From d80f9ea063320c43ddc0d5bdf26afa85a69633df Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 20 Feb 2024 20:46:57 +0100 Subject: [PATCH 01/28] enabling the incremental (nblocks) API for Shake128 (scalar) in Kyber --- src/digest.rs | 2 + src/hacl/sha3.rs | 68 + src/kem/kyber/hash_functions.rs | 37 + src/kem/kyber/matrix.rs | 12 +- src/kem/kyber/sampling.rs | 75 +- sys/hacl/c/include/Hacl_Hash_SHA3_Scalar.h | 88 +- sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h | 134 +- .../c/include/msvc/Hacl_Hash_SHA3_Scalar.h | 88 +- .../c/include/msvc/Hacl_Hash_SHA3_Simd256.h | 134 +- sys/hacl/c/src/Hacl_Hash_SHA3_Scalar.c | 435 +- sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c | 3685 +++++++++++------ sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Scalar.c | 435 +- sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Simd256.c | 3685 +++++++++++------ sys/hacl/src/bindings.rs | 27 + 14 files changed, 6362 insertions(+), 2543 deletions(-) diff --git a/src/digest.rs b/src/digest.rs index 7ebcfeed0..d9bcab9a1 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -24,6 +24,8 @@ use crate::hacl::{ use libcrux_platform::{simd128_support, simd256_support}; +pub use sha3::incremental; + #[derive(Debug)] pub enum Error { InvalidStateFinished, diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index 818d3c1e8..12050482f 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -227,3 +227,71 @@ pub mod x4 { (digest0, digest1, digest2, digest3) } } + +/// This module groups together functions that can be used to absorb or squeeze +/// bytes in increments. +/// TODO: This module should not be public, see: https://github.com/cryspen/libcrux/issues/157 +pub mod incremental { + use libcrux_hacl::{ + Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks, + Hacl_Hash_SHA3_Scalar_shake128_absorb_final, + Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks, + Hacl_Hash_SHA3_Scalar_state_free, Hacl_Hash_SHA3_Scalar_state_malloc, + }; + + /// SHAKE 128 + /// + + /// Handle to internal SHAKE 129 state + pub struct Shake128State { + state: *mut u64, + } + + impl Shake128State { + pub fn new() -> Self { + let state = Self { + state: unsafe { Hacl_Hash_SHA3_Scalar_state_malloc() }, + }; + + state + } + + pub fn absorb_nblocks(&mut self, input: &[u8]) { + unsafe { + Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks( + self.state, + input.as_ptr() as _, + input.len() as u32, + ) + }; + } + + pub fn absorb_final(&mut self, input: &[u8]) { + unsafe { + Hacl_Hash_SHA3_Scalar_shake128_absorb_final( + self.state, + input.as_ptr() as _, + input.len() as u32, + ) + }; + } + pub fn squeeze_nblocks(&mut self) -> [u8; OUTPUT_BYTES] { + debug_assert!(OUTPUT_BYTES % 168 == 0); + let mut output = [0u8; OUTPUT_BYTES]; + unsafe { + Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks( + self.state, + output.as_mut_ptr(), + OUTPUT_BYTES as u32, + ) + }; + + output + } + } + impl Drop for Shake128State { + fn drop(&mut self) { + unsafe { Hacl_Hash_SHA3_Scalar_state_free(self.state) } + } + } +} \ No newline at end of file diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index 3eeb58bd8..f4662c21d 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -65,3 +65,40 @@ pub(crate) fn XOFx4( out } + +// The following API uses the repeated squeeze API +// Currently it only supports Scalar SHAKE, adapting it to SIMD SHAKE is a todo +type XofState = crate::digest::incremental::Shake128State; + +#[inline(always)] +pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> [XofState; K] { + let mut out = + core::array::from_fn(|_| crate::digest::incremental::Shake128State::new()); + + for i in 0..K { + out[i].absorb_final(&input[i]); + } + out +} + +#[inline(always)] +pub(crate) fn XOF_squeeze_three_blocks( + state: &mut [XofState; K], +) -> [[u8; 168 * 3]; K] { + let mut out = [[0; 168 * 3]; K]; + + for i in 0..K { + out[i] = state[i].squeeze_nblocks(); + } + out +} + +#[inline(always)] +pub(crate) fn XOF_squeeze_block(state: &mut [XofState; K]) -> [[u8; 168]; K] { + let mut out = [[0; 168]; K]; + + for i in 0..K { + out[i] = state[i].squeeze_nblocks(); + } + out +} \ No newline at end of file diff --git a/src/kem/kyber/matrix.rs b/src/kem/kyber/matrix.rs index 5d51e7c7d..a4908eaaa 100644 --- a/src/kem/kyber/matrix.rs +++ b/src/kem/kyber/matrix.rs @@ -4,9 +4,8 @@ use super::{ PolynomialRingElement, }, constants::COEFFICIENTS_IN_RING_ELEMENT, - hash_functions::XOFx4, ntt::{invert_ntt_montgomery, ntt_multiply}, - sampling::sample_from_uniform_distribution, + sampling::sample_from_xof, }; use crate::cloop; @@ -24,16 +23,13 @@ pub(in crate::kem::kyber) fn sample_matrix_A( seeds[j][32] = i as u8; seeds[j][33] = j as u8; } - let xof_bytes = XOFx4::(seeds); - + let sampled = sample_from_xof(seeds); for j in 0..K { - let sampled = sample_from_uniform_distribution(xof_bytes[j]); - // A[i][j] = A_transpose[j][i] if transpose { - A_transpose[j][i] = sampled; + A_transpose[j][i] = sampled[j]; } else { - A_transpose[i][j] = sampled; + A_transpose[i][j] = sampled[j]; } } } diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs index b7243439e..0cc86c811 100644 --- a/src/kem/kyber/sampling.rs +++ b/src/kem/kyber/sampling.rs @@ -1,14 +1,10 @@ use super::{ arithmetic::{FieldElement, PolynomialRingElement}, - constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS, REJECTION_SAMPLING_SEED_SIZE}, + constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS}, }; -use crate::{cloop, hax_utils::hax_debug_assert}; +use crate::{cloop, hax_utils::hax_debug_assert, + kem::kyber::hash_functions::{XOF_absorb, XOF_squeeze_block, XOF_squeeze_three_blocks}}; -fn rejection_sampling_panic_with_diagnostic() { - panic!() - // We would instead prefer to do the following: - // panic!("5 blocks of SHAKE128 output were extracted from the seed for rejection sampling, but not all of them could be sampled.\nWe would appreciate it if you could report this error by opening an issue at https://github.com/cryspen/libcrux/issues"); -} /// If `bytes` contains a set of uniformly random bytes, this function /// uniformly samples a ring element `รข` that is treated as being the NTT representation @@ -48,19 +44,14 @@ fn rejection_sampling_panic_with_diagnostic() { /// /// The NIST FIPS 203 standard can be found at /// . -pub fn sample_from_uniform_distribution( - randomness: [u8; REJECTION_SAMPLING_SEED_SIZE], -) -> PolynomialRingElement { - let mut sampled_coefficients: usize = 0; - let mut out: PolynomialRingElement = PolynomialRingElement::ZERO; - - // This loop is written the way it is since reasoning about early returns, - // breaks, and continues is not well supported in Fstar at the moment. Rewriting - // this code to use an early return is being tracked in: - // https://github.com/cryspen/libcrux/issues/134 - let mut done = false; - for bytes in randomness.chunks(3) { - if !done { +fn sample_from_uniform_distribution_next( + randomness: [[u8; N]; K], + sampled_coefficients: &mut [usize; K], + out: &mut [PolynomialRingElement; K], +) -> bool { + let mut done = true; + for i in 0..K { + for bytes in randomness[i].chunks(3) { let b1 = bytes[0] as i32; let b2 = bytes[1] as i32; let b3 = bytes[2] as i32; @@ -68,34 +59,48 @@ pub fn sample_from_uniform_distribution( let d1 = ((b2 & 0xF) << 8) | b1; let d2 = (b3 << 4) | (b2 >> 4); - if d1 < FIELD_MODULUS && sampled_coefficients < COEFFICIENTS_IN_RING_ELEMENT { - out.coefficients[sampled_coefficients] = d1; - sampled_coefficients += 1 - } - if d2 < FIELD_MODULUS && sampled_coefficients < COEFFICIENTS_IN_RING_ELEMENT { - out.coefficients[sampled_coefficients] = d2; - sampled_coefficients += 1; + if d1 < FIELD_MODULUS && sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT { + out[i].coefficients[sampled_coefficients[i]] = d1; + sampled_coefficients[i] += 1 } - if sampled_coefficients == COEFFICIENTS_IN_RING_ELEMENT { - done = true; + if d2 < FIELD_MODULUS && sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT { + out[i].coefficients[sampled_coefficients[i]] = d2; + sampled_coefficients[i] += 1; } } + if sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT { + done = false + } } + done +} - if !done { - // Requiring more than 5 blocks to sample a ring element should be very - // unlikely according to: - // https://eprint.iacr.org/2023/708.pdf - rejection_sampling_panic_with_diagnostic(); +pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingElement; K] { + let mut sampled_coefficients: [usize; K] = [0; K]; + let mut out: [PolynomialRingElement; K] = [PolynomialRingElement::ZERO; K]; + + let mut xof_states = XOF_absorb::(seeds); + let randomness = XOF_squeeze_three_blocks(&mut xof_states); + + let mut done = sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); + + // Requiring more than 5 blocks to sample a ring element should be very + // unlikely according to: + // https://eprint.iacr.org/2023/708.pdf + while !done { + let randomness = XOF_squeeze_block(&mut xof_states); + done = + sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); } - hax_debug_assert!(out + hax_debug_assert!(out[0] .coefficients .into_iter() .all(|coefficient| coefficient >= 0 && coefficient < FIELD_MODULUS)); out } + /// Given a series of uniformly random bytes in `randomness`, for some number `eta`, /// the `sample_from_binomial_distribution_{eta}` functions sample /// a ring element from a binomial distribution centered at 0 that uses two sets diff --git a/sys/hacl/c/include/Hacl_Hash_SHA3_Scalar.h b/sys/hacl/c/include/Hacl_Hash_SHA3_Scalar.h index e49f1967b..a40c2d04d 100644 --- a/sys/hacl/c/include/Hacl_Hash_SHA3_Scalar.h +++ b/sys/hacl/c/include/Hacl_Hash_SHA3_Scalar.h @@ -37,27 +37,95 @@ extern "C" { void Hacl_Hash_SHA3_Scalar_shake128( - uint32_t inputByteLen, - uint8_t *input, + uint8_t *output, uint32_t outputByteLen, - uint8_t *output + uint8_t *input, + uint32_t inputByteLen ); void Hacl_Hash_SHA3_Scalar_shake256( - uint32_t inputByteLen, - uint8_t *input, + uint8_t *output, uint32_t outputByteLen, - uint8_t *output + uint8_t *input, + uint32_t inputByteLen ); -void Hacl_Hash_SHA3_Scalar_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output); +void Hacl_Hash_SHA3_Scalar_sha3_224(uint8_t *output, uint8_t *input, uint32_t inputByteLen); + +void Hacl_Hash_SHA3_Scalar_sha3_256(uint8_t *output, uint8_t *input, uint32_t inputByteLen); + +void Hacl_Hash_SHA3_Scalar_sha3_384(uint8_t *output, uint8_t *input, uint32_t inputByteLen); -void Hacl_Hash_SHA3_Scalar_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output); +void Hacl_Hash_SHA3_Scalar_sha3_512(uint8_t *output, uint8_t *input, uint32_t inputByteLen); -void Hacl_Hash_SHA3_Scalar_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output); +/** +Allocate state buffer of 200-bytes +*/ +uint64_t *Hacl_Hash_SHA3_Scalar_state_malloc(void); -void Hacl_Hash_SHA3_Scalar_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output); +/** +Free state buffer +*/ +void Hacl_Hash_SHA3_Scalar_state_free(uint64_t *s); + +/** +Absorb number of input blocks and write the output state + + This function is intended to receive a hash state and input buffer. + It prcoesses an input of multiple of 168-bytes (SHAKE128 block size), + any additional bytes of final partial block are ignored. + + The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] + The argument `input` (IN) points to `inputByteLen` bytes of valid memory, + i.e., uint8_t[inputByteLen] +*/ +void +Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks( + uint64_t *state, + uint8_t *input, + uint32_t inputByteLen +); + +/** +Absorb a final partial block of input and write the output state + + This function is intended to receive a hash state and input buffer. + It prcoesses a sequence of bytes at end of input buffer that is less + than 168-bytes (SHAKE128 block size), + any bytes of full blocks at start of input buffer are ignored. + + The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] + The argument `input` (IN) points to `inputByteLen` bytes of valid memory, + i.e., uint8_t[inputByteLen] + + Note: Full size of input buffer must be passed to `inputByteLen` including + the number of full-block bytes at start of input buffer that are ignored +*/ +void +Hacl_Hash_SHA3_Scalar_shake128_absorb_final( + uint64_t *state, + uint8_t *input, + uint32_t inputByteLen +); + +/** +Squeeze a hash state to output buffer + + This function is intended to receive a hash state and output buffer. + It produces an output of multiple of 168-bytes (SHAKE128 block size), + any additional bytes of final partial block are ignored. + + The argument `state` (IN) points to hash state, i.e., uint64_t[25] + The argument `output` (OUT) points to `outputByteLen` bytes of valid memory, + i.e., uint8_t[outputByteLen] +*/ +void +Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks( + uint64_t *state, + uint8_t *output, + uint32_t outputByteLen +); #if defined(__cplusplus) } diff --git a/sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h b/sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h index 3dd3772dd..302094a43 100644 --- a/sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h +++ b/sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h @@ -35,6 +35,8 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" +#include "libintvector.h" + typedef struct K____uint8_t___uint8_t__s { uint8_t *fst; @@ -58,82 +60,162 @@ K____uint8_t___uint8_t____K____uint8_t___uint8_t_; void Hacl_Hash_SHA3_Simd256_shake128( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint32_t outputByteLen, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ); void Hacl_Hash_SHA3_Simd256_shake256( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint32_t outputByteLen, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ); void Hacl_Hash_SHA3_Simd256_sha3_224( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, + uint32_t inputByteLen +); + +void +Hacl_Hash_SHA3_Simd256_sha3_256( uint8_t *output0, uint8_t *output1, uint8_t *output2, - uint8_t *output3 + uint8_t *output3, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen ); void -Hacl_Hash_SHA3_Simd256_sha3_256( - uint32_t inputByteLen, +Hacl_Hash_SHA3_Simd256_sha3_384( + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, + uint32_t inputByteLen +); + +void +Hacl_Hash_SHA3_Simd256_sha3_512( uint8_t *output0, uint8_t *output1, uint8_t *output2, - uint8_t *output3 + uint8_t *output3, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen ); +/** +Allocate quadruple state buffer (200-bytes for each) +*/ +uint64_t *Hacl_Hash_SHA3_Simd256_state_malloc(void); + +/** +Free quadruple state buffer +*/ +void Hacl_Hash_SHA3_Simd256_state_free(uint64_t *s); + +/** +Absorb number of blocks of 4 input buffers and write the output states + + This function is intended to receive a quadruple hash state and 4 input buffers. + It prcoesses an inputs of multiple of 168-bytes (SHAKE128 block size), + any additional bytes of final partial block for each buffer are ignored. + + The argument `state` (IN/OUT) points to quadruple hash state, + i.e., Lib_IntVector_Intrinsics_vec256[25] + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + of valid memory for each buffer, i.e., uint8_t[inputByteLen] +*/ void -Hacl_Hash_SHA3_Simd256_sha3_384( - uint32_t inputByteLen, +Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( + Lib_IntVector_Intrinsics_vec256 *state, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ); +/** +Absorb a final partial blocks of 4 input buffers and write the output states + + This function is intended to receive a quadruple hash state and 4 input buffers. + It prcoesses a sequence of bytes at end of each input buffer that is less + than 168-bytes (SHAKE128 block size), + any bytes of full blocks at start of input buffers are ignored. + + The argument `state` (IN/OUT) points to quadruple hash state, + i.e., Lib_IntVector_Intrinsics_vec256[25] + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + of valid memory for each buffer, i.e., uint8_t[inputByteLen] + + Note: Full size of input buffers must be passed to `inputByteLen` including + the number of full-block bytes at start of each input buffer that are ignored +*/ void -Hacl_Hash_SHA3_Simd256_sha3_512( - uint32_t inputByteLen, +Hacl_Hash_SHA3_Simd256_shake128_absorb_final( + Lib_IntVector_Intrinsics_vec256 *state, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, + uint32_t inputByteLen +); + +/** +Squeeze a quadruple hash state to 4 output buffers + + This function is intended to receive a quadruple hash state and 4 output buffers. + It produces 4 outputs, each is multiple of 168-bytes (SHAKE128 block size), + any additional bytes of final partial block for each buffer are ignored. + + The argument `state` (IN) points to quadruple hash state, + i.e., Lib_IntVector_Intrinsics_vec256[25] + The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes + of valid memory for each buffer, i.e., uint8_t[inputByteLen] +*/ +void +Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks( + Lib_IntVector_Intrinsics_vec256 *state, uint8_t *output0, uint8_t *output1, uint8_t *output2, - uint8_t *output3 + uint8_t *output3, + uint32_t outputByteLen ); #if defined(__cplusplus) diff --git a/sys/hacl/c/include/msvc/Hacl_Hash_SHA3_Scalar.h b/sys/hacl/c/include/msvc/Hacl_Hash_SHA3_Scalar.h index e49f1967b..a40c2d04d 100644 --- a/sys/hacl/c/include/msvc/Hacl_Hash_SHA3_Scalar.h +++ b/sys/hacl/c/include/msvc/Hacl_Hash_SHA3_Scalar.h @@ -37,27 +37,95 @@ extern "C" { void Hacl_Hash_SHA3_Scalar_shake128( - uint32_t inputByteLen, - uint8_t *input, + uint8_t *output, uint32_t outputByteLen, - uint8_t *output + uint8_t *input, + uint32_t inputByteLen ); void Hacl_Hash_SHA3_Scalar_shake256( - uint32_t inputByteLen, - uint8_t *input, + uint8_t *output, uint32_t outputByteLen, - uint8_t *output + uint8_t *input, + uint32_t inputByteLen ); -void Hacl_Hash_SHA3_Scalar_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output); +void Hacl_Hash_SHA3_Scalar_sha3_224(uint8_t *output, uint8_t *input, uint32_t inputByteLen); + +void Hacl_Hash_SHA3_Scalar_sha3_256(uint8_t *output, uint8_t *input, uint32_t inputByteLen); + +void Hacl_Hash_SHA3_Scalar_sha3_384(uint8_t *output, uint8_t *input, uint32_t inputByteLen); -void Hacl_Hash_SHA3_Scalar_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output); +void Hacl_Hash_SHA3_Scalar_sha3_512(uint8_t *output, uint8_t *input, uint32_t inputByteLen); -void Hacl_Hash_SHA3_Scalar_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output); +/** +Allocate state buffer of 200-bytes +*/ +uint64_t *Hacl_Hash_SHA3_Scalar_state_malloc(void); -void Hacl_Hash_SHA3_Scalar_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output); +/** +Free state buffer +*/ +void Hacl_Hash_SHA3_Scalar_state_free(uint64_t *s); + +/** +Absorb number of input blocks and write the output state + + This function is intended to receive a hash state and input buffer. + It prcoesses an input of multiple of 168-bytes (SHAKE128 block size), + any additional bytes of final partial block are ignored. + + The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] + The argument `input` (IN) points to `inputByteLen` bytes of valid memory, + i.e., uint8_t[inputByteLen] +*/ +void +Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks( + uint64_t *state, + uint8_t *input, + uint32_t inputByteLen +); + +/** +Absorb a final partial block of input and write the output state + + This function is intended to receive a hash state and input buffer. + It prcoesses a sequence of bytes at end of input buffer that is less + than 168-bytes (SHAKE128 block size), + any bytes of full blocks at start of input buffer are ignored. + + The argument `state` (IN/OUT) points to hash state, i.e., uint64_t[25] + The argument `input` (IN) points to `inputByteLen` bytes of valid memory, + i.e., uint8_t[inputByteLen] + + Note: Full size of input buffer must be passed to `inputByteLen` including + the number of full-block bytes at start of input buffer that are ignored +*/ +void +Hacl_Hash_SHA3_Scalar_shake128_absorb_final( + uint64_t *state, + uint8_t *input, + uint32_t inputByteLen +); + +/** +Squeeze a hash state to output buffer + + This function is intended to receive a hash state and output buffer. + It produces an output of multiple of 168-bytes (SHAKE128 block size), + any additional bytes of final partial block are ignored. + + The argument `state` (IN) points to hash state, i.e., uint64_t[25] + The argument `output` (OUT) points to `outputByteLen` bytes of valid memory, + i.e., uint8_t[outputByteLen] +*/ +void +Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks( + uint64_t *state, + uint8_t *output, + uint32_t outputByteLen +); #if defined(__cplusplus) } diff --git a/sys/hacl/c/include/msvc/Hacl_Hash_SHA3_Simd256.h b/sys/hacl/c/include/msvc/Hacl_Hash_SHA3_Simd256.h index 3dd3772dd..302094a43 100644 --- a/sys/hacl/c/include/msvc/Hacl_Hash_SHA3_Simd256.h +++ b/sys/hacl/c/include/msvc/Hacl_Hash_SHA3_Simd256.h @@ -35,6 +35,8 @@ extern "C" { #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" +#include "libintvector.h" + typedef struct K____uint8_t___uint8_t__s { uint8_t *fst; @@ -58,82 +60,162 @@ K____uint8_t___uint8_t____K____uint8_t___uint8_t_; void Hacl_Hash_SHA3_Simd256_shake128( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint32_t outputByteLen, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ); void Hacl_Hash_SHA3_Simd256_shake256( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint32_t outputByteLen, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ); void Hacl_Hash_SHA3_Simd256_sha3_224( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, + uint32_t inputByteLen +); + +void +Hacl_Hash_SHA3_Simd256_sha3_256( uint8_t *output0, uint8_t *output1, uint8_t *output2, - uint8_t *output3 + uint8_t *output3, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen ); void -Hacl_Hash_SHA3_Simd256_sha3_256( - uint32_t inputByteLen, +Hacl_Hash_SHA3_Simd256_sha3_384( + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, + uint32_t inputByteLen +); + +void +Hacl_Hash_SHA3_Simd256_sha3_512( uint8_t *output0, uint8_t *output1, uint8_t *output2, - uint8_t *output3 + uint8_t *output3, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen ); +/** +Allocate quadruple state buffer (200-bytes for each) +*/ +uint64_t *Hacl_Hash_SHA3_Simd256_state_malloc(void); + +/** +Free quadruple state buffer +*/ +void Hacl_Hash_SHA3_Simd256_state_free(uint64_t *s); + +/** +Absorb number of blocks of 4 input buffers and write the output states + + This function is intended to receive a quadruple hash state and 4 input buffers. + It prcoesses an inputs of multiple of 168-bytes (SHAKE128 block size), + any additional bytes of final partial block for each buffer are ignored. + + The argument `state` (IN/OUT) points to quadruple hash state, + i.e., Lib_IntVector_Intrinsics_vec256[25] + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + of valid memory for each buffer, i.e., uint8_t[inputByteLen] +*/ void -Hacl_Hash_SHA3_Simd256_sha3_384( - uint32_t inputByteLen, +Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( + Lib_IntVector_Intrinsics_vec256 *state, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ); +/** +Absorb a final partial blocks of 4 input buffers and write the output states + + This function is intended to receive a quadruple hash state and 4 input buffers. + It prcoesses a sequence of bytes at end of each input buffer that is less + than 168-bytes (SHAKE128 block size), + any bytes of full blocks at start of input buffers are ignored. + + The argument `state` (IN/OUT) points to quadruple hash state, + i.e., Lib_IntVector_Intrinsics_vec256[25] + The arguments `input0/input1/input2/input3` (IN) point to `inputByteLen` bytes + of valid memory for each buffer, i.e., uint8_t[inputByteLen] + + Note: Full size of input buffers must be passed to `inputByteLen` including + the number of full-block bytes at start of each input buffer that are ignored +*/ void -Hacl_Hash_SHA3_Simd256_sha3_512( - uint32_t inputByteLen, +Hacl_Hash_SHA3_Simd256_shake128_absorb_final( + Lib_IntVector_Intrinsics_vec256 *state, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, + uint32_t inputByteLen +); + +/** +Squeeze a quadruple hash state to 4 output buffers + + This function is intended to receive a quadruple hash state and 4 output buffers. + It produces 4 outputs, each is multiple of 168-bytes (SHAKE128 block size), + any additional bytes of final partial block for each buffer are ignored. + + The argument `state` (IN) points to quadruple hash state, + i.e., Lib_IntVector_Intrinsics_vec256[25] + The arguments `output0/output1/output2/output3` (OUT) point to `outputByteLen` bytes + of valid memory for each buffer, i.e., uint8_t[inputByteLen] +*/ +void +Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks( + Lib_IntVector_Intrinsics_vec256 *state, uint8_t *output0, uint8_t *output1, uint8_t *output2, - uint8_t *output3 + uint8_t *output3, + uint32_t outputByteLen ); #if defined(__cplusplus) diff --git a/sys/hacl/c/src/Hacl_Hash_SHA3_Scalar.c b/sys/hacl/c/src/Hacl_Hash_SHA3_Scalar.c index 43d574827..6d6806a37 100644 --- a/sys/hacl/c/src/Hacl_Hash_SHA3_Scalar.c +++ b/sys/hacl/c/src/Hacl_Hash_SHA3_Scalar.c @@ -55,10 +55,10 @@ Hacl_Impl_SHA3_Vec_keccak_rndc[24U] = void Hacl_Hash_SHA3_Scalar_shake128( - uint32_t inputByteLen, - uint8_t *input, + uint8_t *output, uint32_t outputByteLen, - uint8_t *output + uint8_t *input, + uint32_t inputByteLen ) { uint32_t rateInBytes = 168U; @@ -447,10 +447,10 @@ Hacl_Hash_SHA3_Scalar_shake128( void Hacl_Hash_SHA3_Scalar_shake256( - uint32_t inputByteLen, - uint8_t *input, + uint8_t *output, uint32_t outputByteLen, - uint8_t *output + uint8_t *input, + uint32_t inputByteLen ) { uint32_t rateInBytes = 136U; @@ -837,7 +837,7 @@ Hacl_Hash_SHA3_Scalar_shake256( memcpy(output + outputByteLen - remOut, hbuf, remOut * sizeof (uint8_t)); } -void Hacl_Hash_SHA3_Scalar_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +void Hacl_Hash_SHA3_Scalar_sha3_224(uint8_t *output, uint8_t *input, uint32_t inputByteLen) { uint32_t rateInBytes = 144U; uint64_t s[25U] = { 0U }; @@ -1223,7 +1223,7 @@ void Hacl_Hash_SHA3_Scalar_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8 memcpy(output + 28U - remOut, hbuf, remOut * sizeof (uint8_t)); } -void Hacl_Hash_SHA3_Scalar_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +void Hacl_Hash_SHA3_Scalar_sha3_256(uint8_t *output, uint8_t *input, uint32_t inputByteLen) { uint32_t rateInBytes = 136U; uint64_t s[25U] = { 0U }; @@ -1609,7 +1609,7 @@ void Hacl_Hash_SHA3_Scalar_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8 memcpy(output + 32U - remOut, hbuf, remOut * sizeof (uint8_t)); } -void Hacl_Hash_SHA3_Scalar_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +void Hacl_Hash_SHA3_Scalar_sha3_384(uint8_t *output, uint8_t *input, uint32_t inputByteLen) { uint32_t rateInBytes = 104U; uint64_t s[25U] = { 0U }; @@ -1995,7 +1995,7 @@ void Hacl_Hash_SHA3_Scalar_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8 memcpy(output + 48U - remOut, hbuf, remOut * sizeof (uint8_t)); } -void Hacl_Hash_SHA3_Scalar_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +void Hacl_Hash_SHA3_Scalar_sha3_512(uint8_t *output, uint8_t *input, uint32_t inputByteLen) { uint32_t rateInBytes = 72U; uint64_t s[25U] = { 0U }; @@ -2381,3 +2381,418 @@ void Hacl_Hash_SHA3_Scalar_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8 memcpy(output + 64U - remOut, hbuf, remOut * sizeof (uint8_t)); } +uint64_t *Hacl_Hash_SHA3_Scalar_state_malloc(void) +{ + uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + return buf; +} + +void Hacl_Hash_SHA3_Scalar_state_free(uint64_t *s) +{ + KRML_HOST_FREE(s); +} + +void +Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks( + uint64_t *state, + uint8_t *input, + uint32_t inputByteLen +) +{ + for (uint32_t i0 = 0U; i0 < inputByteLen / 168U; i0++) + { + uint8_t b1[256U] = { 0U }; + uint8_t *b_ = b1; + uint8_t *b0 = input; + uint8_t *bl0 = b_; + memcpy(bl0, b0 + i0 * 168U, 168U * sizeof (uint8_t)); + uint64_t ws[32U] = { 0U }; + uint8_t *b = b_; + uint64_t u = load64_le(b); + ws[0U] = u; + uint64_t u0 = load64_le(b + 8U); + ws[1U] = u0; + uint64_t u1 = load64_le(b + 16U); + ws[2U] = u1; + uint64_t u2 = load64_le(b + 24U); + ws[3U] = u2; + uint64_t u3 = load64_le(b + 32U); + ws[4U] = u3; + uint64_t u4 = load64_le(b + 40U); + ws[5U] = u4; + uint64_t u5 = load64_le(b + 48U); + ws[6U] = u5; + uint64_t u6 = load64_le(b + 56U); + ws[7U] = u6; + uint64_t u7 = load64_le(b + 64U); + ws[8U] = u7; + uint64_t u8 = load64_le(b + 72U); + ws[9U] = u8; + uint64_t u9 = load64_le(b + 80U); + ws[10U] = u9; + uint64_t u10 = load64_le(b + 88U); + ws[11U] = u10; + uint64_t u11 = load64_le(b + 96U); + ws[12U] = u11; + uint64_t u12 = load64_le(b + 104U); + ws[13U] = u12; + uint64_t u13 = load64_le(b + 112U); + ws[14U] = u13; + uint64_t u14 = load64_le(b + 120U); + ws[15U] = u14; + uint64_t u15 = load64_le(b + 128U); + ws[16U] = u15; + uint64_t u16 = load64_le(b + 136U); + ws[17U] = u16; + uint64_t u17 = load64_le(b + 144U); + ws[18U] = u17; + uint64_t u18 = load64_le(b + 152U); + ws[19U] = u18; + uint64_t u19 = load64_le(b + 160U); + ws[20U] = u19; + uint64_t u20 = load64_le(b + 168U); + ws[21U] = u20; + uint64_t u21 = load64_le(b + 176U); + ws[22U] = u21; + uint64_t u22 = load64_le(b + 184U); + ws[23U] = u22; + uint64_t u23 = load64_le(b + 192U); + ws[24U] = u23; + uint64_t u24 = load64_le(b + 200U); + ws[25U] = u24; + uint64_t u25 = load64_le(b + 208U); + ws[26U] = u25; + uint64_t u26 = load64_le(b + 216U); + ws[27U] = u26; + uint64_t u27 = load64_le(b + 224U); + ws[28U] = u27; + uint64_t u28 = load64_le(b + 232U); + ws[29U] = u28; + uint64_t u29 = load64_le(b + 240U); + ws[30U] = u29; + uint64_t u30 = load64_le(b + 248U); + ws[31U] = u30; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = state[i] ^ ws[i]; + } + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + uint64_t _C[5U] = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + _C[i] = + state[i + + 0U] + ^ (state[i + 5U] ^ (state[i + 10U] ^ (state[i + 15U] ^ state[i + 20U])));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + uint64_t uu____0 = _C[(i2 + 1U) % 5U]; + uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U); + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, state[i2 + 5U * i] = state[i2 + 5U * i] ^ _D;);); + uint64_t x = state[1U]; + uint64_t current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + uint64_t temp = state[_Y]; + uint64_t uu____1 = current; + state[_Y] = uu____1 << r | uu____1 >> (64U - r); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + uint64_t v0 = state[0U + 5U * i] ^ (~state[1U + 5U * i] & state[2U + 5U * i]); + uint64_t v1 = state[1U + 5U * i] ^ (~state[2U + 5U * i] & state[3U + 5U * i]); + uint64_t v2 = state[2U + 5U * i] ^ (~state[3U + 5U * i] & state[4U + 5U * i]); + uint64_t v3 = state[3U + 5U * i] ^ (~state[4U + 5U * i] & state[0U + 5U * i]); + uint64_t v4 = state[4U + 5U * i] ^ (~state[0U + 5U * i] & state[1U + 5U * i]); + state[0U + 5U * i] = v0; + state[1U + 5U * i] = v1; + state[2U + 5U * i] = v2; + state[3U + 5U * i] = v3; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i1]; + state[0U] = state[0U] ^ c; + } + } +} + +void +Hacl_Hash_SHA3_Scalar_shake128_absorb_final( + uint64_t *state, + uint8_t *input, + uint32_t inputByteLen +) +{ + uint32_t rem = inputByteLen % 168U; + uint8_t b2[256U] = { 0U }; + uint8_t *b_ = b2; + uint32_t rem1 = inputByteLen % 168U; + uint8_t *b00 = input; + uint8_t *bl0 = b_; + memcpy(bl0, b00 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b01 = b_; + b01[rem] = 0x1FU; + uint64_t ws[32U] = { 0U }; + uint8_t *b = b_; + uint64_t u0 = load64_le(b); + ws[0U] = u0; + uint64_t u1 = load64_le(b + 8U); + ws[1U] = u1; + uint64_t u2 = load64_le(b + 16U); + ws[2U] = u2; + uint64_t u3 = load64_le(b + 24U); + ws[3U] = u3; + uint64_t u4 = load64_le(b + 32U); + ws[4U] = u4; + uint64_t u5 = load64_le(b + 40U); + ws[5U] = u5; + uint64_t u6 = load64_le(b + 48U); + ws[6U] = u6; + uint64_t u7 = load64_le(b + 56U); + ws[7U] = u7; + uint64_t u8 = load64_le(b + 64U); + ws[8U] = u8; + uint64_t u9 = load64_le(b + 72U); + ws[9U] = u9; + uint64_t u10 = load64_le(b + 80U); + ws[10U] = u10; + uint64_t u11 = load64_le(b + 88U); + ws[11U] = u11; + uint64_t u12 = load64_le(b + 96U); + ws[12U] = u12; + uint64_t u13 = load64_le(b + 104U); + ws[13U] = u13; + uint64_t u14 = load64_le(b + 112U); + ws[14U] = u14; + uint64_t u15 = load64_le(b + 120U); + ws[15U] = u15; + uint64_t u16 = load64_le(b + 128U); + ws[16U] = u16; + uint64_t u17 = load64_le(b + 136U); + ws[17U] = u17; + uint64_t u18 = load64_le(b + 144U); + ws[18U] = u18; + uint64_t u19 = load64_le(b + 152U); + ws[19U] = u19; + uint64_t u20 = load64_le(b + 160U); + ws[20U] = u20; + uint64_t u21 = load64_le(b + 168U); + ws[21U] = u21; + uint64_t u22 = load64_le(b + 176U); + ws[22U] = u22; + uint64_t u23 = load64_le(b + 184U); + ws[23U] = u23; + uint64_t u24 = load64_le(b + 192U); + ws[24U] = u24; + uint64_t u25 = load64_le(b + 200U); + ws[25U] = u25; + uint64_t u26 = load64_le(b + 208U); + ws[26U] = u26; + uint64_t u27 = load64_le(b + 216U); + ws[27U] = u27; + uint64_t u28 = load64_le(b + 224U); + ws[28U] = u28; + uint64_t u29 = load64_le(b + 232U); + ws[29U] = u29; + uint64_t u30 = load64_le(b + 240U); + ws[30U] = u30; + uint64_t u31 = load64_le(b + 248U); + ws[31U] = u31; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = state[i] ^ ws[i]; + } + uint8_t b3[256U] = { 0U }; + uint8_t *b4 = b3; + uint8_t *b0 = b4; + b0[167U] = 0x80U; + uint64_t ws0[32U] = { 0U }; + uint8_t *b1 = b4; + uint64_t u = load64_le(b1); + ws0[0U] = u; + uint64_t u32 = load64_le(b1 + 8U); + ws0[1U] = u32; + uint64_t u33 = load64_le(b1 + 16U); + ws0[2U] = u33; + uint64_t u34 = load64_le(b1 + 24U); + ws0[3U] = u34; + uint64_t u35 = load64_le(b1 + 32U); + ws0[4U] = u35; + uint64_t u36 = load64_le(b1 + 40U); + ws0[5U] = u36; + uint64_t u37 = load64_le(b1 + 48U); + ws0[6U] = u37; + uint64_t u38 = load64_le(b1 + 56U); + ws0[7U] = u38; + uint64_t u39 = load64_le(b1 + 64U); + ws0[8U] = u39; + uint64_t u40 = load64_le(b1 + 72U); + ws0[9U] = u40; + uint64_t u41 = load64_le(b1 + 80U); + ws0[10U] = u41; + uint64_t u42 = load64_le(b1 + 88U); + ws0[11U] = u42; + uint64_t u43 = load64_le(b1 + 96U); + ws0[12U] = u43; + uint64_t u44 = load64_le(b1 + 104U); + ws0[13U] = u44; + uint64_t u45 = load64_le(b1 + 112U); + ws0[14U] = u45; + uint64_t u46 = load64_le(b1 + 120U); + ws0[15U] = u46; + uint64_t u47 = load64_le(b1 + 128U); + ws0[16U] = u47; + uint64_t u48 = load64_le(b1 + 136U); + ws0[17U] = u48; + uint64_t u49 = load64_le(b1 + 144U); + ws0[18U] = u49; + uint64_t u50 = load64_le(b1 + 152U); + ws0[19U] = u50; + uint64_t u51 = load64_le(b1 + 160U); + ws0[20U] = u51; + uint64_t u52 = load64_le(b1 + 168U); + ws0[21U] = u52; + uint64_t u53 = load64_le(b1 + 176U); + ws0[22U] = u53; + uint64_t u54 = load64_le(b1 + 184U); + ws0[23U] = u54; + uint64_t u55 = load64_le(b1 + 192U); + ws0[24U] = u55; + uint64_t u56 = load64_le(b1 + 200U); + ws0[25U] = u56; + uint64_t u57 = load64_le(b1 + 208U); + ws0[26U] = u57; + uint64_t u58 = load64_le(b1 + 216U); + ws0[27U] = u58; + uint64_t u59 = load64_le(b1 + 224U); + ws0[28U] = u59; + uint64_t u60 = load64_le(b1 + 232U); + ws0[29U] = u60; + uint64_t u61 = load64_le(b1 + 240U); + ws0[30U] = u61; + uint64_t u62 = load64_le(b1 + 248U); + ws0[31U] = u62; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = state[i] ^ ws0[i]; + } + for (uint32_t i0 = 0U; i0 < 24U; i0++) + { + uint64_t _C[5U] = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + _C[i] = state[i + 0U] ^ (state[i + 5U] ^ (state[i + 10U] ^ (state[i + 15U] ^ state[i + 20U])));); + KRML_MAYBE_FOR5(i1, + 0U, + 5U, + 1U, + uint64_t uu____0 = _C[(i1 + 1U) % 5U]; + uint64_t _D = _C[(i1 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U); + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, state[i1 + 5U * i] = state[i1 + 5U * i] ^ _D;);); + uint64_t x = state[1U]; + uint64_t current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + uint64_t temp = state[_Y]; + uint64_t uu____1 = current; + state[_Y] = uu____1 << r | uu____1 >> (64U - r); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + uint64_t v0 = state[0U + 5U * i] ^ (~state[1U + 5U * i] & state[2U + 5U * i]); + uint64_t v1 = state[1U + 5U * i] ^ (~state[2U + 5U * i] & state[3U + 5U * i]); + uint64_t v2 = state[2U + 5U * i] ^ (~state[3U + 5U * i] & state[4U + 5U * i]); + uint64_t v3 = state[3U + 5U * i] ^ (~state[4U + 5U * i] & state[0U + 5U * i]); + uint64_t v4 = state[4U + 5U * i] ^ (~state[0U + 5U * i] & state[1U + 5U * i]); + state[0U + 5U * i] = v0; + state[1U + 5U * i] = v1; + state[2U + 5U * i] = v2; + state[3U + 5U * i] = v3; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i0]; + state[0U] = state[0U] ^ c; + } +} + +void +Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks( + uint64_t *state, + uint8_t *output, + uint32_t outputByteLen +) +{ + for (uint32_t i0 = 0U; i0 < outputByteLen / 168U; i0++) + { + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, state, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(output + i0 * 168U, hbuf, 168U * sizeof (uint8_t)); + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + uint64_t _C[5U] = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + _C[i] = + state[i + + 0U] + ^ (state[i + 5U] ^ (state[i + 10U] ^ (state[i + 15U] ^ state[i + 20U])));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + uint64_t uu____0 = _C[(i2 + 1U) % 5U]; + uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U); + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, state[i2 + 5U * i] = state[i2 + 5U * i] ^ _D;);); + uint64_t x = state[1U]; + uint64_t current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + uint64_t temp = state[_Y]; + uint64_t uu____1 = current; + state[_Y] = uu____1 << r | uu____1 >> (64U - r); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + uint64_t v0 = state[0U + 5U * i] ^ (~state[1U + 5U * i] & state[2U + 5U * i]); + uint64_t v1 = state[1U + 5U * i] ^ (~state[2U + 5U * i] & state[3U + 5U * i]); + uint64_t v2 = state[2U + 5U * i] ^ (~state[3U + 5U * i] & state[4U + 5U * i]); + uint64_t v3 = state[3U + 5U * i] ^ (~state[4U + 5U * i] & state[0U + 5U * i]); + uint64_t v4 = state[4U + 5U * i] ^ (~state[0U + 5U * i] & state[1U + 5U * i]); + state[0U + 5U * i] = v0; + state[1U + 5U * i] = v1; + state[2U + 5U * i] = v2; + state[3U + 5U * i] = v3; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i1]; + state[0U] = state[0U] ^ c; + } + } +} + diff --git a/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c b/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c index b9bfcee59..9046f3dbe 100644 --- a/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c +++ b/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c @@ -26,20 +26,19 @@ #include "Hacl_Hash_SHA3_Simd256.h" #include "internal/Hacl_Hash_SHA3_Scalar.h" -#include "libintvector.h" void Hacl_Hash_SHA3_Simd256_shake128( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint32_t outputByteLen, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -438,63 +437,63 @@ Hacl_Hash_SHA3_Simd256_shake128( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x1FU; + b12[rem] = 0x1FU; + b22[rem] = 0x1FU; + b32[rem] = 0x1FU; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x1FU; - b13[rem] = 0x1FU; - b23[rem] = 0x1FU; - b33[rem] = 0x1FU; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -723,57 +722,57 @@ Hacl_Hash_SHA3_Simd256_shake128( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -1295,62 +1294,49 @@ Hacl_Hash_SHA3_Simd256_shake128( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -1645,76 +1631,63 @@ Hacl_Hash_SHA3_Simd256_shake128( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + outputByteLen - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + outputByteLen - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + outputByteLen - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + outputByteLen - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + outputByteLen - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + outputByteLen - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_shake256( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint32_t outputByteLen, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -2113,63 +2086,63 @@ Hacl_Hash_SHA3_Simd256_shake256( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x1FU; + b12[rem] = 0x1FU; + b22[rem] = 0x1FU; + b32[rem] = 0x1FU; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x1FU; - b13[rem] = 0x1FU; - b23[rem] = 0x1FU; - b33[rem] = 0x1FU; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -2398,57 +2371,57 @@ Hacl_Hash_SHA3_Simd256_shake256( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -2970,62 +2943,49 @@ Hacl_Hash_SHA3_Simd256_shake256( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -3320,75 +3280,62 @@ Hacl_Hash_SHA3_Simd256_shake256( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + outputByteLen - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + outputByteLen - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + outputByteLen - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + outputByteLen - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + outputByteLen - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + outputByteLen - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_sha3_224( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -3787,63 +3734,63 @@ Hacl_Hash_SHA3_Simd256_sha3_224( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x06U; + b12[rem] = 0x06U; + b22[rem] = 0x06U; + b32[rem] = 0x06U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x06U; - b13[rem] = 0x06U; - b23[rem] = 0x06U; - b33[rem] = 0x06U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -4072,57 +4019,57 @@ Hacl_Hash_SHA3_Simd256_sha3_224( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -4644,62 +4591,49 @@ Hacl_Hash_SHA3_Simd256_sha3_224( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -4994,75 +4928,62 @@ Hacl_Hash_SHA3_Simd256_sha3_224( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + 28U - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + 28U - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + 28U - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + 28U - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + 28U - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + 28U - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + 28U - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + 28U - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + 28U - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + 28U - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + 28U - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + 28U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_sha3_256( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -5461,63 +5382,63 @@ Hacl_Hash_SHA3_Simd256_sha3_256( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x06U; + b12[rem] = 0x06U; + b22[rem] = 0x06U; + b32[rem] = 0x06U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x06U; - b13[rem] = 0x06U; - b23[rem] = 0x06U; - b33[rem] = 0x06U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -5746,57 +5667,57 @@ Hacl_Hash_SHA3_Simd256_sha3_256( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -6318,62 +6239,49 @@ Hacl_Hash_SHA3_Simd256_sha3_256( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -6668,75 +6576,62 @@ Hacl_Hash_SHA3_Simd256_sha3_256( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + 32U - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + 32U - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + 32U - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + 32U - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + 32U - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + 32U - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + 32U - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + 32U - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + 32U - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + 32U - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + 32U - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + 32U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_sha3_384( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -7135,63 +7030,63 @@ Hacl_Hash_SHA3_Simd256_sha3_384( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x06U; + b12[rem] = 0x06U; + b22[rem] = 0x06U; + b32[rem] = 0x06U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x06U; - b13[rem] = 0x06U; - b23[rem] = 0x06U; - b33[rem] = 0x06U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -7420,57 +7315,57 @@ Hacl_Hash_SHA3_Simd256_sha3_384( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -7992,62 +7887,49 @@ Hacl_Hash_SHA3_Simd256_sha3_384( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -8342,75 +8224,62 @@ Hacl_Hash_SHA3_Simd256_sha3_384( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + 48U - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + 48U - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + 48U - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + 48U - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + 48U - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + 48U - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + 48U - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + 48U - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + 48U - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + 48U - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + 48U - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + 48U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_sha3_512( - uint32_t inputByteLen, - uint8_t *input0, - uint8_t *input1, - uint8_t *input2, - uint8_t *input3, uint8_t *output0, uint8_t *output1, uint8_t *output2, - uint8_t *output3 + uint8_t *output3, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -8809,63 +8678,63 @@ Hacl_Hash_SHA3_Simd256_sha3_512( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x06U; + b12[rem] = 0x06U; + b22[rem] = 0x06U; + b32[rem] = 0x06U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x06U; - b13[rem] = 0x06U; - b23[rem] = 0x06U; - b33[rem] = 0x06U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -9094,57 +8963,57 @@ Hacl_Hash_SHA3_Simd256_sha3_512( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -9666,62 +9535,49 @@ Hacl_Hash_SHA3_Simd256_sha3_512( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -10016,61 +9872,1482 @@ Hacl_Hash_SHA3_Simd256_sha3_512( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + 64U - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + 64U - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + 64U - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + 64U - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + 64U - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + 64U - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + 64U - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + 64U - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + 64U - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + 64U - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + 64U - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + 64U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); +} + +uint64_t *Hacl_Hash_SHA3_Simd256_state_malloc(void) +{ + uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(100U, sizeof (uint64_t)); + return buf; +} + +void Hacl_Hash_SHA3_Simd256_state_free(uint64_t *s) +{ + KRML_HOST_FREE(s); +} + +void +Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( + Lib_IntVector_Intrinsics_vec256 *state, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen +) +{ + for (uint32_t i0 = 0U; i0 < inputByteLen / 168U; i0++) + { + uint8_t b00[256U] = { 0U }; + uint8_t b10[256U] = { 0U }; + uint8_t b20[256U] = { 0U }; + uint8_t b30[256U] = { 0U }; + K____uint8_t___uint8_t____K____uint8_t___uint8_t_ + b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; + uint8_t *b01 = input0; + uint8_t *b11 = input1; + uint8_t *b21 = input2; + uint8_t *b31 = input3; + uint8_t *bl3 = b_.snd.snd.snd; + uint8_t *bl2 = b_.snd.snd.fst; + uint8_t *bl1 = b_.snd.fst; + uint8_t *bl0 = b_.fst; + memcpy(bl0, b01 + i0 * 168U, 168U * sizeof (uint8_t)); + memcpy(bl1, b11 + i0 * 168U, 168U * sizeof (uint8_t)); + memcpy(bl2, b21 + i0 * 168U, 168U * sizeof (uint8_t)); + memcpy(bl3, b31 + i0 * 168U, 168U * sizeof (uint8_t)); + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b_.snd.snd.snd; + uint8_t *b2 = b_.snd.snd.fst; + uint8_t *b1 = b_.snd.fst; + uint8_t *b0 = b_.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 128U); + ws[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 128U); + ws[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 128U); + ws[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 160U); + ws[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 160U); + ws[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 160U); + ws[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 192U); + ws[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 192U); + ws[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 192U); + ws[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 224U); + ws[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 224U); + ws[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 224U); + ws[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__1; + Lib_IntVector_Intrinsics_vec256 v03 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v13 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v23 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v33 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__2; + Lib_IntVector_Intrinsics_vec256 v04 = ws[16U]; + Lib_IntVector_Intrinsics_vec256 v14 = ws[17U]; + Lib_IntVector_Intrinsics_vec256 v24 = ws[18U]; + Lib_IntVector_Intrinsics_vec256 v34 = ws[19U]; + Lib_IntVector_Intrinsics_vec256 + v0_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v1_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v2_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v3_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v0__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v1__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v2__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 + v3__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 ws16 = v0__3; + Lib_IntVector_Intrinsics_vec256 ws17 = v2__3; + Lib_IntVector_Intrinsics_vec256 ws18 = v1__3; + Lib_IntVector_Intrinsics_vec256 ws19 = v3__3; + Lib_IntVector_Intrinsics_vec256 v05 = ws[20U]; + Lib_IntVector_Intrinsics_vec256 v15 = ws[21U]; + Lib_IntVector_Intrinsics_vec256 v25 = ws[22U]; + Lib_IntVector_Intrinsics_vec256 v35 = ws[23U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v0__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v1__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v2__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 + v3__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 ws20 = v0__4; + Lib_IntVector_Intrinsics_vec256 ws21 = v2__4; + Lib_IntVector_Intrinsics_vec256 ws22 = v1__4; + Lib_IntVector_Intrinsics_vec256 ws23 = v3__4; + Lib_IntVector_Intrinsics_vec256 v06 = ws[24U]; + Lib_IntVector_Intrinsics_vec256 v16 = ws[25U]; + Lib_IntVector_Intrinsics_vec256 v26 = ws[26U]; + Lib_IntVector_Intrinsics_vec256 v36 = ws[27U]; + Lib_IntVector_Intrinsics_vec256 + v0_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v1_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v2_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v3_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v0__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 ws24 = v0__5; + Lib_IntVector_Intrinsics_vec256 ws25 = v2__5; + Lib_IntVector_Intrinsics_vec256 ws26 = v1__5; + Lib_IntVector_Intrinsics_vec256 ws27 = v3__5; + Lib_IntVector_Intrinsics_vec256 v0 = ws[28U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[29U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[30U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[31U]; + Lib_IntVector_Intrinsics_vec256 + v0_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v1__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v2__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 + v3__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 ws28 = v0__6; + Lib_IntVector_Intrinsics_vec256 ws29 = v2__6; + Lib_IntVector_Intrinsics_vec256 ws30 = v1__6; + Lib_IntVector_Intrinsics_vec256 ws31 = v3__6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + ws[16U] = ws16; + ws[17U] = ws17; + ws[18U] = ws18; + ws[19U] = ws19; + ws[20U] = ws20; + ws[21U] = ws21; + ws[22U] = ws22; + ws[23U] = ws23; + ws[24U] = ws24; + ws[25U] = ws25; + ws[26U] = ws26; + ws[27U] = ws27; + ws[28U] = ws28; + ws[29U] = ws29; + ws[30U] = ws30; + ws[31U] = ws31; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws[i]); + } + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____0 = state[i + 0U]; + Lib_IntVector_Intrinsics_vec256 uu____1 = state[i + 5U]; + Lib_IntVector_Intrinsics_vec256 uu____2 = state[i + 10U]; + _C[i] = + Lib_IntVector_Intrinsics_vec256_xor(uu____0, + Lib_IntVector_Intrinsics_vec256_xor(uu____1, + Lib_IntVector_Intrinsics_vec256_xor(uu____2, + Lib_IntVector_Intrinsics_vec256_xor(state[i + 15U], state[i + 20U]))));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____3 = _C[(i2 + 4U) % 5U]; + Lib_IntVector_Intrinsics_vec256 uu____4 = _C[(i2 + 1U) % 5U]; + Lib_IntVector_Intrinsics_vec256 + _D = + Lib_IntVector_Intrinsics_vec256_xor(uu____3, + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____4, + 1U), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____4, 63U))); + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + state[i2 + 5U * i] = Lib_IntVector_Intrinsics_vec256_xor(state[i2 + 5U * i], _D););); + Lib_IntVector_Intrinsics_vec256 x = state[1U]; + Lib_IntVector_Intrinsics_vec256 current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + Lib_IntVector_Intrinsics_vec256 temp = state[_Y]; + Lib_IntVector_Intrinsics_vec256 uu____5 = current; + state[_Y] = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____5, + r), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____5, 64U - r)); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____6 = state[0U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____7 = Lib_IntVector_Intrinsics_vec256_lognot(state[1U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v07 = + Lib_IntVector_Intrinsics_vec256_xor(uu____6, + Lib_IntVector_Intrinsics_vec256_and(uu____7, state[2U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____8 = state[1U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____9 = Lib_IntVector_Intrinsics_vec256_lognot(state[2U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v17 = + Lib_IntVector_Intrinsics_vec256_xor(uu____8, + Lib_IntVector_Intrinsics_vec256_and(uu____9, state[3U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____10 = state[2U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____11 = Lib_IntVector_Intrinsics_vec256_lognot(state[3U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v27 = + Lib_IntVector_Intrinsics_vec256_xor(uu____10, + Lib_IntVector_Intrinsics_vec256_and(uu____11, state[4U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____12 = state[3U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____13 = Lib_IntVector_Intrinsics_vec256_lognot(state[4U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v37 = + Lib_IntVector_Intrinsics_vec256_xor(uu____12, + Lib_IntVector_Intrinsics_vec256_and(uu____13, state[0U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____14 = state[4U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____15 = Lib_IntVector_Intrinsics_vec256_lognot(state[0U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v4 = + Lib_IntVector_Intrinsics_vec256_xor(uu____14, + Lib_IntVector_Intrinsics_vec256_and(uu____15, state[1U + 5U * i])); + state[0U + 5U * i] = v07; + state[1U + 5U * i] = v17; + state[2U + 5U * i] = v27; + state[3U + 5U * i] = v37; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i1]; + Lib_IntVector_Intrinsics_vec256 uu____16 = state[0U]; + state[0U] = + Lib_IntVector_Intrinsics_vec256_xor(uu____16, + Lib_IntVector_Intrinsics_vec256_load64(c)); + } + } +} + +void +Hacl_Hash_SHA3_Simd256_shake128_absorb_final( + Lib_IntVector_Intrinsics_vec256 *state, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen +) +{ + uint32_t rem = inputByteLen % 168U; + uint8_t b00[256U] = { 0U }; + uint8_t b10[256U] = { 0U }; + uint8_t b20[256U] = { 0U }; + uint8_t b30[256U] = { 0U }; + K____uint8_t___uint8_t____K____uint8_t___uint8_t_ + b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; + uint32_t rem1 = inputByteLen % 168U; + uint8_t *b01 = input0; + uint8_t *b11 = input1; + uint8_t *b21 = input2; + uint8_t *b31 = input3; + uint8_t *bl3 = b_.snd.snd.snd; + uint8_t *bl2 = b_.snd.snd.fst; + uint8_t *bl1 = b_.snd.fst; + uint8_t *bl0 = b_.fst; + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x1FU; + b12[rem] = 0x1FU; + b22[rem] = 0x1FU; + b32[rem] = 0x1FU; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b33 = b_.snd.snd.snd; + uint8_t *b23 = b_.snd.snd.fst; + uint8_t *b13 = b_.snd.fst; + uint8_t *b03 = b_.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws00 = v0__; + Lib_IntVector_Intrinsics_vec256 ws110 = v2__; + Lib_IntVector_Intrinsics_vec256 ws210 = v1__; + Lib_IntVector_Intrinsics_vec256 ws32 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws40 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws50 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws60 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws70 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws80 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws90 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws100 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws111 = v3__1; + Lib_IntVector_Intrinsics_vec256 v03 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v13 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v23 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v33 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws120 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws130 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws140 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws150 = v3__2; + Lib_IntVector_Intrinsics_vec256 v04 = ws[16U]; + Lib_IntVector_Intrinsics_vec256 v14 = ws[17U]; + Lib_IntVector_Intrinsics_vec256 v24 = ws[18U]; + Lib_IntVector_Intrinsics_vec256 v34 = ws[19U]; + Lib_IntVector_Intrinsics_vec256 + v0_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v1_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v2_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v3_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v0__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v1__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v2__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 + v3__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 ws160 = v0__3; + Lib_IntVector_Intrinsics_vec256 ws170 = v2__3; + Lib_IntVector_Intrinsics_vec256 ws180 = v1__3; + Lib_IntVector_Intrinsics_vec256 ws190 = v3__3; + Lib_IntVector_Intrinsics_vec256 v05 = ws[20U]; + Lib_IntVector_Intrinsics_vec256 v15 = ws[21U]; + Lib_IntVector_Intrinsics_vec256 v25 = ws[22U]; + Lib_IntVector_Intrinsics_vec256 v35 = ws[23U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v0__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v1__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v2__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 + v3__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 ws200 = v0__4; + Lib_IntVector_Intrinsics_vec256 ws211 = v2__4; + Lib_IntVector_Intrinsics_vec256 ws220 = v1__4; + Lib_IntVector_Intrinsics_vec256 ws230 = v3__4; + Lib_IntVector_Intrinsics_vec256 v06 = ws[24U]; + Lib_IntVector_Intrinsics_vec256 v16 = ws[25U]; + Lib_IntVector_Intrinsics_vec256 v26 = ws[26U]; + Lib_IntVector_Intrinsics_vec256 v36 = ws[27U]; + Lib_IntVector_Intrinsics_vec256 + v0_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v1_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v2_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v3_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v0__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 ws240 = v0__5; + Lib_IntVector_Intrinsics_vec256 ws250 = v2__5; + Lib_IntVector_Intrinsics_vec256 ws260 = v1__5; + Lib_IntVector_Intrinsics_vec256 ws270 = v3__5; + Lib_IntVector_Intrinsics_vec256 v07 = ws[28U]; + Lib_IntVector_Intrinsics_vec256 v17 = ws[29U]; + Lib_IntVector_Intrinsics_vec256 v27 = ws[30U]; + Lib_IntVector_Intrinsics_vec256 v37 = ws[31U]; + Lib_IntVector_Intrinsics_vec256 + v0_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v07, v17); + Lib_IntVector_Intrinsics_vec256 + v1_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v07, v17); + Lib_IntVector_Intrinsics_vec256 + v2_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v27, v37); + Lib_IntVector_Intrinsics_vec256 + v3_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v27, v37); + Lib_IntVector_Intrinsics_vec256 + v0__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v1__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v2__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 + v3__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 ws280 = v0__6; + Lib_IntVector_Intrinsics_vec256 ws290 = v2__6; + Lib_IntVector_Intrinsics_vec256 ws300 = v1__6; + Lib_IntVector_Intrinsics_vec256 ws310 = v3__6; + ws[0U] = ws00; + ws[1U] = ws110; + ws[2U] = ws210; + ws[3U] = ws32; + ws[4U] = ws40; + ws[5U] = ws50; + ws[6U] = ws60; + ws[7U] = ws70; + ws[8U] = ws80; + ws[9U] = ws90; + ws[10U] = ws100; + ws[11U] = ws111; + ws[12U] = ws120; + ws[13U] = ws130; + ws[14U] = ws140; + ws[15U] = ws150; + ws[16U] = ws160; + ws[17U] = ws170; + ws[18U] = ws180; + ws[19U] = ws190; + ws[20U] = ws200; + ws[21U] = ws211; + ws[22U] = ws220; + ws[23U] = ws230; + ws[24U] = ws240; + ws[25U] = ws250; + ws[26U] = ws260; + ws[27U] = ws270; + ws[28U] = ws280; + ws[29U] = ws290; + ws[30U] = ws300; + ws[31U] = ws310; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws[i]); + } + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; + K____uint8_t___uint8_t____K____uint8_t___uint8_t_ + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[167U] = 0x80U; + b15[167U] = 0x80U; + b25[167U] = 0x80U; + b35[167U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws33[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; + uint8_t *b2 = b.snd.snd.fst; + uint8_t *b1 = b.snd.fst; + uint8_t *b0 = b.fst; + ws33[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0); + ws33[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1); + ws33[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2); + ws33[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws33[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 32U); + ws33[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 32U); + ws33[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 32U); + ws33[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws33[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 64U); + ws33[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 64U); + ws33[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 64U); + ws33[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws33[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 96U); + ws33[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 96U); + ws33[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 96U); + ws33[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws33[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 128U); + ws33[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 128U); + ws33[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 128U); + ws33[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws33[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 160U); + ws33[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 160U); + ws33[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 160U); + ws33[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws33[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 192U); + ws33[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 192U); + ws33[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 192U); + ws33[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws33[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 224U); + ws33[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 224U); + ws33[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 224U); + ws33[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); + Lib_IntVector_Intrinsics_vec256 v08 = ws33[0U]; + Lib_IntVector_Intrinsics_vec256 v18 = ws33[1U]; + Lib_IntVector_Intrinsics_vec256 v28 = ws33[2U]; + Lib_IntVector_Intrinsics_vec256 v38 = ws33[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_7 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v08, v18); + Lib_IntVector_Intrinsics_vec256 + v1_7 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v08, v18); + Lib_IntVector_Intrinsics_vec256 + v2_7 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v28, v38); + Lib_IntVector_Intrinsics_vec256 + v3_7 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v28, v38); + Lib_IntVector_Intrinsics_vec256 + v0__7 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_7, v2_7); + Lib_IntVector_Intrinsics_vec256 + v1__7 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_7, v2_7); + Lib_IntVector_Intrinsics_vec256 + v2__7 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_7, v3_7); + Lib_IntVector_Intrinsics_vec256 + v3__7 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_7, v3_7); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__7; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__7; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__7; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__7; + Lib_IntVector_Intrinsics_vec256 v09 = ws33[4U]; + Lib_IntVector_Intrinsics_vec256 v19 = ws33[5U]; + Lib_IntVector_Intrinsics_vec256 v29 = ws33[6U]; + Lib_IntVector_Intrinsics_vec256 v39 = ws33[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_8 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v09, v19); + Lib_IntVector_Intrinsics_vec256 + v1_8 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v09, v19); + Lib_IntVector_Intrinsics_vec256 + v2_8 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v29, v39); + Lib_IntVector_Intrinsics_vec256 + v3_8 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v29, v39); + Lib_IntVector_Intrinsics_vec256 + v0__8 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_8, v2_8); + Lib_IntVector_Intrinsics_vec256 + v1__8 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_8, v2_8); + Lib_IntVector_Intrinsics_vec256 + v2__8 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_8, v3_8); + Lib_IntVector_Intrinsics_vec256 + v3__8 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_8, v3_8); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__8; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__8; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__8; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__8; + Lib_IntVector_Intrinsics_vec256 v010 = ws33[8U]; + Lib_IntVector_Intrinsics_vec256 v110 = ws33[9U]; + Lib_IntVector_Intrinsics_vec256 v210 = ws33[10U]; + Lib_IntVector_Intrinsics_vec256 v310 = ws33[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_9 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v010, v110); + Lib_IntVector_Intrinsics_vec256 + v1_9 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v010, v110); + Lib_IntVector_Intrinsics_vec256 + v2_9 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v210, v310); + Lib_IntVector_Intrinsics_vec256 + v3_9 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v210, v310); + Lib_IntVector_Intrinsics_vec256 + v0__9 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_9, v2_9); + Lib_IntVector_Intrinsics_vec256 + v1__9 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_9, v2_9); + Lib_IntVector_Intrinsics_vec256 + v2__9 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_9, v3_9); + Lib_IntVector_Intrinsics_vec256 + v3__9 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_9, v3_9); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__9; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__9; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__9; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__9; + Lib_IntVector_Intrinsics_vec256 v011 = ws33[12U]; + Lib_IntVector_Intrinsics_vec256 v111 = ws33[13U]; + Lib_IntVector_Intrinsics_vec256 v211 = ws33[14U]; + Lib_IntVector_Intrinsics_vec256 v311 = ws33[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_10 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v011, v111); + Lib_IntVector_Intrinsics_vec256 + v1_10 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v011, v111); + Lib_IntVector_Intrinsics_vec256 + v2_10 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v211, v311); + Lib_IntVector_Intrinsics_vec256 + v3_10 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v211, v311); + Lib_IntVector_Intrinsics_vec256 + v0__10 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v2_10); + Lib_IntVector_Intrinsics_vec256 + v1__10 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v2_10); + Lib_IntVector_Intrinsics_vec256 + v2__10 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v3_10); + Lib_IntVector_Intrinsics_vec256 + v3__10 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v3_10); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__10; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__10; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__10; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__10; + Lib_IntVector_Intrinsics_vec256 v012 = ws33[16U]; + Lib_IntVector_Intrinsics_vec256 v112 = ws33[17U]; + Lib_IntVector_Intrinsics_vec256 v212 = ws33[18U]; + Lib_IntVector_Intrinsics_vec256 v312 = ws33[19U]; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v012, v112); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v012, v112); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v212, v312); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v212, v312); + Lib_IntVector_Intrinsics_vec256 + v0__11 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_11, v2_11); + Lib_IntVector_Intrinsics_vec256 + v1__11 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_11, v2_11); + Lib_IntVector_Intrinsics_vec256 + v2__11 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_11, v3_11); + Lib_IntVector_Intrinsics_vec256 + v3__11 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_11, v3_11); + Lib_IntVector_Intrinsics_vec256 ws16 = v0__11; + Lib_IntVector_Intrinsics_vec256 ws17 = v2__11; + Lib_IntVector_Intrinsics_vec256 ws18 = v1__11; + Lib_IntVector_Intrinsics_vec256 ws19 = v3__11; + Lib_IntVector_Intrinsics_vec256 v013 = ws33[20U]; + Lib_IntVector_Intrinsics_vec256 v113 = ws33[21U]; + Lib_IntVector_Intrinsics_vec256 v213 = ws33[22U]; + Lib_IntVector_Intrinsics_vec256 v313 = ws33[23U]; + Lib_IntVector_Intrinsics_vec256 + v0_12 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v013, v113); + Lib_IntVector_Intrinsics_vec256 + v1_12 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v013, v113); + Lib_IntVector_Intrinsics_vec256 + v2_12 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v213, v313); + Lib_IntVector_Intrinsics_vec256 + v3_12 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v213, v313); + Lib_IntVector_Intrinsics_vec256 + v0__12 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v2_12); + Lib_IntVector_Intrinsics_vec256 + v1__12 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v2_12); + Lib_IntVector_Intrinsics_vec256 + v2__12 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v3_12); + Lib_IntVector_Intrinsics_vec256 + v3__12 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v3_12); + Lib_IntVector_Intrinsics_vec256 ws20 = v0__12; + Lib_IntVector_Intrinsics_vec256 ws21 = v2__12; + Lib_IntVector_Intrinsics_vec256 ws22 = v1__12; + Lib_IntVector_Intrinsics_vec256 ws23 = v3__12; + Lib_IntVector_Intrinsics_vec256 v014 = ws33[24U]; + Lib_IntVector_Intrinsics_vec256 v114 = ws33[25U]; + Lib_IntVector_Intrinsics_vec256 v214 = ws33[26U]; + Lib_IntVector_Intrinsics_vec256 v314 = ws33[27U]; + Lib_IntVector_Intrinsics_vec256 + v0_13 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v014, v114); + Lib_IntVector_Intrinsics_vec256 + v1_13 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v014, v114); + Lib_IntVector_Intrinsics_vec256 + v2_13 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v214, v314); + Lib_IntVector_Intrinsics_vec256 + v3_13 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v214, v314); + Lib_IntVector_Intrinsics_vec256 + v0__13 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_13, v2_13); + Lib_IntVector_Intrinsics_vec256 + v1__13 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_13, v2_13); + Lib_IntVector_Intrinsics_vec256 + v2__13 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_13, v3_13); + Lib_IntVector_Intrinsics_vec256 + v3__13 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_13, v3_13); + Lib_IntVector_Intrinsics_vec256 ws24 = v0__13; + Lib_IntVector_Intrinsics_vec256 ws25 = v2__13; + Lib_IntVector_Intrinsics_vec256 ws26 = v1__13; + Lib_IntVector_Intrinsics_vec256 ws27 = v3__13; + Lib_IntVector_Intrinsics_vec256 v0 = ws33[28U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws33[29U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws33[30U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws33[31U]; + Lib_IntVector_Intrinsics_vec256 + v0_14 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_14 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_14 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_14 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__14 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_14, v2_14); + Lib_IntVector_Intrinsics_vec256 + v1__14 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_14, v2_14); + Lib_IntVector_Intrinsics_vec256 + v2__14 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_14, v3_14); + Lib_IntVector_Intrinsics_vec256 + v3__14 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_14, v3_14); + Lib_IntVector_Intrinsics_vec256 ws28 = v0__14; + Lib_IntVector_Intrinsics_vec256 ws29 = v2__14; + Lib_IntVector_Intrinsics_vec256 ws30 = v1__14; + Lib_IntVector_Intrinsics_vec256 ws31 = v3__14; + ws33[0U] = ws0; + ws33[1U] = ws1; + ws33[2U] = ws2; + ws33[3U] = ws3; + ws33[4U] = ws4; + ws33[5U] = ws5; + ws33[6U] = ws6; + ws33[7U] = ws7; + ws33[8U] = ws8; + ws33[9U] = ws9; + ws33[10U] = ws10; + ws33[11U] = ws11; + ws33[12U] = ws12; + ws33[13U] = ws13; + ws33[14U] = ws14; + ws33[15U] = ws15; + ws33[16U] = ws16; + ws33[17U] = ws17; + ws33[18U] = ws18; + ws33[19U] = ws19; + ws33[20U] = ws20; + ws33[21U] = ws21; + ws33[22U] = ws22; + ws33[23U] = ws23; + ws33[24U] = ws24; + ws33[25U] = ws25; + ws33[26U] = ws26; + ws33[27U] = ws27; + ws33[28U] = ws28; + ws33[29U] = ws29; + ws33[30U] = ws30; + ws33[31U] = ws31; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws33[i]); + } + for (uint32_t i0 = 0U; i0 < 24U; i0++) + { + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____0 = state[i + 0U]; + Lib_IntVector_Intrinsics_vec256 uu____1 = state[i + 5U]; + Lib_IntVector_Intrinsics_vec256 uu____2 = state[i + 10U]; + _C[i] = + Lib_IntVector_Intrinsics_vec256_xor(uu____0, + Lib_IntVector_Intrinsics_vec256_xor(uu____1, + Lib_IntVector_Intrinsics_vec256_xor(uu____2, + Lib_IntVector_Intrinsics_vec256_xor(state[i + 15U], state[i + 20U]))));); + KRML_MAYBE_FOR5(i1, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____3 = _C[(i1 + 4U) % 5U]; + Lib_IntVector_Intrinsics_vec256 uu____4 = _C[(i1 + 1U) % 5U]; + Lib_IntVector_Intrinsics_vec256 + _D = + Lib_IntVector_Intrinsics_vec256_xor(uu____3, + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____4, + 1U), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____4, 63U))); + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + state[i1 + 5U * i] = Lib_IntVector_Intrinsics_vec256_xor(state[i1 + 5U * i], _D););); + Lib_IntVector_Intrinsics_vec256 x = state[1U]; + Lib_IntVector_Intrinsics_vec256 current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + Lib_IntVector_Intrinsics_vec256 temp = state[_Y]; + Lib_IntVector_Intrinsics_vec256 uu____5 = current; + state[_Y] = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____5, r), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____5, 64U - r)); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____6 = state[0U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____7 = Lib_IntVector_Intrinsics_vec256_lognot(state[1U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v015 = + Lib_IntVector_Intrinsics_vec256_xor(uu____6, + Lib_IntVector_Intrinsics_vec256_and(uu____7, state[2U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____8 = state[1U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____9 = Lib_IntVector_Intrinsics_vec256_lognot(state[2U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v115 = + Lib_IntVector_Intrinsics_vec256_xor(uu____8, + Lib_IntVector_Intrinsics_vec256_and(uu____9, state[3U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____10 = state[2U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____11 = Lib_IntVector_Intrinsics_vec256_lognot(state[3U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v215 = + Lib_IntVector_Intrinsics_vec256_xor(uu____10, + Lib_IntVector_Intrinsics_vec256_and(uu____11, state[4U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____12 = state[3U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____13 = Lib_IntVector_Intrinsics_vec256_lognot(state[4U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v315 = + Lib_IntVector_Intrinsics_vec256_xor(uu____12, + Lib_IntVector_Intrinsics_vec256_and(uu____13, state[0U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____14 = state[4U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____15 = Lib_IntVector_Intrinsics_vec256_lognot(state[0U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v4 = + Lib_IntVector_Intrinsics_vec256_xor(uu____14, + Lib_IntVector_Intrinsics_vec256_and(uu____15, state[1U + 5U * i])); + state[0U + 5U * i] = v015; + state[1U + 5U * i] = v115; + state[2U + 5U * i] = v215; + state[3U + 5U * i] = v315; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i0]; + Lib_IntVector_Intrinsics_vec256 uu____16 = state[0U]; + state[0U] = + Lib_IntVector_Intrinsics_vec256_xor(uu____16, + Lib_IntVector_Intrinsics_vec256_load64(c)); + } +} + +void +Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks( + Lib_IntVector_Intrinsics_vec256 *state, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen +) +{ + for (uint32_t i0 = 0U; i0 < outputByteLen / 168U; i0++) + { + uint8_t hbuf[1024U] = { 0U }; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws[32U] KRML_POST_ALIGN(32) = { 0U }; + memcpy(ws, state, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__1; + Lib_IntVector_Intrinsics_vec256 v03 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v13 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v23 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v33 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__2; + Lib_IntVector_Intrinsics_vec256 v04 = ws[16U]; + Lib_IntVector_Intrinsics_vec256 v14 = ws[17U]; + Lib_IntVector_Intrinsics_vec256 v24 = ws[18U]; + Lib_IntVector_Intrinsics_vec256 v34 = ws[19U]; + Lib_IntVector_Intrinsics_vec256 + v0_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v1_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v2_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v3_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v0__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v1__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v2__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 + v3__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 ws16 = v0__3; + Lib_IntVector_Intrinsics_vec256 ws17 = v2__3; + Lib_IntVector_Intrinsics_vec256 ws18 = v1__3; + Lib_IntVector_Intrinsics_vec256 ws19 = v3__3; + Lib_IntVector_Intrinsics_vec256 v05 = ws[20U]; + Lib_IntVector_Intrinsics_vec256 v15 = ws[21U]; + Lib_IntVector_Intrinsics_vec256 v25 = ws[22U]; + Lib_IntVector_Intrinsics_vec256 v35 = ws[23U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v0__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v1__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v2__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 + v3__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 ws20 = v0__4; + Lib_IntVector_Intrinsics_vec256 ws21 = v2__4; + Lib_IntVector_Intrinsics_vec256 ws22 = v1__4; + Lib_IntVector_Intrinsics_vec256 ws23 = v3__4; + Lib_IntVector_Intrinsics_vec256 v06 = ws[24U]; + Lib_IntVector_Intrinsics_vec256 v16 = ws[25U]; + Lib_IntVector_Intrinsics_vec256 v26 = ws[26U]; + Lib_IntVector_Intrinsics_vec256 v36 = ws[27U]; + Lib_IntVector_Intrinsics_vec256 + v0_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v1_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v2_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v3_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v0__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 ws24 = v0__5; + Lib_IntVector_Intrinsics_vec256 ws25 = v2__5; + Lib_IntVector_Intrinsics_vec256 ws26 = v1__5; + Lib_IntVector_Intrinsics_vec256 ws27 = v3__5; + Lib_IntVector_Intrinsics_vec256 v0 = ws[28U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[29U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[30U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[31U]; + Lib_IntVector_Intrinsics_vec256 + v0_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v1__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v2__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 + v3__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 ws28 = v0__6; + Lib_IntVector_Intrinsics_vec256 ws29 = v2__6; + Lib_IntVector_Intrinsics_vec256 ws30 = v1__6; + Lib_IntVector_Intrinsics_vec256 ws31 = v3__6; + ws[0U] = ws0; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; + ws[31U] = ws31; + for (uint32_t i = 0U; i < 32U; i++) + { + Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); + } + uint8_t *b0 = output0; + uint8_t *b1 = output1; + uint8_t *b2 = output2; + uint8_t *b3 = output3; + memcpy(b0 + i0 * 168U, hbuf, 168U * sizeof (uint8_t)); + memcpy(b1 + i0 * 168U, hbuf + 256U, 168U * sizeof (uint8_t)); + memcpy(b2 + i0 * 168U, hbuf + 512U, 168U * sizeof (uint8_t)); + memcpy(b3 + i0 * 168U, hbuf + 768U, 168U * sizeof (uint8_t)); + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____0 = state[i + 0U]; + Lib_IntVector_Intrinsics_vec256 uu____1 = state[i + 5U]; + Lib_IntVector_Intrinsics_vec256 uu____2 = state[i + 10U]; + _C[i] = + Lib_IntVector_Intrinsics_vec256_xor(uu____0, + Lib_IntVector_Intrinsics_vec256_xor(uu____1, + Lib_IntVector_Intrinsics_vec256_xor(uu____2, + Lib_IntVector_Intrinsics_vec256_xor(state[i + 15U], state[i + 20U]))));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____3 = _C[(i2 + 4U) % 5U]; + Lib_IntVector_Intrinsics_vec256 uu____4 = _C[(i2 + 1U) % 5U]; + Lib_IntVector_Intrinsics_vec256 + _D = + Lib_IntVector_Intrinsics_vec256_xor(uu____3, + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____4, + 1U), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____4, 63U))); + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + state[i2 + 5U * i] = Lib_IntVector_Intrinsics_vec256_xor(state[i2 + 5U * i], _D););); + Lib_IntVector_Intrinsics_vec256 x = state[1U]; + Lib_IntVector_Intrinsics_vec256 current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + Lib_IntVector_Intrinsics_vec256 temp = state[_Y]; + Lib_IntVector_Intrinsics_vec256 uu____5 = current; + state[_Y] = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____5, + r), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____5, 64U - r)); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____6 = state[0U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____7 = Lib_IntVector_Intrinsics_vec256_lognot(state[1U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v07 = + Lib_IntVector_Intrinsics_vec256_xor(uu____6, + Lib_IntVector_Intrinsics_vec256_and(uu____7, state[2U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____8 = state[1U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____9 = Lib_IntVector_Intrinsics_vec256_lognot(state[2U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v17 = + Lib_IntVector_Intrinsics_vec256_xor(uu____8, + Lib_IntVector_Intrinsics_vec256_and(uu____9, state[3U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____10 = state[2U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____11 = Lib_IntVector_Intrinsics_vec256_lognot(state[3U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v27 = + Lib_IntVector_Intrinsics_vec256_xor(uu____10, + Lib_IntVector_Intrinsics_vec256_and(uu____11, state[4U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____12 = state[3U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____13 = Lib_IntVector_Intrinsics_vec256_lognot(state[4U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v37 = + Lib_IntVector_Intrinsics_vec256_xor(uu____12, + Lib_IntVector_Intrinsics_vec256_and(uu____13, state[0U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____14 = state[4U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____15 = Lib_IntVector_Intrinsics_vec256_lognot(state[0U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v4 = + Lib_IntVector_Intrinsics_vec256_xor(uu____14, + Lib_IntVector_Intrinsics_vec256_and(uu____15, state[1U + 5U * i])); + state[0U + 5U * i] = v07; + state[1U + 5U * i] = v17; + state[2U + 5U * i] = v27; + state[3U + 5U * i] = v37; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i1]; + Lib_IntVector_Intrinsics_vec256 uu____16 = state[0U]; + state[0U] = + Lib_IntVector_Intrinsics_vec256_xor(uu____16, + Lib_IntVector_Intrinsics_vec256_load64(c)); + } + } } diff --git a/sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Scalar.c b/sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Scalar.c index 43d574827..6d6806a37 100644 --- a/sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Scalar.c +++ b/sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Scalar.c @@ -55,10 +55,10 @@ Hacl_Impl_SHA3_Vec_keccak_rndc[24U] = void Hacl_Hash_SHA3_Scalar_shake128( - uint32_t inputByteLen, - uint8_t *input, + uint8_t *output, uint32_t outputByteLen, - uint8_t *output + uint8_t *input, + uint32_t inputByteLen ) { uint32_t rateInBytes = 168U; @@ -447,10 +447,10 @@ Hacl_Hash_SHA3_Scalar_shake128( void Hacl_Hash_SHA3_Scalar_shake256( - uint32_t inputByteLen, - uint8_t *input, + uint8_t *output, uint32_t outputByteLen, - uint8_t *output + uint8_t *input, + uint32_t inputByteLen ) { uint32_t rateInBytes = 136U; @@ -837,7 +837,7 @@ Hacl_Hash_SHA3_Scalar_shake256( memcpy(output + outputByteLen - remOut, hbuf, remOut * sizeof (uint8_t)); } -void Hacl_Hash_SHA3_Scalar_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +void Hacl_Hash_SHA3_Scalar_sha3_224(uint8_t *output, uint8_t *input, uint32_t inputByteLen) { uint32_t rateInBytes = 144U; uint64_t s[25U] = { 0U }; @@ -1223,7 +1223,7 @@ void Hacl_Hash_SHA3_Scalar_sha3_224(uint32_t inputByteLen, uint8_t *input, uint8 memcpy(output + 28U - remOut, hbuf, remOut * sizeof (uint8_t)); } -void Hacl_Hash_SHA3_Scalar_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +void Hacl_Hash_SHA3_Scalar_sha3_256(uint8_t *output, uint8_t *input, uint32_t inputByteLen) { uint32_t rateInBytes = 136U; uint64_t s[25U] = { 0U }; @@ -1609,7 +1609,7 @@ void Hacl_Hash_SHA3_Scalar_sha3_256(uint32_t inputByteLen, uint8_t *input, uint8 memcpy(output + 32U - remOut, hbuf, remOut * sizeof (uint8_t)); } -void Hacl_Hash_SHA3_Scalar_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +void Hacl_Hash_SHA3_Scalar_sha3_384(uint8_t *output, uint8_t *input, uint32_t inputByteLen) { uint32_t rateInBytes = 104U; uint64_t s[25U] = { 0U }; @@ -1995,7 +1995,7 @@ void Hacl_Hash_SHA3_Scalar_sha3_384(uint32_t inputByteLen, uint8_t *input, uint8 memcpy(output + 48U - remOut, hbuf, remOut * sizeof (uint8_t)); } -void Hacl_Hash_SHA3_Scalar_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8_t *output) +void Hacl_Hash_SHA3_Scalar_sha3_512(uint8_t *output, uint8_t *input, uint32_t inputByteLen) { uint32_t rateInBytes = 72U; uint64_t s[25U] = { 0U }; @@ -2381,3 +2381,418 @@ void Hacl_Hash_SHA3_Scalar_sha3_512(uint32_t inputByteLen, uint8_t *input, uint8 memcpy(output + 64U - remOut, hbuf, remOut * sizeof (uint8_t)); } +uint64_t *Hacl_Hash_SHA3_Scalar_state_malloc(void) +{ + uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); + return buf; +} + +void Hacl_Hash_SHA3_Scalar_state_free(uint64_t *s) +{ + KRML_HOST_FREE(s); +} + +void +Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks( + uint64_t *state, + uint8_t *input, + uint32_t inputByteLen +) +{ + for (uint32_t i0 = 0U; i0 < inputByteLen / 168U; i0++) + { + uint8_t b1[256U] = { 0U }; + uint8_t *b_ = b1; + uint8_t *b0 = input; + uint8_t *bl0 = b_; + memcpy(bl0, b0 + i0 * 168U, 168U * sizeof (uint8_t)); + uint64_t ws[32U] = { 0U }; + uint8_t *b = b_; + uint64_t u = load64_le(b); + ws[0U] = u; + uint64_t u0 = load64_le(b + 8U); + ws[1U] = u0; + uint64_t u1 = load64_le(b + 16U); + ws[2U] = u1; + uint64_t u2 = load64_le(b + 24U); + ws[3U] = u2; + uint64_t u3 = load64_le(b + 32U); + ws[4U] = u3; + uint64_t u4 = load64_le(b + 40U); + ws[5U] = u4; + uint64_t u5 = load64_le(b + 48U); + ws[6U] = u5; + uint64_t u6 = load64_le(b + 56U); + ws[7U] = u6; + uint64_t u7 = load64_le(b + 64U); + ws[8U] = u7; + uint64_t u8 = load64_le(b + 72U); + ws[9U] = u8; + uint64_t u9 = load64_le(b + 80U); + ws[10U] = u9; + uint64_t u10 = load64_le(b + 88U); + ws[11U] = u10; + uint64_t u11 = load64_le(b + 96U); + ws[12U] = u11; + uint64_t u12 = load64_le(b + 104U); + ws[13U] = u12; + uint64_t u13 = load64_le(b + 112U); + ws[14U] = u13; + uint64_t u14 = load64_le(b + 120U); + ws[15U] = u14; + uint64_t u15 = load64_le(b + 128U); + ws[16U] = u15; + uint64_t u16 = load64_le(b + 136U); + ws[17U] = u16; + uint64_t u17 = load64_le(b + 144U); + ws[18U] = u17; + uint64_t u18 = load64_le(b + 152U); + ws[19U] = u18; + uint64_t u19 = load64_le(b + 160U); + ws[20U] = u19; + uint64_t u20 = load64_le(b + 168U); + ws[21U] = u20; + uint64_t u21 = load64_le(b + 176U); + ws[22U] = u21; + uint64_t u22 = load64_le(b + 184U); + ws[23U] = u22; + uint64_t u23 = load64_le(b + 192U); + ws[24U] = u23; + uint64_t u24 = load64_le(b + 200U); + ws[25U] = u24; + uint64_t u25 = load64_le(b + 208U); + ws[26U] = u25; + uint64_t u26 = load64_le(b + 216U); + ws[27U] = u26; + uint64_t u27 = load64_le(b + 224U); + ws[28U] = u27; + uint64_t u28 = load64_le(b + 232U); + ws[29U] = u28; + uint64_t u29 = load64_le(b + 240U); + ws[30U] = u29; + uint64_t u30 = load64_le(b + 248U); + ws[31U] = u30; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = state[i] ^ ws[i]; + } + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + uint64_t _C[5U] = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + _C[i] = + state[i + + 0U] + ^ (state[i + 5U] ^ (state[i + 10U] ^ (state[i + 15U] ^ state[i + 20U])));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + uint64_t uu____0 = _C[(i2 + 1U) % 5U]; + uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U); + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, state[i2 + 5U * i] = state[i2 + 5U * i] ^ _D;);); + uint64_t x = state[1U]; + uint64_t current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + uint64_t temp = state[_Y]; + uint64_t uu____1 = current; + state[_Y] = uu____1 << r | uu____1 >> (64U - r); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + uint64_t v0 = state[0U + 5U * i] ^ (~state[1U + 5U * i] & state[2U + 5U * i]); + uint64_t v1 = state[1U + 5U * i] ^ (~state[2U + 5U * i] & state[3U + 5U * i]); + uint64_t v2 = state[2U + 5U * i] ^ (~state[3U + 5U * i] & state[4U + 5U * i]); + uint64_t v3 = state[3U + 5U * i] ^ (~state[4U + 5U * i] & state[0U + 5U * i]); + uint64_t v4 = state[4U + 5U * i] ^ (~state[0U + 5U * i] & state[1U + 5U * i]); + state[0U + 5U * i] = v0; + state[1U + 5U * i] = v1; + state[2U + 5U * i] = v2; + state[3U + 5U * i] = v3; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i1]; + state[0U] = state[0U] ^ c; + } + } +} + +void +Hacl_Hash_SHA3_Scalar_shake128_absorb_final( + uint64_t *state, + uint8_t *input, + uint32_t inputByteLen +) +{ + uint32_t rem = inputByteLen % 168U; + uint8_t b2[256U] = { 0U }; + uint8_t *b_ = b2; + uint32_t rem1 = inputByteLen % 168U; + uint8_t *b00 = input; + uint8_t *bl0 = b_; + memcpy(bl0, b00 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b01 = b_; + b01[rem] = 0x1FU; + uint64_t ws[32U] = { 0U }; + uint8_t *b = b_; + uint64_t u0 = load64_le(b); + ws[0U] = u0; + uint64_t u1 = load64_le(b + 8U); + ws[1U] = u1; + uint64_t u2 = load64_le(b + 16U); + ws[2U] = u2; + uint64_t u3 = load64_le(b + 24U); + ws[3U] = u3; + uint64_t u4 = load64_le(b + 32U); + ws[4U] = u4; + uint64_t u5 = load64_le(b + 40U); + ws[5U] = u5; + uint64_t u6 = load64_le(b + 48U); + ws[6U] = u6; + uint64_t u7 = load64_le(b + 56U); + ws[7U] = u7; + uint64_t u8 = load64_le(b + 64U); + ws[8U] = u8; + uint64_t u9 = load64_le(b + 72U); + ws[9U] = u9; + uint64_t u10 = load64_le(b + 80U); + ws[10U] = u10; + uint64_t u11 = load64_le(b + 88U); + ws[11U] = u11; + uint64_t u12 = load64_le(b + 96U); + ws[12U] = u12; + uint64_t u13 = load64_le(b + 104U); + ws[13U] = u13; + uint64_t u14 = load64_le(b + 112U); + ws[14U] = u14; + uint64_t u15 = load64_le(b + 120U); + ws[15U] = u15; + uint64_t u16 = load64_le(b + 128U); + ws[16U] = u16; + uint64_t u17 = load64_le(b + 136U); + ws[17U] = u17; + uint64_t u18 = load64_le(b + 144U); + ws[18U] = u18; + uint64_t u19 = load64_le(b + 152U); + ws[19U] = u19; + uint64_t u20 = load64_le(b + 160U); + ws[20U] = u20; + uint64_t u21 = load64_le(b + 168U); + ws[21U] = u21; + uint64_t u22 = load64_le(b + 176U); + ws[22U] = u22; + uint64_t u23 = load64_le(b + 184U); + ws[23U] = u23; + uint64_t u24 = load64_le(b + 192U); + ws[24U] = u24; + uint64_t u25 = load64_le(b + 200U); + ws[25U] = u25; + uint64_t u26 = load64_le(b + 208U); + ws[26U] = u26; + uint64_t u27 = load64_le(b + 216U); + ws[27U] = u27; + uint64_t u28 = load64_le(b + 224U); + ws[28U] = u28; + uint64_t u29 = load64_le(b + 232U); + ws[29U] = u29; + uint64_t u30 = load64_le(b + 240U); + ws[30U] = u30; + uint64_t u31 = load64_le(b + 248U); + ws[31U] = u31; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = state[i] ^ ws[i]; + } + uint8_t b3[256U] = { 0U }; + uint8_t *b4 = b3; + uint8_t *b0 = b4; + b0[167U] = 0x80U; + uint64_t ws0[32U] = { 0U }; + uint8_t *b1 = b4; + uint64_t u = load64_le(b1); + ws0[0U] = u; + uint64_t u32 = load64_le(b1 + 8U); + ws0[1U] = u32; + uint64_t u33 = load64_le(b1 + 16U); + ws0[2U] = u33; + uint64_t u34 = load64_le(b1 + 24U); + ws0[3U] = u34; + uint64_t u35 = load64_le(b1 + 32U); + ws0[4U] = u35; + uint64_t u36 = load64_le(b1 + 40U); + ws0[5U] = u36; + uint64_t u37 = load64_le(b1 + 48U); + ws0[6U] = u37; + uint64_t u38 = load64_le(b1 + 56U); + ws0[7U] = u38; + uint64_t u39 = load64_le(b1 + 64U); + ws0[8U] = u39; + uint64_t u40 = load64_le(b1 + 72U); + ws0[9U] = u40; + uint64_t u41 = load64_le(b1 + 80U); + ws0[10U] = u41; + uint64_t u42 = load64_le(b1 + 88U); + ws0[11U] = u42; + uint64_t u43 = load64_le(b1 + 96U); + ws0[12U] = u43; + uint64_t u44 = load64_le(b1 + 104U); + ws0[13U] = u44; + uint64_t u45 = load64_le(b1 + 112U); + ws0[14U] = u45; + uint64_t u46 = load64_le(b1 + 120U); + ws0[15U] = u46; + uint64_t u47 = load64_le(b1 + 128U); + ws0[16U] = u47; + uint64_t u48 = load64_le(b1 + 136U); + ws0[17U] = u48; + uint64_t u49 = load64_le(b1 + 144U); + ws0[18U] = u49; + uint64_t u50 = load64_le(b1 + 152U); + ws0[19U] = u50; + uint64_t u51 = load64_le(b1 + 160U); + ws0[20U] = u51; + uint64_t u52 = load64_le(b1 + 168U); + ws0[21U] = u52; + uint64_t u53 = load64_le(b1 + 176U); + ws0[22U] = u53; + uint64_t u54 = load64_le(b1 + 184U); + ws0[23U] = u54; + uint64_t u55 = load64_le(b1 + 192U); + ws0[24U] = u55; + uint64_t u56 = load64_le(b1 + 200U); + ws0[25U] = u56; + uint64_t u57 = load64_le(b1 + 208U); + ws0[26U] = u57; + uint64_t u58 = load64_le(b1 + 216U); + ws0[27U] = u58; + uint64_t u59 = load64_le(b1 + 224U); + ws0[28U] = u59; + uint64_t u60 = load64_le(b1 + 232U); + ws0[29U] = u60; + uint64_t u61 = load64_le(b1 + 240U); + ws0[30U] = u61; + uint64_t u62 = load64_le(b1 + 248U); + ws0[31U] = u62; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = state[i] ^ ws0[i]; + } + for (uint32_t i0 = 0U; i0 < 24U; i0++) + { + uint64_t _C[5U] = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + _C[i] = state[i + 0U] ^ (state[i + 5U] ^ (state[i + 10U] ^ (state[i + 15U] ^ state[i + 20U])));); + KRML_MAYBE_FOR5(i1, + 0U, + 5U, + 1U, + uint64_t uu____0 = _C[(i1 + 1U) % 5U]; + uint64_t _D = _C[(i1 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U); + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, state[i1 + 5U * i] = state[i1 + 5U * i] ^ _D;);); + uint64_t x = state[1U]; + uint64_t current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + uint64_t temp = state[_Y]; + uint64_t uu____1 = current; + state[_Y] = uu____1 << r | uu____1 >> (64U - r); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + uint64_t v0 = state[0U + 5U * i] ^ (~state[1U + 5U * i] & state[2U + 5U * i]); + uint64_t v1 = state[1U + 5U * i] ^ (~state[2U + 5U * i] & state[3U + 5U * i]); + uint64_t v2 = state[2U + 5U * i] ^ (~state[3U + 5U * i] & state[4U + 5U * i]); + uint64_t v3 = state[3U + 5U * i] ^ (~state[4U + 5U * i] & state[0U + 5U * i]); + uint64_t v4 = state[4U + 5U * i] ^ (~state[0U + 5U * i] & state[1U + 5U * i]); + state[0U + 5U * i] = v0; + state[1U + 5U * i] = v1; + state[2U + 5U * i] = v2; + state[3U + 5U * i] = v3; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i0]; + state[0U] = state[0U] ^ c; + } +} + +void +Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks( + uint64_t *state, + uint8_t *output, + uint32_t outputByteLen +) +{ + for (uint32_t i0 = 0U; i0 < outputByteLen / 168U; i0++) + { + uint8_t hbuf[256U] = { 0U }; + uint64_t ws[32U] = { 0U }; + memcpy(ws, state, 25U * sizeof (uint64_t)); + for (uint32_t i = 0U; i < 32U; i++) + { + store64_le(hbuf + i * 8U, ws[i]); + } + memcpy(output + i0 * 168U, hbuf, 168U * sizeof (uint8_t)); + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + uint64_t _C[5U] = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + _C[i] = + state[i + + 0U] + ^ (state[i + 5U] ^ (state[i + 10U] ^ (state[i + 15U] ^ state[i + 20U])));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + uint64_t uu____0 = _C[(i2 + 1U) % 5U]; + uint64_t _D = _C[(i2 + 4U) % 5U] ^ (uu____0 << 1U | uu____0 >> 63U); + KRML_MAYBE_FOR5(i, 0U, 5U, 1U, state[i2 + 5U * i] = state[i2 + 5U * i] ^ _D;);); + uint64_t x = state[1U]; + uint64_t current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + uint64_t temp = state[_Y]; + uint64_t uu____1 = current; + state[_Y] = uu____1 << r | uu____1 >> (64U - r); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + uint64_t v0 = state[0U + 5U * i] ^ (~state[1U + 5U * i] & state[2U + 5U * i]); + uint64_t v1 = state[1U + 5U * i] ^ (~state[2U + 5U * i] & state[3U + 5U * i]); + uint64_t v2 = state[2U + 5U * i] ^ (~state[3U + 5U * i] & state[4U + 5U * i]); + uint64_t v3 = state[3U + 5U * i] ^ (~state[4U + 5U * i] & state[0U + 5U * i]); + uint64_t v4 = state[4U + 5U * i] ^ (~state[0U + 5U * i] & state[1U + 5U * i]); + state[0U + 5U * i] = v0; + state[1U + 5U * i] = v1; + state[2U + 5U * i] = v2; + state[3U + 5U * i] = v3; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i1]; + state[0U] = state[0U] ^ c; + } + } +} + diff --git a/sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Simd256.c b/sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Simd256.c index b9bfcee59..9046f3dbe 100644 --- a/sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Simd256.c +++ b/sys/hacl/c/src/msvc/Hacl_Hash_SHA3_Simd256.c @@ -26,20 +26,19 @@ #include "Hacl_Hash_SHA3_Simd256.h" #include "internal/Hacl_Hash_SHA3_Scalar.h" -#include "libintvector.h" void Hacl_Hash_SHA3_Simd256_shake128( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint32_t outputByteLen, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -438,63 +437,63 @@ Hacl_Hash_SHA3_Simd256_shake128( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x1FU; + b12[rem] = 0x1FU; + b22[rem] = 0x1FU; + b32[rem] = 0x1FU; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x1FU; - b13[rem] = 0x1FU; - b23[rem] = 0x1FU; - b33[rem] = 0x1FU; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -723,57 +722,57 @@ Hacl_Hash_SHA3_Simd256_shake128( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -1295,62 +1294,49 @@ Hacl_Hash_SHA3_Simd256_shake128( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -1645,76 +1631,63 @@ Hacl_Hash_SHA3_Simd256_shake128( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + outputByteLen - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + outputByteLen - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + outputByteLen - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + outputByteLen - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + outputByteLen - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + outputByteLen - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_shake256( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint32_t outputByteLen, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -2113,63 +2086,63 @@ Hacl_Hash_SHA3_Simd256_shake256( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x1FU; + b12[rem] = 0x1FU; + b22[rem] = 0x1FU; + b32[rem] = 0x1FU; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x1FU; - b13[rem] = 0x1FU; - b23[rem] = 0x1FU; - b33[rem] = 0x1FU; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -2398,57 +2371,57 @@ Hacl_Hash_SHA3_Simd256_shake256( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -2970,62 +2943,49 @@ Hacl_Hash_SHA3_Simd256_shake256( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -3320,75 +3280,62 @@ Hacl_Hash_SHA3_Simd256_shake256( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + outputByteLen - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + outputByteLen - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + outputByteLen - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + outputByteLen - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + outputByteLen - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + outputByteLen - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + outputByteLen - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + outputByteLen - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_sha3_224( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -3787,63 +3734,63 @@ Hacl_Hash_SHA3_Simd256_sha3_224( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x06U; + b12[rem] = 0x06U; + b22[rem] = 0x06U; + b32[rem] = 0x06U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x06U; - b13[rem] = 0x06U; - b23[rem] = 0x06U; - b33[rem] = 0x06U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -4072,57 +4019,57 @@ Hacl_Hash_SHA3_Simd256_sha3_224( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -4644,62 +4591,49 @@ Hacl_Hash_SHA3_Simd256_sha3_224( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -4994,75 +4928,62 @@ Hacl_Hash_SHA3_Simd256_sha3_224( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + 28U - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + 28U - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + 28U - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + 28U - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + 28U - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + 28U - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + 28U - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + 28U - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + 28U - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + 28U - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + 28U - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + 28U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_sha3_256( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -5461,63 +5382,63 @@ Hacl_Hash_SHA3_Simd256_sha3_256( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x06U; + b12[rem] = 0x06U; + b22[rem] = 0x06U; + b32[rem] = 0x06U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x06U; - b13[rem] = 0x06U; - b23[rem] = 0x06U; - b33[rem] = 0x06U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -5746,57 +5667,57 @@ Hacl_Hash_SHA3_Simd256_sha3_256( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -6318,62 +6239,49 @@ Hacl_Hash_SHA3_Simd256_sha3_256( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -6668,75 +6576,62 @@ Hacl_Hash_SHA3_Simd256_sha3_256( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + 32U - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + 32U - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + 32U - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + 32U - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + 32U - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + 32U - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + 32U - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + 32U - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + 32U - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + 32U - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + 32U - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + 32U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_sha3_384( - uint32_t inputByteLen, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, uint8_t *input0, uint8_t *input1, uint8_t *input2, uint8_t *input3, - uint8_t *output0, - uint8_t *output1, - uint8_t *output2, - uint8_t *output3 + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -7135,63 +7030,63 @@ Hacl_Hash_SHA3_Simd256_sha3_384( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x06U; + b12[rem] = 0x06U; + b22[rem] = 0x06U; + b32[rem] = 0x06U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x06U; - b13[rem] = 0x06U; - b23[rem] = 0x06U; - b33[rem] = 0x06U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -7420,57 +7315,57 @@ Hacl_Hash_SHA3_Simd256_sha3_384( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -7992,62 +7887,49 @@ Hacl_Hash_SHA3_Simd256_sha3_384( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -8342,75 +8224,62 @@ Hacl_Hash_SHA3_Simd256_sha3_384( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + 48U - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + 48U - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + 48U - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + 48U - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + 48U - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + 48U - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + 48U - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + 48U - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + 48U - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + 48U - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + 48U - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + 48U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } void Hacl_Hash_SHA3_Simd256_sha3_512( - uint32_t inputByteLen, - uint8_t *input0, - uint8_t *input1, - uint8_t *input2, - uint8_t *input3, uint8_t *output0, uint8_t *output1, uint8_t *output2, - uint8_t *output3 + uint8_t *output3, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen ) { K____uint8_t___uint8_t____K____uint8_t___uint8_t_ @@ -8809,63 +8678,63 @@ Hacl_Hash_SHA3_Simd256_sha3_512( K____uint8_t___uint8_t____K____uint8_t___uint8_t_ b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; uint32_t rem1 = inputByteLen % rateInBytes; - uint8_t *b32 = ib.snd.snd.snd; - uint8_t *b22 = ib.snd.snd.fst; - uint8_t *b12 = ib.snd.fst; - uint8_t *b02 = ib.fst; + uint8_t *b31 = ib.snd.snd.snd; + uint8_t *b21 = ib.snd.snd.fst; + uint8_t *b11 = ib.snd.fst; + uint8_t *b01 = ib.fst; uint8_t *bl3 = b_.snd.snd.snd; uint8_t *bl2 = b_.snd.snd.fst; uint8_t *bl1 = b_.snd.fst; uint8_t *bl0 = b_.fst; - memcpy(bl0, b02 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl1, b12 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl2, b22 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); - memcpy(bl3, b32 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x06U; + b12[rem] = 0x06U; + b22[rem] = 0x06U; + b32[rem] = 0x06U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; uint8_t *b33 = b_.snd.snd.snd; uint8_t *b23 = b_.snd.snd.fst; uint8_t *b13 = b_.snd.fst; uint8_t *b03 = b_.fst; - b03[rem] = 0x06U; - b13[rem] = 0x06U; - b23[rem] = 0x06U; - b33[rem] = 0x06U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws32[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b34 = b_.snd.snd.snd; - uint8_t *b24 = b_.snd.snd.fst; - uint8_t *b14 = b_.snd.fst; - uint8_t *b04 = b_.fst; - ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04); - ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14); - ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24); - ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34); - ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 32U); - ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 32U); - ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 32U); - ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 32U); - ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 64U); - ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 64U); - ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 64U); - ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 64U); - ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 96U); - ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 96U); - ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 96U); - ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 96U); - ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 128U); - ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 128U); - ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 128U); - ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 128U); - ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 160U); - ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 160U); - ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 160U); - ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 160U); - ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 192U); - ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 192U); - ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 192U); - ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 192U); - ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b04 + 224U); - ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b14 + 224U); - ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b24 + 224U); - ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b34 + 224U); + ws32[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws32[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws32[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws32[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws32[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws32[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws32[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws32[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws32[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws32[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws32[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws32[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws32[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws32[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws32[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws32[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws32[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws32[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws32[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws32[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws32[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws32[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws32[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws32[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws32[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws32[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws32[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws32[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws32[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws32[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws32[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws32[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); Lib_IntVector_Intrinsics_vec256 v00 = ws32[0U]; Lib_IntVector_Intrinsics_vec256 v10 = ws32[1U]; Lib_IntVector_Intrinsics_vec256 v20 = ws32[2U]; @@ -9094,57 +8963,57 @@ Hacl_Hash_SHA3_Simd256_sha3_512( { s[i] = Lib_IntVector_Intrinsics_vec256_xor(s[i], ws32[i]); } - uint8_t b05[256U] = { 0U }; - uint8_t b15[256U] = { 0U }; - uint8_t b25[256U] = { 0U }; - uint8_t b35[256U] = { 0U }; + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; K____uint8_t___uint8_t____K____uint8_t___uint8_t_ - b = { .fst = b05, .snd = { .fst = b15, .snd = { .fst = b25, .snd = b35 } } }; - uint8_t *b36 = b.snd.snd.snd; + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[rateInBytes - 1U] = 0x80U; + b15[rateInBytes - 1U] = 0x80U; + b25[rateInBytes - 1U] = 0x80U; + b35[rateInBytes - 1U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; uint8_t *b26 = b.snd.snd.fst; uint8_t *b16 = b.snd.fst; uint8_t *b06 = b.fst; - b06[rateInBytes - 1U] = 0x80U; - b16[rateInBytes - 1U] = 0x80U; - b26[rateInBytes - 1U] = 0x80U; - b36[rateInBytes - 1U] = 0x80U; - KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws34[32U] KRML_POST_ALIGN(32) = { 0U }; - uint8_t *b37 = b.snd.snd.snd; - uint8_t *b27 = b.snd.snd.fst; - uint8_t *b17 = b.snd.fst; - uint8_t *b07 = b.fst; - ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07); - ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17); - ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27); - ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37); - ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 32U); - ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 32U); - ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 32U); - ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 32U); - ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 64U); - ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 64U); - ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 64U); - ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 64U); - ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 96U); - ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 96U); - ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 96U); - ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 96U); - ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 128U); - ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 128U); - ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 128U); - ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 128U); - ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 160U); - ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 160U); - ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 160U); - ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 160U); - ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 192U); - ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 192U); - ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 192U); - ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 192U); - ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b07 + 224U); - ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b17 + 224U); - ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b27 + 224U); - ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b37 + 224U); + ws34[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06); + ws34[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16); + ws34[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26); + ws34[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws34[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 32U); + ws34[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 32U); + ws34[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 32U); + ws34[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws34[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 64U); + ws34[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 64U); + ws34[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 64U); + ws34[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws34[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 96U); + ws34[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 96U); + ws34[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 96U); + ws34[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws34[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 128U); + ws34[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 128U); + ws34[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 128U); + ws34[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws34[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 160U); + ws34[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 160U); + ws34[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 160U); + ws34[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws34[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 192U); + ws34[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 192U); + ws34[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 192U); + ws34[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws34[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b06 + 224U); + ws34[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b16 + 224U); + ws34[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b26 + 224U); + ws34[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); Lib_IntVector_Intrinsics_vec256 v08 = ws34[0U]; Lib_IntVector_Intrinsics_vec256 v18 = ws34[1U]; Lib_IntVector_Intrinsics_vec256 v28 = ws34[2U]; @@ -9666,62 +9535,49 @@ Hacl_Hash_SHA3_Simd256_sha3_512( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < rateInBytes / 32U; i++) - { - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = rateInBytes % 32U; - uint32_t j = rateInBytes / 32U; - uint8_t *b31 = rb.snd.snd.snd; - uint8_t *b21 = rb.snd.snd.fst; - uint8_t *b11 = rb.snd.fst; - uint8_t *b01 = rb.fst; - memcpy(b01 + i0 * rateInBytes + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b11 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b21 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b31 + i0 * rateInBytes + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + uint8_t *b36 = rb.snd.snd.snd; + uint8_t *b2 = rb.snd.snd.fst; + uint8_t *b1 = rb.snd.fst; + uint8_t *b0 = rb.fst; + memcpy(b0 + i0 * rateInBytes, hbuf, rateInBytes * sizeof (uint8_t)); + memcpy(b1 + i0 * rateInBytes, hbuf + 256U, rateInBytes * sizeof (uint8_t)); + memcpy(b2 + i0 * rateInBytes, hbuf + 512U, rateInBytes * sizeof (uint8_t)); + memcpy(b36 + i0 * rateInBytes, hbuf + 768U, rateInBytes * sizeof (uint8_t)); for (uint32_t i1 = 0U; i1 < 24U; i1++) { KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; @@ -10016,61 +9872,1482 @@ Hacl_Hash_SHA3_Simd256_sha3_512( Lib_IntVector_Intrinsics_vec256 ws30 = v1__22; Lib_IntVector_Intrinsics_vec256 ws31 = v3__22; ws[0U] = ws0; - ws[1U] = ws1; - ws[2U] = ws2; - ws[3U] = ws3; - ws[4U] = ws4; - ws[5U] = ws5; - ws[6U] = ws6; - ws[7U] = ws7; - ws[8U] = ws8; - ws[9U] = ws9; - ws[10U] = ws10; - ws[11U] = ws11; - ws[12U] = ws12; - ws[13U] = ws13; - ws[14U] = ws14; - ws[15U] = ws15; - ws[16U] = ws16; - ws[17U] = ws17; - ws[18U] = ws18; - ws[19U] = ws19; - ws[20U] = ws20; - ws[21U] = ws21; - ws[22U] = ws22; - ws[23U] = ws23; - ws[24U] = ws24; - ws[25U] = ws25; - ws[26U] = ws26; - ws[27U] = ws27; - ws[28U] = ws28; - ws[29U] = ws29; - ws[30U] = ws30; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; ws[31U] = ws31; for (uint32_t i = 0U; i < 32U; i++) { Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); } - for (uint32_t i = 0U; i < remOut / 32U; i++) - { - uint8_t *b3 = rb.snd.snd.snd; - uint8_t *b2 = rb.snd.snd.fst; - uint8_t *b1 = rb.snd.fst; - uint8_t *b0 = rb.fst; - memcpy(b0 + 64U - remOut + i * 32U, hbuf + i * 128U, 32U * sizeof (uint8_t)); - memcpy(b1 + 64U - remOut + i * 32U, hbuf + i * 128U + 32U, 32U * sizeof (uint8_t)); - memcpy(b2 + 64U - remOut + i * 32U, hbuf + i * 128U + 64U, 32U * sizeof (uint8_t)); - memcpy(b3 + 64U - remOut + i * 32U, hbuf + i * 128U + 96U, 32U * sizeof (uint8_t)); - } - uint32_t rem0 = remOut % 32U; - uint32_t j = remOut / 32U; - uint8_t *b3 = rb.snd.snd.snd; + uint8_t *b36 = rb.snd.snd.snd; uint8_t *b2 = rb.snd.snd.fst; uint8_t *b1 = rb.snd.fst; uint8_t *b0 = rb.fst; - memcpy(b0 + 64U - remOut + j * 32U, hbuf + j * 128U, rem0 * sizeof (uint8_t)); - memcpy(b1 + 64U - remOut + j * 32U, hbuf + j * 128U + 32U, rem0 * sizeof (uint8_t)); - memcpy(b2 + 64U - remOut + j * 32U, hbuf + j * 128U + 64U, rem0 * sizeof (uint8_t)); - memcpy(b3 + 64U - remOut + j * 32U, hbuf + j * 128U + 96U, rem0 * sizeof (uint8_t)); + memcpy(b0 + 64U - remOut, hbuf, remOut * sizeof (uint8_t)); + memcpy(b1 + 64U - remOut, hbuf + 256U, remOut * sizeof (uint8_t)); + memcpy(b2 + 64U - remOut, hbuf + 512U, remOut * sizeof (uint8_t)); + memcpy(b36 + 64U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); +} + +uint64_t *Hacl_Hash_SHA3_Simd256_state_malloc(void) +{ + uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(100U, sizeof (uint64_t)); + return buf; +} + +void Hacl_Hash_SHA3_Simd256_state_free(uint64_t *s) +{ + KRML_HOST_FREE(s); +} + +void +Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( + Lib_IntVector_Intrinsics_vec256 *state, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen +) +{ + for (uint32_t i0 = 0U; i0 < inputByteLen / 168U; i0++) + { + uint8_t b00[256U] = { 0U }; + uint8_t b10[256U] = { 0U }; + uint8_t b20[256U] = { 0U }; + uint8_t b30[256U] = { 0U }; + K____uint8_t___uint8_t____K____uint8_t___uint8_t_ + b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; + uint8_t *b01 = input0; + uint8_t *b11 = input1; + uint8_t *b21 = input2; + uint8_t *b31 = input3; + uint8_t *bl3 = b_.snd.snd.snd; + uint8_t *bl2 = b_.snd.snd.fst; + uint8_t *bl1 = b_.snd.fst; + uint8_t *bl0 = b_.fst; + memcpy(bl0, b01 + i0 * 168U, 168U * sizeof (uint8_t)); + memcpy(bl1, b11 + i0 * 168U, 168U * sizeof (uint8_t)); + memcpy(bl2, b21 + i0 * 168U, 168U * sizeof (uint8_t)); + memcpy(bl3, b31 + i0 * 168U, 168U * sizeof (uint8_t)); + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b_.snd.snd.snd; + uint8_t *b2 = b_.snd.snd.fst; + uint8_t *b1 = b_.snd.fst; + uint8_t *b0 = b_.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 128U); + ws[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 128U); + ws[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 128U); + ws[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 160U); + ws[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 160U); + ws[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 160U); + ws[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 192U); + ws[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 192U); + ws[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 192U); + ws[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 224U); + ws[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 224U); + ws[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 224U); + ws[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__1; + Lib_IntVector_Intrinsics_vec256 v03 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v13 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v23 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v33 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__2; + Lib_IntVector_Intrinsics_vec256 v04 = ws[16U]; + Lib_IntVector_Intrinsics_vec256 v14 = ws[17U]; + Lib_IntVector_Intrinsics_vec256 v24 = ws[18U]; + Lib_IntVector_Intrinsics_vec256 v34 = ws[19U]; + Lib_IntVector_Intrinsics_vec256 + v0_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v1_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v2_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v3_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v0__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v1__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v2__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 + v3__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 ws16 = v0__3; + Lib_IntVector_Intrinsics_vec256 ws17 = v2__3; + Lib_IntVector_Intrinsics_vec256 ws18 = v1__3; + Lib_IntVector_Intrinsics_vec256 ws19 = v3__3; + Lib_IntVector_Intrinsics_vec256 v05 = ws[20U]; + Lib_IntVector_Intrinsics_vec256 v15 = ws[21U]; + Lib_IntVector_Intrinsics_vec256 v25 = ws[22U]; + Lib_IntVector_Intrinsics_vec256 v35 = ws[23U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v0__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v1__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v2__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 + v3__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 ws20 = v0__4; + Lib_IntVector_Intrinsics_vec256 ws21 = v2__4; + Lib_IntVector_Intrinsics_vec256 ws22 = v1__4; + Lib_IntVector_Intrinsics_vec256 ws23 = v3__4; + Lib_IntVector_Intrinsics_vec256 v06 = ws[24U]; + Lib_IntVector_Intrinsics_vec256 v16 = ws[25U]; + Lib_IntVector_Intrinsics_vec256 v26 = ws[26U]; + Lib_IntVector_Intrinsics_vec256 v36 = ws[27U]; + Lib_IntVector_Intrinsics_vec256 + v0_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v1_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v2_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v3_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v0__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 ws24 = v0__5; + Lib_IntVector_Intrinsics_vec256 ws25 = v2__5; + Lib_IntVector_Intrinsics_vec256 ws26 = v1__5; + Lib_IntVector_Intrinsics_vec256 ws27 = v3__5; + Lib_IntVector_Intrinsics_vec256 v0 = ws[28U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[29U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[30U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[31U]; + Lib_IntVector_Intrinsics_vec256 + v0_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v1__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v2__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 + v3__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 ws28 = v0__6; + Lib_IntVector_Intrinsics_vec256 ws29 = v2__6; + Lib_IntVector_Intrinsics_vec256 ws30 = v1__6; + Lib_IntVector_Intrinsics_vec256 ws31 = v3__6; + ws[0U] = ws0; + ws[1U] = ws1; + ws[2U] = ws2; + ws[3U] = ws3; + ws[4U] = ws4; + ws[5U] = ws5; + ws[6U] = ws6; + ws[7U] = ws7; + ws[8U] = ws8; + ws[9U] = ws9; + ws[10U] = ws10; + ws[11U] = ws11; + ws[12U] = ws12; + ws[13U] = ws13; + ws[14U] = ws14; + ws[15U] = ws15; + ws[16U] = ws16; + ws[17U] = ws17; + ws[18U] = ws18; + ws[19U] = ws19; + ws[20U] = ws20; + ws[21U] = ws21; + ws[22U] = ws22; + ws[23U] = ws23; + ws[24U] = ws24; + ws[25U] = ws25; + ws[26U] = ws26; + ws[27U] = ws27; + ws[28U] = ws28; + ws[29U] = ws29; + ws[30U] = ws30; + ws[31U] = ws31; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws[i]); + } + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____0 = state[i + 0U]; + Lib_IntVector_Intrinsics_vec256 uu____1 = state[i + 5U]; + Lib_IntVector_Intrinsics_vec256 uu____2 = state[i + 10U]; + _C[i] = + Lib_IntVector_Intrinsics_vec256_xor(uu____0, + Lib_IntVector_Intrinsics_vec256_xor(uu____1, + Lib_IntVector_Intrinsics_vec256_xor(uu____2, + Lib_IntVector_Intrinsics_vec256_xor(state[i + 15U], state[i + 20U]))));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____3 = _C[(i2 + 4U) % 5U]; + Lib_IntVector_Intrinsics_vec256 uu____4 = _C[(i2 + 1U) % 5U]; + Lib_IntVector_Intrinsics_vec256 + _D = + Lib_IntVector_Intrinsics_vec256_xor(uu____3, + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____4, + 1U), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____4, 63U))); + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + state[i2 + 5U * i] = Lib_IntVector_Intrinsics_vec256_xor(state[i2 + 5U * i], _D););); + Lib_IntVector_Intrinsics_vec256 x = state[1U]; + Lib_IntVector_Intrinsics_vec256 current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + Lib_IntVector_Intrinsics_vec256 temp = state[_Y]; + Lib_IntVector_Intrinsics_vec256 uu____5 = current; + state[_Y] = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____5, + r), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____5, 64U - r)); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____6 = state[0U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____7 = Lib_IntVector_Intrinsics_vec256_lognot(state[1U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v07 = + Lib_IntVector_Intrinsics_vec256_xor(uu____6, + Lib_IntVector_Intrinsics_vec256_and(uu____7, state[2U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____8 = state[1U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____9 = Lib_IntVector_Intrinsics_vec256_lognot(state[2U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v17 = + Lib_IntVector_Intrinsics_vec256_xor(uu____8, + Lib_IntVector_Intrinsics_vec256_and(uu____9, state[3U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____10 = state[2U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____11 = Lib_IntVector_Intrinsics_vec256_lognot(state[3U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v27 = + Lib_IntVector_Intrinsics_vec256_xor(uu____10, + Lib_IntVector_Intrinsics_vec256_and(uu____11, state[4U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____12 = state[3U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____13 = Lib_IntVector_Intrinsics_vec256_lognot(state[4U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v37 = + Lib_IntVector_Intrinsics_vec256_xor(uu____12, + Lib_IntVector_Intrinsics_vec256_and(uu____13, state[0U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____14 = state[4U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____15 = Lib_IntVector_Intrinsics_vec256_lognot(state[0U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v4 = + Lib_IntVector_Intrinsics_vec256_xor(uu____14, + Lib_IntVector_Intrinsics_vec256_and(uu____15, state[1U + 5U * i])); + state[0U + 5U * i] = v07; + state[1U + 5U * i] = v17; + state[2U + 5U * i] = v27; + state[3U + 5U * i] = v37; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i1]; + Lib_IntVector_Intrinsics_vec256 uu____16 = state[0U]; + state[0U] = + Lib_IntVector_Intrinsics_vec256_xor(uu____16, + Lib_IntVector_Intrinsics_vec256_load64(c)); + } + } +} + +void +Hacl_Hash_SHA3_Simd256_shake128_absorb_final( + Lib_IntVector_Intrinsics_vec256 *state, + uint8_t *input0, + uint8_t *input1, + uint8_t *input2, + uint8_t *input3, + uint32_t inputByteLen +) +{ + uint32_t rem = inputByteLen % 168U; + uint8_t b00[256U] = { 0U }; + uint8_t b10[256U] = { 0U }; + uint8_t b20[256U] = { 0U }; + uint8_t b30[256U] = { 0U }; + K____uint8_t___uint8_t____K____uint8_t___uint8_t_ + b_ = { .fst = b00, .snd = { .fst = b10, .snd = { .fst = b20, .snd = b30 } } }; + uint32_t rem1 = inputByteLen % 168U; + uint8_t *b01 = input0; + uint8_t *b11 = input1; + uint8_t *b21 = input2; + uint8_t *b31 = input3; + uint8_t *bl3 = b_.snd.snd.snd; + uint8_t *bl2 = b_.snd.snd.fst; + uint8_t *bl1 = b_.snd.fst; + uint8_t *bl0 = b_.fst; + memcpy(bl0, b01 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl1, b11 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl2, b21 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + memcpy(bl3, b31 + inputByteLen - rem1, rem1 * sizeof (uint8_t)); + uint8_t *b32 = b_.snd.snd.snd; + uint8_t *b22 = b_.snd.snd.fst; + uint8_t *b12 = b_.snd.fst; + uint8_t *b02 = b_.fst; + b02[rem] = 0x1FU; + b12[rem] = 0x1FU; + b22[rem] = 0x1FU; + b32[rem] = 0x1FU; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b33 = b_.snd.snd.snd; + uint8_t *b23 = b_.snd.snd.fst; + uint8_t *b13 = b_.snd.fst; + uint8_t *b03 = b_.fst; + ws[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03); + ws[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13); + ws[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23); + ws[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33); + ws[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 32U); + ws[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 32U); + ws[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 32U); + ws[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 32U); + ws[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 64U); + ws[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 64U); + ws[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 64U); + ws[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 64U); + ws[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 96U); + ws[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 96U); + ws[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 96U); + ws[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 96U); + ws[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 128U); + ws[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 128U); + ws[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 128U); + ws[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 128U); + ws[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 160U); + ws[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 160U); + ws[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 160U); + ws[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 160U); + ws[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 192U); + ws[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 192U); + ws[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 192U); + ws[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 192U); + ws[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b03 + 224U); + ws[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b13 + 224U); + ws[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b23 + 224U); + ws[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b33 + 224U); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws00 = v0__; + Lib_IntVector_Intrinsics_vec256 ws110 = v2__; + Lib_IntVector_Intrinsics_vec256 ws210 = v1__; + Lib_IntVector_Intrinsics_vec256 ws32 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws40 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws50 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws60 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws70 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws80 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws90 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws100 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws111 = v3__1; + Lib_IntVector_Intrinsics_vec256 v03 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v13 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v23 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v33 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws120 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws130 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws140 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws150 = v3__2; + Lib_IntVector_Intrinsics_vec256 v04 = ws[16U]; + Lib_IntVector_Intrinsics_vec256 v14 = ws[17U]; + Lib_IntVector_Intrinsics_vec256 v24 = ws[18U]; + Lib_IntVector_Intrinsics_vec256 v34 = ws[19U]; + Lib_IntVector_Intrinsics_vec256 + v0_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v1_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v2_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v3_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v0__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v1__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v2__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 + v3__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 ws160 = v0__3; + Lib_IntVector_Intrinsics_vec256 ws170 = v2__3; + Lib_IntVector_Intrinsics_vec256 ws180 = v1__3; + Lib_IntVector_Intrinsics_vec256 ws190 = v3__3; + Lib_IntVector_Intrinsics_vec256 v05 = ws[20U]; + Lib_IntVector_Intrinsics_vec256 v15 = ws[21U]; + Lib_IntVector_Intrinsics_vec256 v25 = ws[22U]; + Lib_IntVector_Intrinsics_vec256 v35 = ws[23U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v0__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v1__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v2__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 + v3__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 ws200 = v0__4; + Lib_IntVector_Intrinsics_vec256 ws211 = v2__4; + Lib_IntVector_Intrinsics_vec256 ws220 = v1__4; + Lib_IntVector_Intrinsics_vec256 ws230 = v3__4; + Lib_IntVector_Intrinsics_vec256 v06 = ws[24U]; + Lib_IntVector_Intrinsics_vec256 v16 = ws[25U]; + Lib_IntVector_Intrinsics_vec256 v26 = ws[26U]; + Lib_IntVector_Intrinsics_vec256 v36 = ws[27U]; + Lib_IntVector_Intrinsics_vec256 + v0_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v1_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v2_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v3_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v0__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 ws240 = v0__5; + Lib_IntVector_Intrinsics_vec256 ws250 = v2__5; + Lib_IntVector_Intrinsics_vec256 ws260 = v1__5; + Lib_IntVector_Intrinsics_vec256 ws270 = v3__5; + Lib_IntVector_Intrinsics_vec256 v07 = ws[28U]; + Lib_IntVector_Intrinsics_vec256 v17 = ws[29U]; + Lib_IntVector_Intrinsics_vec256 v27 = ws[30U]; + Lib_IntVector_Intrinsics_vec256 v37 = ws[31U]; + Lib_IntVector_Intrinsics_vec256 + v0_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v07, v17); + Lib_IntVector_Intrinsics_vec256 + v1_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v07, v17); + Lib_IntVector_Intrinsics_vec256 + v2_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v27, v37); + Lib_IntVector_Intrinsics_vec256 + v3_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v27, v37); + Lib_IntVector_Intrinsics_vec256 + v0__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v1__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v2__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 + v3__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 ws280 = v0__6; + Lib_IntVector_Intrinsics_vec256 ws290 = v2__6; + Lib_IntVector_Intrinsics_vec256 ws300 = v1__6; + Lib_IntVector_Intrinsics_vec256 ws310 = v3__6; + ws[0U] = ws00; + ws[1U] = ws110; + ws[2U] = ws210; + ws[3U] = ws32; + ws[4U] = ws40; + ws[5U] = ws50; + ws[6U] = ws60; + ws[7U] = ws70; + ws[8U] = ws80; + ws[9U] = ws90; + ws[10U] = ws100; + ws[11U] = ws111; + ws[12U] = ws120; + ws[13U] = ws130; + ws[14U] = ws140; + ws[15U] = ws150; + ws[16U] = ws160; + ws[17U] = ws170; + ws[18U] = ws180; + ws[19U] = ws190; + ws[20U] = ws200; + ws[21U] = ws211; + ws[22U] = ws220; + ws[23U] = ws230; + ws[24U] = ws240; + ws[25U] = ws250; + ws[26U] = ws260; + ws[27U] = ws270; + ws[28U] = ws280; + ws[29U] = ws290; + ws[30U] = ws300; + ws[31U] = ws310; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws[i]); + } + uint8_t b04[256U] = { 0U }; + uint8_t b14[256U] = { 0U }; + uint8_t b24[256U] = { 0U }; + uint8_t b34[256U] = { 0U }; + K____uint8_t___uint8_t____K____uint8_t___uint8_t_ + b = { .fst = b04, .snd = { .fst = b14, .snd = { .fst = b24, .snd = b34 } } }; + uint8_t *b35 = b.snd.snd.snd; + uint8_t *b25 = b.snd.snd.fst; + uint8_t *b15 = b.snd.fst; + uint8_t *b05 = b.fst; + b05[167U] = 0x80U; + b15[167U] = 0x80U; + b25[167U] = 0x80U; + b35[167U] = 0x80U; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws33[32U] KRML_POST_ALIGN(32) = { 0U }; + uint8_t *b3 = b.snd.snd.snd; + uint8_t *b2 = b.snd.snd.fst; + uint8_t *b1 = b.snd.fst; + uint8_t *b0 = b.fst; + ws33[0U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0); + ws33[1U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1); + ws33[2U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2); + ws33[3U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3); + ws33[4U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 32U); + ws33[5U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 32U); + ws33[6U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 32U); + ws33[7U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 32U); + ws33[8U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 64U); + ws33[9U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 64U); + ws33[10U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 64U); + ws33[11U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 64U); + ws33[12U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 96U); + ws33[13U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 96U); + ws33[14U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 96U); + ws33[15U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 96U); + ws33[16U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 128U); + ws33[17U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 128U); + ws33[18U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 128U); + ws33[19U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 128U); + ws33[20U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 160U); + ws33[21U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 160U); + ws33[22U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 160U); + ws33[23U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 160U); + ws33[24U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 192U); + ws33[25U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 192U); + ws33[26U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 192U); + ws33[27U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 192U); + ws33[28U] = Lib_IntVector_Intrinsics_vec256_load64_le(b0 + 224U); + ws33[29U] = Lib_IntVector_Intrinsics_vec256_load64_le(b1 + 224U); + ws33[30U] = Lib_IntVector_Intrinsics_vec256_load64_le(b2 + 224U); + ws33[31U] = Lib_IntVector_Intrinsics_vec256_load64_le(b3 + 224U); + Lib_IntVector_Intrinsics_vec256 v08 = ws33[0U]; + Lib_IntVector_Intrinsics_vec256 v18 = ws33[1U]; + Lib_IntVector_Intrinsics_vec256 v28 = ws33[2U]; + Lib_IntVector_Intrinsics_vec256 v38 = ws33[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_7 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v08, v18); + Lib_IntVector_Intrinsics_vec256 + v1_7 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v08, v18); + Lib_IntVector_Intrinsics_vec256 + v2_7 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v28, v38); + Lib_IntVector_Intrinsics_vec256 + v3_7 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v28, v38); + Lib_IntVector_Intrinsics_vec256 + v0__7 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_7, v2_7); + Lib_IntVector_Intrinsics_vec256 + v1__7 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_7, v2_7); + Lib_IntVector_Intrinsics_vec256 + v2__7 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_7, v3_7); + Lib_IntVector_Intrinsics_vec256 + v3__7 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_7, v3_7); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__7; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__7; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__7; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__7; + Lib_IntVector_Intrinsics_vec256 v09 = ws33[4U]; + Lib_IntVector_Intrinsics_vec256 v19 = ws33[5U]; + Lib_IntVector_Intrinsics_vec256 v29 = ws33[6U]; + Lib_IntVector_Intrinsics_vec256 v39 = ws33[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_8 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v09, v19); + Lib_IntVector_Intrinsics_vec256 + v1_8 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v09, v19); + Lib_IntVector_Intrinsics_vec256 + v2_8 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v29, v39); + Lib_IntVector_Intrinsics_vec256 + v3_8 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v29, v39); + Lib_IntVector_Intrinsics_vec256 + v0__8 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_8, v2_8); + Lib_IntVector_Intrinsics_vec256 + v1__8 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_8, v2_8); + Lib_IntVector_Intrinsics_vec256 + v2__8 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_8, v3_8); + Lib_IntVector_Intrinsics_vec256 + v3__8 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_8, v3_8); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__8; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__8; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__8; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__8; + Lib_IntVector_Intrinsics_vec256 v010 = ws33[8U]; + Lib_IntVector_Intrinsics_vec256 v110 = ws33[9U]; + Lib_IntVector_Intrinsics_vec256 v210 = ws33[10U]; + Lib_IntVector_Intrinsics_vec256 v310 = ws33[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_9 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v010, v110); + Lib_IntVector_Intrinsics_vec256 + v1_9 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v010, v110); + Lib_IntVector_Intrinsics_vec256 + v2_9 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v210, v310); + Lib_IntVector_Intrinsics_vec256 + v3_9 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v210, v310); + Lib_IntVector_Intrinsics_vec256 + v0__9 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_9, v2_9); + Lib_IntVector_Intrinsics_vec256 + v1__9 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_9, v2_9); + Lib_IntVector_Intrinsics_vec256 + v2__9 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_9, v3_9); + Lib_IntVector_Intrinsics_vec256 + v3__9 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_9, v3_9); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__9; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__9; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__9; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__9; + Lib_IntVector_Intrinsics_vec256 v011 = ws33[12U]; + Lib_IntVector_Intrinsics_vec256 v111 = ws33[13U]; + Lib_IntVector_Intrinsics_vec256 v211 = ws33[14U]; + Lib_IntVector_Intrinsics_vec256 v311 = ws33[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_10 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v011, v111); + Lib_IntVector_Intrinsics_vec256 + v1_10 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v011, v111); + Lib_IntVector_Intrinsics_vec256 + v2_10 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v211, v311); + Lib_IntVector_Intrinsics_vec256 + v3_10 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v211, v311); + Lib_IntVector_Intrinsics_vec256 + v0__10 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_10, v2_10); + Lib_IntVector_Intrinsics_vec256 + v1__10 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_10, v2_10); + Lib_IntVector_Intrinsics_vec256 + v2__10 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_10, v3_10); + Lib_IntVector_Intrinsics_vec256 + v3__10 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_10, v3_10); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__10; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__10; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__10; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__10; + Lib_IntVector_Intrinsics_vec256 v012 = ws33[16U]; + Lib_IntVector_Intrinsics_vec256 v112 = ws33[17U]; + Lib_IntVector_Intrinsics_vec256 v212 = ws33[18U]; + Lib_IntVector_Intrinsics_vec256 v312 = ws33[19U]; + Lib_IntVector_Intrinsics_vec256 + v0_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v012, v112); + Lib_IntVector_Intrinsics_vec256 + v1_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v012, v112); + Lib_IntVector_Intrinsics_vec256 + v2_11 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v212, v312); + Lib_IntVector_Intrinsics_vec256 + v3_11 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v212, v312); + Lib_IntVector_Intrinsics_vec256 + v0__11 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_11, v2_11); + Lib_IntVector_Intrinsics_vec256 + v1__11 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_11, v2_11); + Lib_IntVector_Intrinsics_vec256 + v2__11 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_11, v3_11); + Lib_IntVector_Intrinsics_vec256 + v3__11 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_11, v3_11); + Lib_IntVector_Intrinsics_vec256 ws16 = v0__11; + Lib_IntVector_Intrinsics_vec256 ws17 = v2__11; + Lib_IntVector_Intrinsics_vec256 ws18 = v1__11; + Lib_IntVector_Intrinsics_vec256 ws19 = v3__11; + Lib_IntVector_Intrinsics_vec256 v013 = ws33[20U]; + Lib_IntVector_Intrinsics_vec256 v113 = ws33[21U]; + Lib_IntVector_Intrinsics_vec256 v213 = ws33[22U]; + Lib_IntVector_Intrinsics_vec256 v313 = ws33[23U]; + Lib_IntVector_Intrinsics_vec256 + v0_12 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v013, v113); + Lib_IntVector_Intrinsics_vec256 + v1_12 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v013, v113); + Lib_IntVector_Intrinsics_vec256 + v2_12 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v213, v313); + Lib_IntVector_Intrinsics_vec256 + v3_12 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v213, v313); + Lib_IntVector_Intrinsics_vec256 + v0__12 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_12, v2_12); + Lib_IntVector_Intrinsics_vec256 + v1__12 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_12, v2_12); + Lib_IntVector_Intrinsics_vec256 + v2__12 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_12, v3_12); + Lib_IntVector_Intrinsics_vec256 + v3__12 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_12, v3_12); + Lib_IntVector_Intrinsics_vec256 ws20 = v0__12; + Lib_IntVector_Intrinsics_vec256 ws21 = v2__12; + Lib_IntVector_Intrinsics_vec256 ws22 = v1__12; + Lib_IntVector_Intrinsics_vec256 ws23 = v3__12; + Lib_IntVector_Intrinsics_vec256 v014 = ws33[24U]; + Lib_IntVector_Intrinsics_vec256 v114 = ws33[25U]; + Lib_IntVector_Intrinsics_vec256 v214 = ws33[26U]; + Lib_IntVector_Intrinsics_vec256 v314 = ws33[27U]; + Lib_IntVector_Intrinsics_vec256 + v0_13 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v014, v114); + Lib_IntVector_Intrinsics_vec256 + v1_13 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v014, v114); + Lib_IntVector_Intrinsics_vec256 + v2_13 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v214, v314); + Lib_IntVector_Intrinsics_vec256 + v3_13 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v214, v314); + Lib_IntVector_Intrinsics_vec256 + v0__13 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_13, v2_13); + Lib_IntVector_Intrinsics_vec256 + v1__13 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_13, v2_13); + Lib_IntVector_Intrinsics_vec256 + v2__13 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_13, v3_13); + Lib_IntVector_Intrinsics_vec256 + v3__13 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_13, v3_13); + Lib_IntVector_Intrinsics_vec256 ws24 = v0__13; + Lib_IntVector_Intrinsics_vec256 ws25 = v2__13; + Lib_IntVector_Intrinsics_vec256 ws26 = v1__13; + Lib_IntVector_Intrinsics_vec256 ws27 = v3__13; + Lib_IntVector_Intrinsics_vec256 v0 = ws33[28U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws33[29U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws33[30U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws33[31U]; + Lib_IntVector_Intrinsics_vec256 + v0_14 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_14 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_14 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_14 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__14 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_14, v2_14); + Lib_IntVector_Intrinsics_vec256 + v1__14 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_14, v2_14); + Lib_IntVector_Intrinsics_vec256 + v2__14 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_14, v3_14); + Lib_IntVector_Intrinsics_vec256 + v3__14 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_14, v3_14); + Lib_IntVector_Intrinsics_vec256 ws28 = v0__14; + Lib_IntVector_Intrinsics_vec256 ws29 = v2__14; + Lib_IntVector_Intrinsics_vec256 ws30 = v1__14; + Lib_IntVector_Intrinsics_vec256 ws31 = v3__14; + ws33[0U] = ws0; + ws33[1U] = ws1; + ws33[2U] = ws2; + ws33[3U] = ws3; + ws33[4U] = ws4; + ws33[5U] = ws5; + ws33[6U] = ws6; + ws33[7U] = ws7; + ws33[8U] = ws8; + ws33[9U] = ws9; + ws33[10U] = ws10; + ws33[11U] = ws11; + ws33[12U] = ws12; + ws33[13U] = ws13; + ws33[14U] = ws14; + ws33[15U] = ws15; + ws33[16U] = ws16; + ws33[17U] = ws17; + ws33[18U] = ws18; + ws33[19U] = ws19; + ws33[20U] = ws20; + ws33[21U] = ws21; + ws33[22U] = ws22; + ws33[23U] = ws23; + ws33[24U] = ws24; + ws33[25U] = ws25; + ws33[26U] = ws26; + ws33[27U] = ws27; + ws33[28U] = ws28; + ws33[29U] = ws29; + ws33[30U] = ws30; + ws33[31U] = ws31; + for (uint32_t i = 0U; i < 25U; i++) + { + state[i] = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws33[i]); + } + for (uint32_t i0 = 0U; i0 < 24U; i0++) + { + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____0 = state[i + 0U]; + Lib_IntVector_Intrinsics_vec256 uu____1 = state[i + 5U]; + Lib_IntVector_Intrinsics_vec256 uu____2 = state[i + 10U]; + _C[i] = + Lib_IntVector_Intrinsics_vec256_xor(uu____0, + Lib_IntVector_Intrinsics_vec256_xor(uu____1, + Lib_IntVector_Intrinsics_vec256_xor(uu____2, + Lib_IntVector_Intrinsics_vec256_xor(state[i + 15U], state[i + 20U]))));); + KRML_MAYBE_FOR5(i1, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____3 = _C[(i1 + 4U) % 5U]; + Lib_IntVector_Intrinsics_vec256 uu____4 = _C[(i1 + 1U) % 5U]; + Lib_IntVector_Intrinsics_vec256 + _D = + Lib_IntVector_Intrinsics_vec256_xor(uu____3, + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____4, + 1U), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____4, 63U))); + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + state[i1 + 5U * i] = Lib_IntVector_Intrinsics_vec256_xor(state[i1 + 5U * i], _D););); + Lib_IntVector_Intrinsics_vec256 x = state[1U]; + Lib_IntVector_Intrinsics_vec256 current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + Lib_IntVector_Intrinsics_vec256 temp = state[_Y]; + Lib_IntVector_Intrinsics_vec256 uu____5 = current; + state[_Y] = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____5, r), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____5, 64U - r)); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____6 = state[0U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____7 = Lib_IntVector_Intrinsics_vec256_lognot(state[1U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v015 = + Lib_IntVector_Intrinsics_vec256_xor(uu____6, + Lib_IntVector_Intrinsics_vec256_and(uu____7, state[2U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____8 = state[1U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____9 = Lib_IntVector_Intrinsics_vec256_lognot(state[2U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v115 = + Lib_IntVector_Intrinsics_vec256_xor(uu____8, + Lib_IntVector_Intrinsics_vec256_and(uu____9, state[3U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____10 = state[2U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____11 = Lib_IntVector_Intrinsics_vec256_lognot(state[3U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v215 = + Lib_IntVector_Intrinsics_vec256_xor(uu____10, + Lib_IntVector_Intrinsics_vec256_and(uu____11, state[4U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____12 = state[3U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____13 = Lib_IntVector_Intrinsics_vec256_lognot(state[4U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v315 = + Lib_IntVector_Intrinsics_vec256_xor(uu____12, + Lib_IntVector_Intrinsics_vec256_and(uu____13, state[0U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____14 = state[4U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____15 = Lib_IntVector_Intrinsics_vec256_lognot(state[0U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v4 = + Lib_IntVector_Intrinsics_vec256_xor(uu____14, + Lib_IntVector_Intrinsics_vec256_and(uu____15, state[1U + 5U * i])); + state[0U + 5U * i] = v015; + state[1U + 5U * i] = v115; + state[2U + 5U * i] = v215; + state[3U + 5U * i] = v315; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i0]; + Lib_IntVector_Intrinsics_vec256 uu____16 = state[0U]; + state[0U] = + Lib_IntVector_Intrinsics_vec256_xor(uu____16, + Lib_IntVector_Intrinsics_vec256_load64(c)); + } +} + +void +Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks( + Lib_IntVector_Intrinsics_vec256 *state, + uint8_t *output0, + uint8_t *output1, + uint8_t *output2, + uint8_t *output3, + uint32_t outputByteLen +) +{ + for (uint32_t i0 = 0U; i0 < outputByteLen / 168U; i0++) + { + uint8_t hbuf[1024U] = { 0U }; + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 ws[32U] KRML_POST_ALIGN(32) = { 0U }; + memcpy(ws, state, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 v00 = ws[0U]; + Lib_IntVector_Intrinsics_vec256 v10 = ws[1U]; + Lib_IntVector_Intrinsics_vec256 v20 = ws[2U]; + Lib_IntVector_Intrinsics_vec256 v30 = ws[3U]; + Lib_IntVector_Intrinsics_vec256 + v0_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v1_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v00, v10); + Lib_IntVector_Intrinsics_vec256 + v2_ = Lib_IntVector_Intrinsics_vec256_interleave_low64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v3_ = Lib_IntVector_Intrinsics_vec256_interleave_high64(v20, v30); + Lib_IntVector_Intrinsics_vec256 + v0__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v1__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_, v2_); + Lib_IntVector_Intrinsics_vec256 + v2__ = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 + v3__ = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_, v3_); + Lib_IntVector_Intrinsics_vec256 ws0 = v0__; + Lib_IntVector_Intrinsics_vec256 ws1 = v2__; + Lib_IntVector_Intrinsics_vec256 ws2 = v1__; + Lib_IntVector_Intrinsics_vec256 ws3 = v3__; + Lib_IntVector_Intrinsics_vec256 v01 = ws[4U]; + Lib_IntVector_Intrinsics_vec256 v11 = ws[5U]; + Lib_IntVector_Intrinsics_vec256 v21 = ws[6U]; + Lib_IntVector_Intrinsics_vec256 v31 = ws[7U]; + Lib_IntVector_Intrinsics_vec256 + v0_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v1_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v01, v11); + Lib_IntVector_Intrinsics_vec256 + v2_0 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v3_0 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v21, v31); + Lib_IntVector_Intrinsics_vec256 + v0__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v1__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_0, v2_0); + Lib_IntVector_Intrinsics_vec256 + v2__0 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 + v3__0 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_0, v3_0); + Lib_IntVector_Intrinsics_vec256 ws4 = v0__0; + Lib_IntVector_Intrinsics_vec256 ws5 = v2__0; + Lib_IntVector_Intrinsics_vec256 ws6 = v1__0; + Lib_IntVector_Intrinsics_vec256 ws7 = v3__0; + Lib_IntVector_Intrinsics_vec256 v02 = ws[8U]; + Lib_IntVector_Intrinsics_vec256 v12 = ws[9U]; + Lib_IntVector_Intrinsics_vec256 v22 = ws[10U]; + Lib_IntVector_Intrinsics_vec256 v32 = ws[11U]; + Lib_IntVector_Intrinsics_vec256 + v0_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v1_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v02, v12); + Lib_IntVector_Intrinsics_vec256 + v2_1 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v3_1 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v22, v32); + Lib_IntVector_Intrinsics_vec256 + v0__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v1__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_1, v2_1); + Lib_IntVector_Intrinsics_vec256 + v2__1 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 + v3__1 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_1, v3_1); + Lib_IntVector_Intrinsics_vec256 ws8 = v0__1; + Lib_IntVector_Intrinsics_vec256 ws9 = v2__1; + Lib_IntVector_Intrinsics_vec256 ws10 = v1__1; + Lib_IntVector_Intrinsics_vec256 ws11 = v3__1; + Lib_IntVector_Intrinsics_vec256 v03 = ws[12U]; + Lib_IntVector_Intrinsics_vec256 v13 = ws[13U]; + Lib_IntVector_Intrinsics_vec256 v23 = ws[14U]; + Lib_IntVector_Intrinsics_vec256 v33 = ws[15U]; + Lib_IntVector_Intrinsics_vec256 + v0_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v1_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v03, v13); + Lib_IntVector_Intrinsics_vec256 + v2_2 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v3_2 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v23, v33); + Lib_IntVector_Intrinsics_vec256 + v0__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v1__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_2, v2_2); + Lib_IntVector_Intrinsics_vec256 + v2__2 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 + v3__2 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_2, v3_2); + Lib_IntVector_Intrinsics_vec256 ws12 = v0__2; + Lib_IntVector_Intrinsics_vec256 ws13 = v2__2; + Lib_IntVector_Intrinsics_vec256 ws14 = v1__2; + Lib_IntVector_Intrinsics_vec256 ws15 = v3__2; + Lib_IntVector_Intrinsics_vec256 v04 = ws[16U]; + Lib_IntVector_Intrinsics_vec256 v14 = ws[17U]; + Lib_IntVector_Intrinsics_vec256 v24 = ws[18U]; + Lib_IntVector_Intrinsics_vec256 v34 = ws[19U]; + Lib_IntVector_Intrinsics_vec256 + v0_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v1_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v04, v14); + Lib_IntVector_Intrinsics_vec256 + v2_3 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v3_3 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v24, v34); + Lib_IntVector_Intrinsics_vec256 + v0__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v1__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_3, v2_3); + Lib_IntVector_Intrinsics_vec256 + v2__3 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 + v3__3 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_3, v3_3); + Lib_IntVector_Intrinsics_vec256 ws16 = v0__3; + Lib_IntVector_Intrinsics_vec256 ws17 = v2__3; + Lib_IntVector_Intrinsics_vec256 ws18 = v1__3; + Lib_IntVector_Intrinsics_vec256 ws19 = v3__3; + Lib_IntVector_Intrinsics_vec256 v05 = ws[20U]; + Lib_IntVector_Intrinsics_vec256 v15 = ws[21U]; + Lib_IntVector_Intrinsics_vec256 v25 = ws[22U]; + Lib_IntVector_Intrinsics_vec256 v35 = ws[23U]; + Lib_IntVector_Intrinsics_vec256 + v0_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v1_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v05, v15); + Lib_IntVector_Intrinsics_vec256 + v2_4 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v3_4 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v25, v35); + Lib_IntVector_Intrinsics_vec256 + v0__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v1__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_4, v2_4); + Lib_IntVector_Intrinsics_vec256 + v2__4 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 + v3__4 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_4, v3_4); + Lib_IntVector_Intrinsics_vec256 ws20 = v0__4; + Lib_IntVector_Intrinsics_vec256 ws21 = v2__4; + Lib_IntVector_Intrinsics_vec256 ws22 = v1__4; + Lib_IntVector_Intrinsics_vec256 ws23 = v3__4; + Lib_IntVector_Intrinsics_vec256 v06 = ws[24U]; + Lib_IntVector_Intrinsics_vec256 v16 = ws[25U]; + Lib_IntVector_Intrinsics_vec256 v26 = ws[26U]; + Lib_IntVector_Intrinsics_vec256 v36 = ws[27U]; + Lib_IntVector_Intrinsics_vec256 + v0_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v1_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v06, v16); + Lib_IntVector_Intrinsics_vec256 + v2_5 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v3_5 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v26, v36); + Lib_IntVector_Intrinsics_vec256 + v0__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v1__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_5, v2_5); + Lib_IntVector_Intrinsics_vec256 + v2__5 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 + v3__5 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_5, v3_5); + Lib_IntVector_Intrinsics_vec256 ws24 = v0__5; + Lib_IntVector_Intrinsics_vec256 ws25 = v2__5; + Lib_IntVector_Intrinsics_vec256 ws26 = v1__5; + Lib_IntVector_Intrinsics_vec256 ws27 = v3__5; + Lib_IntVector_Intrinsics_vec256 v0 = ws[28U]; + Lib_IntVector_Intrinsics_vec256 v1 = ws[29U]; + Lib_IntVector_Intrinsics_vec256 v2 = ws[30U]; + Lib_IntVector_Intrinsics_vec256 v3 = ws[31U]; + Lib_IntVector_Intrinsics_vec256 + v0_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v1_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v0, v1); + Lib_IntVector_Intrinsics_vec256 + v2_6 = Lib_IntVector_Intrinsics_vec256_interleave_low64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v3_6 = Lib_IntVector_Intrinsics_vec256_interleave_high64(v2, v3); + Lib_IntVector_Intrinsics_vec256 + v0__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v1__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v0_6, v2_6); + Lib_IntVector_Intrinsics_vec256 + v2__6 = Lib_IntVector_Intrinsics_vec256_interleave_low128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 + v3__6 = Lib_IntVector_Intrinsics_vec256_interleave_high128(v1_6, v3_6); + Lib_IntVector_Intrinsics_vec256 ws28 = v0__6; + Lib_IntVector_Intrinsics_vec256 ws29 = v2__6; + Lib_IntVector_Intrinsics_vec256 ws30 = v1__6; + Lib_IntVector_Intrinsics_vec256 ws31 = v3__6; + ws[0U] = ws0; + ws[1U] = ws4; + ws[2U] = ws8; + ws[3U] = ws12; + ws[4U] = ws16; + ws[5U] = ws20; + ws[6U] = ws24; + ws[7U] = ws28; + ws[8U] = ws1; + ws[9U] = ws5; + ws[10U] = ws9; + ws[11U] = ws13; + ws[12U] = ws17; + ws[13U] = ws21; + ws[14U] = ws25; + ws[15U] = ws29; + ws[16U] = ws2; + ws[17U] = ws6; + ws[18U] = ws10; + ws[19U] = ws14; + ws[20U] = ws18; + ws[21U] = ws22; + ws[22U] = ws26; + ws[23U] = ws30; + ws[24U] = ws3; + ws[25U] = ws7; + ws[26U] = ws11; + ws[27U] = ws15; + ws[28U] = ws19; + ws[29U] = ws23; + ws[30U] = ws27; + ws[31U] = ws31; + for (uint32_t i = 0U; i < 32U; i++) + { + Lib_IntVector_Intrinsics_vec256_store64_le(hbuf + i * 32U, ws[i]); + } + uint8_t *b0 = output0; + uint8_t *b1 = output1; + uint8_t *b2 = output2; + uint8_t *b3 = output3; + memcpy(b0 + i0 * 168U, hbuf, 168U * sizeof (uint8_t)); + memcpy(b1 + i0 * 168U, hbuf + 256U, 168U * sizeof (uint8_t)); + memcpy(b2 + i0 * 168U, hbuf + 512U, 168U * sizeof (uint8_t)); + memcpy(b3 + i0 * 168U, hbuf + 768U, 168U * sizeof (uint8_t)); + for (uint32_t i1 = 0U; i1 < 24U; i1++) + { + KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 _C[5U] KRML_POST_ALIGN(32) = { 0U }; + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____0 = state[i + 0U]; + Lib_IntVector_Intrinsics_vec256 uu____1 = state[i + 5U]; + Lib_IntVector_Intrinsics_vec256 uu____2 = state[i + 10U]; + _C[i] = + Lib_IntVector_Intrinsics_vec256_xor(uu____0, + Lib_IntVector_Intrinsics_vec256_xor(uu____1, + Lib_IntVector_Intrinsics_vec256_xor(uu____2, + Lib_IntVector_Intrinsics_vec256_xor(state[i + 15U], state[i + 20U]))));); + KRML_MAYBE_FOR5(i2, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____3 = _C[(i2 + 4U) % 5U]; + Lib_IntVector_Intrinsics_vec256 uu____4 = _C[(i2 + 1U) % 5U]; + Lib_IntVector_Intrinsics_vec256 + _D = + Lib_IntVector_Intrinsics_vec256_xor(uu____3, + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____4, + 1U), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____4, 63U))); + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + state[i2 + 5U * i] = Lib_IntVector_Intrinsics_vec256_xor(state[i2 + 5U * i], _D););); + Lib_IntVector_Intrinsics_vec256 x = state[1U]; + Lib_IntVector_Intrinsics_vec256 current = x; + for (uint32_t i = 0U; i < 24U; i++) + { + uint32_t _Y = Hacl_Impl_SHA3_Vec_keccak_piln[i]; + uint32_t r = Hacl_Impl_SHA3_Vec_keccak_rotc[i]; + Lib_IntVector_Intrinsics_vec256 temp = state[_Y]; + Lib_IntVector_Intrinsics_vec256 uu____5 = current; + state[_Y] = + Lib_IntVector_Intrinsics_vec256_or(Lib_IntVector_Intrinsics_vec256_shift_left64(uu____5, + r), + Lib_IntVector_Intrinsics_vec256_shift_right64(uu____5, 64U - r)); + current = temp; + } + KRML_MAYBE_FOR5(i, + 0U, + 5U, + 1U, + Lib_IntVector_Intrinsics_vec256 uu____6 = state[0U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____7 = Lib_IntVector_Intrinsics_vec256_lognot(state[1U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v07 = + Lib_IntVector_Intrinsics_vec256_xor(uu____6, + Lib_IntVector_Intrinsics_vec256_and(uu____7, state[2U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____8 = state[1U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____9 = Lib_IntVector_Intrinsics_vec256_lognot(state[2U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v17 = + Lib_IntVector_Intrinsics_vec256_xor(uu____8, + Lib_IntVector_Intrinsics_vec256_and(uu____9, state[3U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____10 = state[2U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____11 = Lib_IntVector_Intrinsics_vec256_lognot(state[3U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v27 = + Lib_IntVector_Intrinsics_vec256_xor(uu____10, + Lib_IntVector_Intrinsics_vec256_and(uu____11, state[4U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____12 = state[3U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____13 = Lib_IntVector_Intrinsics_vec256_lognot(state[4U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v37 = + Lib_IntVector_Intrinsics_vec256_xor(uu____12, + Lib_IntVector_Intrinsics_vec256_and(uu____13, state[0U + 5U * i])); + Lib_IntVector_Intrinsics_vec256 uu____14 = state[4U + 5U * i]; + Lib_IntVector_Intrinsics_vec256 + uu____15 = Lib_IntVector_Intrinsics_vec256_lognot(state[0U + 5U * i]); + Lib_IntVector_Intrinsics_vec256 + v4 = + Lib_IntVector_Intrinsics_vec256_xor(uu____14, + Lib_IntVector_Intrinsics_vec256_and(uu____15, state[1U + 5U * i])); + state[0U + 5U * i] = v07; + state[1U + 5U * i] = v17; + state[2U + 5U * i] = v27; + state[3U + 5U * i] = v37; + state[4U + 5U * i] = v4;); + uint64_t c = Hacl_Impl_SHA3_Vec_keccak_rndc[i1]; + Lib_IntVector_Intrinsics_vec256 uu____16 = state[0U]; + state[0U] = + Lib_IntVector_Intrinsics_vec256_xor(uu____16, + Lib_IntVector_Intrinsics_vec256_load64(c)); + } + } } diff --git a/sys/hacl/src/bindings.rs b/sys/hacl/src/bindings.rs index dc1fcb151..3cfa48402 100644 --- a/sys/hacl/src/bindings.rs +++ b/sys/hacl/src/bindings.rs @@ -321,6 +321,33 @@ extern "C" { extern "C" { pub fn Hacl_Hash_SHA3_sha3_512(output: *mut u8, input: *mut u8, input_len: u32); } +extern "C" { + pub fn Hacl_Hash_SHA3_Scalar_state_malloc() -> *mut u64; +} +extern "C" { + pub fn Hacl_Hash_SHA3_Scalar_state_free(s: *mut u64); +} +extern "C" { + pub fn Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks( + state: *mut u64, + input: *mut u8, + inputByteLen: u32, + ); +} +extern "C" { + pub fn Hacl_Hash_SHA3_Scalar_shake128_absorb_final( + state: *mut u64, + input: *mut u8, + inputByteLen: u32, + ); +} +extern "C" { + pub fn Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks( + state: *mut u64, + output: *mut u8, + outputByteLen: u32, + ); +} extern "C" { pub fn Hacl_Hash_SHA3_absorb_inner(rateInBytes: u32, block: *mut u8, s: *mut u64); } From 2e73fbb8242e7185ab3d4172c9cbc98b2a80de03 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Wed, 21 Feb 2024 10:39:24 +0100 Subject: [PATCH 02/28] trying to extract c --- kyber-c.yaml | 17 +++++++++++++++++ kyber-crate.sh | 25 +++++++++++++++++++------ 2 files changed, 36 insertions(+), 6 deletions(-) create mode 100644 kyber-c.yaml diff --git a/kyber-c.yaml b/kyber-c.yaml new file mode 100644 index 000000000..ccbb99d2b --- /dev/null +++ b/kyber-c.yaml @@ -0,0 +1,17 @@ +files: + - name: libcrux_digest + api: + - [libcrux, digest] + - name: libcrux_platform + api: + - [libcrux_platform] + - name: libcrux_kyber + api: + - [libcrux_kyber, kyber768] + private: + - [libcrux_kyber, "*"] + include_in_c: + - '"libcrux_hacl_glue.h"' + - name: core + private: + - [core, "*"] diff --git a/kyber-crate.sh b/kyber-crate.sh index 2629feeb5..ca954dd8e 100755 --- a/kyber-crate.sh +++ b/kyber-crate.sh @@ -2,6 +2,7 @@ set -e +rm -rf kyber-crate mkdir -p kyber-crate/src cp -r src/kem/kyber* kyber-crate/src cd kyber-crate @@ -30,6 +31,7 @@ hex = { version = "0.4.3", features = ["serde"] } serde_json = { version = "1.0" } serde = { version = "1.0", features = ["derive"] } rand = { version = "0.8" } +rand_core = { version = "0.6" } EOF # Fixup Rust for standalone crate @@ -39,18 +41,30 @@ for file in src/*; do $SED -i 's/pub(in .*)/pub(crate)/g' $file $SED -i 's/pub(super)/pub(crate)/g' $file $SED -i 's/crate::/libcrux::/g' $file + $SED -i 's/libcrux::hax_utils/crate::hax_utils/g' $file + $SED -i 's/kem::kyber/crate/g' $file $SED -i 's/pub mod kyber512;//g' $file $SED -i 's/pub mod kyber1024;//g' $file fi done +cat >src/hax_utils.rs < {}; +} + +pub(crate) use hax_debug_assert; +EOF + +$SED -i '1ipub(crate) mod hax_utils;' src/lib.rs + mkdir -p tests cp -r ../kyber-crate-tests/* tests/ rm src/kyber512.rs rm src/kyber1024.rs # Build & test -cargo test +cargo build # Extract if [[ -z "$CHARON_HOME" ]]; then @@ -66,14 +80,13 @@ if [[ -z "$HACL_PACKAGES_HOME" ]]; then exit 1 fi +echo "Running charon ..." $CHARON_HOME/bin/charon --errors-as-warnings mkdir -p c cd c -$EURYDICE_HOME/eurydice ../libcrux_kyber.llbc -# Add header -$SED -i -z 's!\(#include "libcrux_kyber.h"\)!\1\n#include "libcrux_hacl_glue.h"!g' libcrux_kyber.c -# Drop definition -$SED -i -z 's!typedef struct __uint8_t_840size_t__uint8_t_840size_t__uint8_t_840size_t__uint8_t_840size_t__s.*__uint8_t_840size_t__uint8_t_840size_t__uint8_t_840size_t__uint8_t_840size_t_;!!g' libcrux_kyber.c + +echo "Running eurydice ..." +$EURYDICE_HOME/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc clang-format --style=Mozilla -i libcrux_kyber.c libcrux_kyber.h cp $EURYDICE_HOME/include/eurydice_glue.h . From b6f21bc17b4f29d514791d493876d67107ef3aba Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 21 Feb 2024 10:54:15 +0100 Subject: [PATCH 03/28] sort imports to work with kyber-crate.sh --- src/kem/kyber.rs | 4 +--- src/kem/kyber/constant_time_ops.rs | 3 ++- src/kem/kyber/sampling.rs | 10 +++++----- src/kem/kyber/serialize.rs | 3 ++- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/kem/kyber.rs b/src/kem/kyber.rs index 4c5276724..df5b6d8b8 100644 --- a/src/kem/kyber.rs +++ b/src/kem/kyber.rs @@ -33,15 +33,13 @@ pub use types::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey}; // https://github.com/cryspen/libcrux/issues/123 pub type MlKemSharedSecret = [u8; constants::SHARED_SECRET_SIZE]; -use crate::kem::kyber::ind_cpa::{deserialize_public_key, serialize_public_key}; - use self::{ constant_time_ops::{ compare_ciphertexts_in_constant_time, select_shared_secret_in_constant_time, }, constants::{CPA_PKE_KEY_GENERATION_SEED_SIZE, H_DIGEST_SIZE, SHARED_SECRET_SIZE}, hash_functions::{G, H, PRF}, - ind_cpa::into_padded_array, + ind_cpa::{deserialize_public_key, into_padded_array, serialize_public_key}, }; /// Seed size for key generation diff --git a/src/kem/kyber/constant_time_ops.rs b/src/kem/kyber/constant_time_ops.rs index 5577493c4..2066a1d74 100644 --- a/src/kem/kyber/constant_time_ops.rs +++ b/src/kem/kyber/constant_time_ops.rs @@ -1,4 +1,5 @@ -use crate::{hax_utils::hax_debug_assert, kem::kyber::constants::SHARED_SECRET_SIZE}; +use super::constants::SHARED_SECRET_SIZE; +use crate::hax_utils::hax_debug_assert; // Examine the output that LLVM produces for this code from time to time to ensure // operations are not being optimized away/constant-timedness is not being broken. diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs index 0cc86c811..2202f8a42 100644 --- a/src/kem/kyber/sampling.rs +++ b/src/kem/kyber/sampling.rs @@ -1,10 +1,10 @@ use super::{ arithmetic::{FieldElement, PolynomialRingElement}, constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS}, + hash_functions::{XOF_absorb, XOF_squeeze_block, XOF_squeeze_three_blocks}, }; -use crate::{cloop, hax_utils::hax_debug_assert, - kem::kyber::hash_functions::{XOF_absorb, XOF_squeeze_block, XOF_squeeze_three_blocks}}; - +use crate::cloop; +use crate::hax_utils::hax_debug_assert; /// If `bytes` contains a set of uniformly random bytes, this function /// uniformly samples a ring element `รข` that is treated as being the NTT representation @@ -82,7 +82,8 @@ pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingE let mut xof_states = XOF_absorb::(seeds); let randomness = XOF_squeeze_three_blocks(&mut xof_states); - let mut done = sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); + let mut done = + sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); // Requiring more than 5 blocks to sample a ring element should be very // unlikely according to: @@ -100,7 +101,6 @@ pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingE out } - /// Given a series of uniformly random bytes in `randomness`, for some number `eta`, /// the `sample_from_binomial_distribution_{eta}` functions sample /// a ring element from a binomial distribution centered at 0 that uses two sets diff --git a/src/kem/kyber/serialize.rs b/src/kem/kyber/serialize.rs index 44b6d058a..ef9a360df 100644 --- a/src/kem/kyber/serialize.rs +++ b/src/kem/kyber/serialize.rs @@ -6,7 +6,8 @@ use super::{ }, constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, }; -use crate::{cloop, hax_utils::hax_debug_assert}; +use crate::cloop; +use crate::hax_utils::hax_debug_assert; #[cfg(not(hax))] use super::constants::COEFFICIENTS_IN_RING_ELEMENT; From 635439b3286db1753886b69ac1df2299aea28939 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Wed, 21 Feb 2024 17:03:34 +0100 Subject: [PATCH 04/28] eurydice initialization experiments --- src/kem/kyber/hash_functions.rs | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index f4662c21d..4cebb224d 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -70,23 +70,34 @@ pub(crate) fn XOFx4( // Currently it only supports Scalar SHAKE, adapting it to SIMD SHAKE is a todo type XofState = crate::digest::incremental::Shake128State; +// The following does not work with Eurydice because of "from_fn" #[inline(always)] pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> [XofState; K] { - let mut out = - core::array::from_fn(|_| crate::digest::incremental::Shake128State::new()); - + let mut out = core::array::from_fn(|_| crate::digest::incremental::Shake128State::new()); for i in 0..K { out[i].absorb_final(&input[i]); } out } +// The following is an experiment to avoid "from_fn" and use "map" instead +#[inline(always)] +pub(crate) fn XofStateAbsorb(input: [u8; 34]) -> XofState { + let mut out = crate::digest::incremental::Shake128State::new(); + out.absorb_final(&input); + out +} + +#[inline(always)] +pub(crate) fn XOF_absorb_map(input: [[u8; 34]; K]) -> [XofState; K] { + input.map(XofStateAbsorb) +} + #[inline(always)] pub(crate) fn XOF_squeeze_three_blocks( state: &mut [XofState; K], ) -> [[u8; 168 * 3]; K] { let mut out = [[0; 168 * 3]; K]; - for i in 0..K { out[i] = state[i].squeeze_nblocks(); } @@ -95,8 +106,7 @@ pub(crate) fn XOF_squeeze_three_blocks( #[inline(always)] pub(crate) fn XOF_squeeze_block(state: &mut [XofState; K]) -> [[u8; 168]; K] { - let mut out = [[0; 168]; K]; - + let mut out: [[u8; 168]; K] = [[0; 168]; K]; for i in 0..K { out[i] = state[i].squeeze_nblocks(); } From 26aaa66a9fe760ce8ebe2f2e380df9f41036c3ce Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Thu, 22 Feb 2024 17:13:46 +0100 Subject: [PATCH 05/28] added SIMD - wip - and passing hax --- hax-driver.py | 2 +- kyber-crate.sh | 2 +- proofs/fstar/extraction/Libcrux.Digest.fst | 48 --- proofs/fstar/extraction/Libcrux.Digest.fsti | 22 +- .../Libcrux.Kem.Kyber.Constants.fsti | 2 - .../Libcrux.Kem.Kyber.Hash_functions.fst | 193 ++++++----- .../Libcrux.Kem.Kyber.Hash_functions.fsti | 16 +- .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fst | 172 +++++----- .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti | 16 +- .../Libcrux.Kem.Kyber.Kyber1024.fst | 28 +- .../Libcrux.Kem.Kyber.Kyber1024.fsti | 10 +- .../extraction/Libcrux.Kem.Kyber.Kyber512.fst | 28 +- .../Libcrux.Kem.Kyber.Kyber512.fsti | 10 +- .../extraction/Libcrux.Kem.Kyber.Kyber768.fst | 28 +- .../Libcrux.Kem.Kyber.Kyber768.fsti | 10 +- .../extraction/Libcrux.Kem.Kyber.Matrix.fst | 13 +- .../extraction/Libcrux.Kem.Kyber.Sampling.fst | 308 ++++++++++++------ .../Libcrux.Kem.Kyber.Sampling.fsti | 17 +- proofs/fstar/extraction/Libcrux.Kem.Kyber.fst | 50 +-- .../fstar/extraction/Libcrux.Kem.Kyber.fsti | 10 +- src/digest.rs | 44 ++- src/hacl/sha3.rs | 80 ++++- src/kem/kyber/constants.rs | 6 - src/kem/kyber/hash_functions.rs | 144 ++++---- sys/hacl/src/bindings.rs | 38 +++ 25 files changed, 775 insertions(+), 522 deletions(-) delete mode 100644 proofs/fstar/extraction/Libcrux.Digest.fst diff --git a/hax-driver.py b/hax-driver.py index 3a1244798..dbda01f8c 100755 --- a/hax-driver.py +++ b/hax-driver.py @@ -127,7 +127,7 @@ def shell(command, expect=0, cwd=None, env={}): f"-** +libcrux::kem::kyber::** +!libcrux_platform::platform::* {exclude_sha3_implementations} -libcrux::**::types::index_impls::**", "fstar", "--interfaces", - "+* -libcrux::kem::kyber::types +!libcrux_platform::**", + "+* -libcrux::kem::kyber::types +!libcrux_platform::** +!libcrux::digest::**", ], cwd=".", env=hax_env, diff --git a/kyber-crate.sh b/kyber-crate.sh index ca954dd8e..98017dfc4 100755 --- a/kyber-crate.sh +++ b/kyber-crate.sh @@ -86,7 +86,7 @@ mkdir -p c cd c echo "Running eurydice ..." -$EURYDICE_HOME/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc +$EURYDICE_HOME/eurydice --log * --config ../../kyber-c.yaml ../libcrux_kyber.llbc clang-format --style=Mozilla -i libcrux_kyber.c libcrux_kyber.h cp $EURYDICE_HOME/include/eurydice_glue.h . diff --git a/proofs/fstar/extraction/Libcrux.Digest.fst b/proofs/fstar/extraction/Libcrux.Digest.fst deleted file mode 100644 index 94f37dd21..000000000 --- a/proofs/fstar/extraction/Libcrux.Digest.fst +++ /dev/null @@ -1,48 +0,0 @@ -module Libcrux.Digest -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -let sha3_256_ (payload: t_Slice u8) = Libcrux.Hacl.Sha3.sha256 payload - -let sha3_512_ (payload: t_Slice u8) = Libcrux.Hacl.Sha3.sha512 payload - -let shake128 (v_LEN: usize) (data: t_Slice u8) = Libcrux.Hacl.Sha3.shake128 v_LEN data - -let shake256 (v_LEN: usize) (data: t_Slice u8) = Libcrux.Hacl.Sha3.shake256 v_LEN data - -let shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = - let input_len:usize = Core.Slice.impl__len data0 in - let _:Prims.unit = - if true - then - let _:Prims.unit = - if - ~.((input_len =. (Core.Slice.impl__len data1 <: usize) <: bool) && - (input_len =. (Core.Slice.impl__len data2 <: usize) <: bool) && - (input_len =. (Core.Slice.impl__len data3 <: usize) <: bool) && - (input_len <=. (cast (Core.Num.impl__u32__MAX <: u32) <: usize) <: bool) && - (v_LEN <=. (cast (Core.Num.impl__u32__MAX <: u32) <: usize) <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: input_len == data1.len() && input_len == data2.len() &&\\n input_len == data3.len() && input_len <= u32::MAX as usize &&\\n LEN <= u32::MAX as usize" - - <: - Rust_primitives.Hax.t_Never) - in - () - in - let digest0:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data0 in - let digest1:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data1 in - let digest2:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data2 in - let digest3:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data3 in - digest0, digest1, digest2, digest3 - <: - (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) - -let shake128x4_256_ (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = - shake128x4_portable v_LEN data0 data1 data2 data3 - -let shake128x4 (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = - if Libcrux_platform.Platform.simd256_support () - then shake128x4_256_ v_LEN data0 data1 data2 data3 - else shake128x4_portable v_LEN data0 data1 data2 data3 diff --git a/proofs/fstar/extraction/Libcrux.Digest.fsti b/proofs/fstar/extraction/Libcrux.Digest.fsti index 59887e419..96326373f 100644 --- a/proofs/fstar/extraction/Libcrux.Digest.fsti +++ b/proofs/fstar/extraction/Libcrux.Digest.fsti @@ -9,23 +9,15 @@ val sha3_256_ (payload: t_Slice u8) val sha3_512_ (payload: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val shake128 (v_LEN: usize) (data: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) - val shake256 (v_LEN: usize) (data: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -val shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) - Prims.l_True - (fun _ -> Prims.l_True) +type t_Shake128State + +val shake128_absorb_final (st: t_Shake128State) (data: t_Slice u8) + : Prims.Pure t_Shake128State Prims.l_True (fun _ -> Prims.l_True) -val shake128x4_256_ (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) - Prims.l_True - (fun _ -> Prims.l_True) +val shake128_init: Prims.unit -> Prims.Pure t_Shake128State Prims.l_True (fun _ -> Prims.l_True) -val shake128x4 (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) - Prims.l_True - (fun _ -> Prims.l_True) +val shake128_squeeze_nblocks (v_OUTPUT_BYTES: usize) (st: t_Shake128State) + : Prims.Pure (t_Shake128State & t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Constants.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Constants.fsti index 938e50fe2..7bb3171bd 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Constants.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Constants.fsti @@ -17,6 +17,4 @@ let v_FIELD_MODULUS: i32 = 3329l let v_H_DIGEST_SIZE: usize = sz 32 -let v_REJECTION_SAMPLING_SEED_SIZE: usize = sz 168 *! sz 5 - let v_SHARED_SECRET_SIZE: usize = sz 32 diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst index 48e40e681..e47090628 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst @@ -9,95 +9,128 @@ let v_H (input: t_Slice u8) = Libcrux.Digest.sha3_256_ input let v_PRF (v_LEN: usize) (input: t_Slice u8) = Libcrux.Digest.shake256 v_LEN input -let v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 840) <: t_Array u8 (sz 840)) v_K +let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = + let (out_vec: Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global):Alloc.Vec.t_Vec + Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = + Alloc.Vec.impl__new () in - let out:t_Array (t_Array u8 (sz 840)) v_K = - if ~.(Libcrux_platform.Platform.simd256_support () <: bool) - then - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - out - (fun out i -> - let out:t_Array (t_Array u8 (sz 840)) v_K = out in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - (Libcrux.Digest.shake128 (sz 840) - (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) - <: - t_Array u8 (sz 840)) + let out_vec:Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } <: - t_Array (t_Array u8 (sz 840)) v_K) - else - let out:t_Array (t_Array u8 (sz 840)) v_K = - match cast (v_K <: usize) <: u8 with - | 2uy -> - let d0, d1, _, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux.Digest.shake128x4 (sz 840) - (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 - in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 - in - out - | 3uy -> - let d0, d1, d2, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux.Digest.shake128x4 (sz 840) - (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + out_vec + (fun out_vec i -> + let out_vec:Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = + out_vec in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 + let i:usize = i in + let st:Libcrux.Digest.t_Shake128State = Libcrux.Digest.shake128_init () in + let st:Libcrux.Digest.t_Shake128State = + Libcrux.Digest.shake128_absorb_final st + (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 + let out_vec:Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = + Alloc.Vec.impl_1__push out_vec st in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) d2 + out_vec) + in + let (states: t_Array Libcrux.Digest.t_Shake128State v_K):t_Array Libcrux.Digest.t_Shake128State + v_K = + Core.Result.impl__unwrap_or_else (Core.Convert.f_try_into out_vec + <: + Core.Result.t_Result (t_Array Libcrux.Digest.t_Shake128State v_K) + (Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global)) + (fun temp_0_ -> + let _:Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = temp_0_ in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" + <: + Rust_primitives.Hax.t_Never) + <: + t_Array Libcrux.Digest.t_Shake128State v_K) + in + { f_states = states } <: t_XofState v_K + +let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = + let (out: t_Array (t_Array u8 (sz 168)) v_K):t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K + in + let out, xof_state:(t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (out, xof_state <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K)) + (fun temp_0_ i -> + let out, xof_state:(t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) = temp_0_ in + let i:usize = i in + let tmp0, out:(Libcrux.Digest.t_Shake128State & t_Array u8 (sz 168)) = + Libcrux.Digest.shake128_squeeze_nblocks (sz 168) + (xof_state.f_states.[ i ] <: Libcrux.Digest.t_Shake128State) in - out - | 4uy -> - let d0, d1, d2, d3:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux.Digest.shake128x4 (sz 840) - (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) - (Rust_primitives.unsize (input.[ sz 3 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + let xof_state:t_XofState v_K = + { + xof_state with + f_states + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize xof_state.f_states i tmp0 + } + <: + t_XofState v_K in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 + let hoist21:t_Array u8 (sz 168) = out in + let hoist22:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i hoist21 in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 + hoist22, xof_state <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K)) + in + let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in + xof_state, hax_temp_output <: (t_XofState v_K & t_Array (t_Array u8 (sz 168)) v_K) + +let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = + let out:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K + in + let out, xof_state:(t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (out, xof_state <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K)) + (fun temp_0_ i -> + let out, xof_state:(t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) = temp_0_ in + let i:usize = i in + let tmp0, out:(Libcrux.Digest.t_Shake128State & t_Array u8 (sz 504)) = + Libcrux.Digest.shake128_squeeze_nblocks (sz 504) + (xof_state.f_states.[ i ] <: Libcrux.Digest.t_Shake128State) in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) d2 + let xof_state:t_XofState v_K = + { + xof_state with + f_states + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize xof_state.f_states i tmp0 + } + <: + t_XofState v_K in - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) d3 + let hoist23:t_Array u8 (sz 504) = out in + let hoist24:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i hoist23 in - out - | _ -> out - in - out + hoist24, xof_state <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K)) in - out + let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in + xof_state, hax_temp_output <: (t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti index 2b580727c..472825a59 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti @@ -10,5 +10,17 @@ val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun val v_PRF (v_LEN: usize) (input: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -val v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) - : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) +type t_XofState (v_K: usize) = { f_states:t_Array Libcrux.Digest.t_Shake128State v_K } + +val v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) + : Prims.Pure (t_XofState v_K) Prims.l_True (fun _ -> Prims.l_True) + +val v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) + : Prims.Pure (t_XofState v_K & t_Array (t_Array u8 (sz 168)) v_K) + Prims.l_True + (fun _ -> Prims.l_True) + +val v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) + : Prims.Pure (t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst index 263bd0153..748683122 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst @@ -334,92 +334,6 @@ let decrypt in Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message -let encrypt - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: t_Slice u8) - (message: t_Array u8 (sz 32)) - (randomness: t_Slice u8) - = - let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - deserialize_public_key v_K - (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } - <: - Core.Ops.Range.t_RangeTo usize ] - <: - t_Slice u8) - in - let seed:t_Slice u8 = - public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - in - let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = - Libcrux.Kem.Kyber.Matrix.sample_matrix_A v_K - (into_padded_array (sz 34) seed <: t_Array u8 (sz 34)) - false - in - let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = into_padded_array (sz 33) randomness in - let r_as_ntt, domain_separator:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & - u8) = - sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input 0uy - in - let tmp0, tmp1, out:(t_Array u8 (sz 33) & u8 & - t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = - sample_ring_element_cbd v_K v_ETA2_RANDOMNESS_SIZE v_ETA2 prf_input domain_separator - in - let prf_input:t_Array u8 (sz 33) = tmp0 in - let domain_separator:u8 = tmp1 in - let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = out in - let prf_input:t_Array u8 (sz 33) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator - in - let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE = - Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE - (Rust_primitives.unsize prf_input <: t_Slice u8) - in - let error_2_:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2 - (Rust_primitives.unsize prf_output <: t_Slice u8) - in - let u:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Libcrux.Kem.Kyber.Matrix.compute_vector_u v_K v_A_transpose r_as_ntt error_1_ - in - let message_as_ring_element:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - Libcrux.Kem.Kyber.Serialize.deserialize_then_decompress_message message - in - let v:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - Libcrux.Kem.Kyber.Matrix.compute_ring_element_v v_K - tt_as_ntt - r_as_ntt - error_2_ - message_as_ring_element - in - let c1:t_Array u8 v_C1_LEN = - compress_then_serialize_u v_K v_C1_LEN v_U_COMPRESSION_FACTOR v_BLOCK_LEN u - in - let c2:t_Array u8 v_C2_LEN = - Libcrux.Kem.Kyber.Serialize.compress_then_serialize_ring_element_v v_V_COMPRESSION_FACTOR - v_C2_LEN - v - in - let (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE):t_Array u8 v_CIPHERTEXT_SIZE = - into_padded_array v_CIPHERTEXT_SIZE (Rust_primitives.unsize c1 <: t_Slice u8) - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext - ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (Core.Array.impl_23__as_slice v_C2_LEN c2 <: t_Slice u8) - <: - t_Slice u8) - in - ciphertext - let serialize_secret_key (v_K v_OUT_LEN: usize) (key: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) @@ -529,6 +443,92 @@ let serialize_public_key in public_key_serialized +let encrypt + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: t_Slice u8) + (message: t_Array u8 (sz 32)) + (randomness: t_Slice u8) + = + let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + deserialize_public_key v_K + (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeTo usize ] + <: + t_Slice u8) + in + let seed:t_Slice u8 = + public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + in + let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = + Libcrux.Kem.Kyber.Matrix.sample_matrix_A v_K + (into_padded_array (sz 34) seed <: t_Array u8 (sz 34)) + false + in + let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = into_padded_array (sz 33) randomness in + let r_as_ntt, domain_separator:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + u8) = + sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input 0uy + in + let tmp0, tmp1, out:(t_Array u8 (sz 33) & u8 & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = + sample_ring_element_cbd v_K v_ETA2_RANDOMNESS_SIZE v_ETA2 prf_input domain_separator + in + let prf_input:t_Array u8 (sz 33) = tmp0 in + let domain_separator:u8 = tmp1 in + let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = out in + let prf_input:t_Array u8 (sz 33) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator + in + let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE = + Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE + (Rust_primitives.unsize prf_input <: t_Slice u8) + in + let error_2_:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2 + (Rust_primitives.unsize prf_output <: t_Slice u8) + in + let u:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Libcrux.Kem.Kyber.Matrix.compute_vector_u v_K v_A_transpose r_as_ntt error_1_ + in + let message_as_ring_element:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Libcrux.Kem.Kyber.Serialize.deserialize_then_decompress_message message + in + let v:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Libcrux.Kem.Kyber.Matrix.compute_ring_element_v v_K + tt_as_ntt + r_as_ntt + error_2_ + message_as_ring_element + in + let c1:t_Array u8 v_C1_LEN = + compress_then_serialize_u v_K v_C1_LEN v_U_COMPRESSION_FACTOR v_BLOCK_LEN u + in + let c2:t_Array u8 v_C2_LEN = + Libcrux.Kem.Kyber.Serialize.compress_then_serialize_ring_element_v v_V_COMPRESSION_FACTOR + v_C2_LEN + v + in + let (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE):t_Array u8 v_CIPHERTEXT_SIZE = + into_padded_array v_CIPHERTEXT_SIZE (Rust_primitives.unsize c1 <: t_Slice u8) + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext + ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (Core.Array.impl_23__as_slice v_C2_LEN c2 <: t_Slice u8) + <: + t_Slice u8) + in + ciphertext + let generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti index 81393a922..f476d9657 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti @@ -52,14 +52,6 @@ val decrypt (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val encrypt - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: t_Slice u8) - (message: t_Array u8 (sz 32)) - (randomness: t_Slice u8) - : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - val serialize_secret_key (v_K v_OUT_LEN: usize) (key: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) @@ -71,6 +63,14 @@ val serialize_public_key (seed_for_a: t_Slice u8) : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val encrypt + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: t_Slice u8) + (message: t_Array u8 (sz 32)) + (randomness: t_Slice u8) + : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + val generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fst index 87276fe9b..998e32e1e 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fst @@ -3,20 +3,6 @@ module Libcrux.Kem.Kyber.Kyber1024 open Core open FStar.Mul -let decapsulate - (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) - (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux.Kem.Kyber.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) (sz 1536) (sz 1408) - (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) secret_key ciphertext - -let encapsulate - (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux.Kem.Kyber.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) - (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) = if Libcrux.Kem.Kyber.validate_public_key (sz 4) @@ -32,6 +18,20 @@ let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (s <: Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) +let decapsulate + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux.Kem.Kyber.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) (sz 1536) (sz 1408) + (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) secret_key ciphertext + +let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux.Kem.Kyber.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) + (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux.Kem.Kyber.generate_keypair (sz 4) (sz 1536) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fsti index fafa6c85a..6d46bf638 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fsti @@ -71,6 +71,11 @@ let t_MlKem1024PrivateKey = Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168) unfold let t_MlKem1024PublicKey = Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568) +val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568))) + Prims.l_True + (fun _ -> Prims.l_True) + val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) @@ -83,11 +88,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fst index f86ddb2c0..02548a5b5 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fst @@ -3,20 +3,6 @@ module Libcrux.Kem.Kyber.Kyber512 open Core open FStar.Mul -let decapsulate - (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux.Kem.Kyber.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) (sz 768) (sz 640) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) secret_key ciphertext - -let encapsulate - (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux.Kem.Kyber.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) - (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) = if Libcrux.Kem.Kyber.validate_public_key (sz 2) @@ -32,6 +18,20 @@ let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (s <: Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) +let decapsulate + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux.Kem.Kyber.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) (sz 768) (sz 640) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) secret_key ciphertext + +let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux.Kem.Kyber.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) + (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux.Kem.Kyber.generate_keypair (sz 2) (sz 768) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fsti index 33108ba19..0220c80d7 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fsti @@ -71,6 +71,11 @@ let t_MlKem512PrivateKey = Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632) unfold let t_MlKem512PublicKey = Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800) +val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800))) + Prims.l_True + (fun _ -> Prims.l_True) + val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) @@ -83,11 +88,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fst index 7b7edf6d7..62208cfc6 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fst @@ -3,20 +3,6 @@ module Libcrux.Kem.Kyber.Kyber768 open Core open FStar.Mul -let decapsulate - (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux.Kem.Kyber.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) (sz 1152) (sz 960) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) secret_key ciphertext - -let encapsulate - (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux.Kem.Kyber.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) (sz 128) (sz 10) - (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) = if Libcrux.Kem.Kyber.validate_public_key (sz 3) @@ -32,6 +18,20 @@ let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (s <: Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) +let decapsulate + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux.Kem.Kyber.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) (sz 1152) (sz 960) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) secret_key ciphertext + +let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux.Kem.Kyber.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) (sz 128) (sz 10) + (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux.Kem.Kyber.generate_keypair (sz 3) (sz 1152) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fsti index 5f68851e0..6f9f11070 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fsti @@ -71,6 +71,11 @@ let t_MlKem768PrivateKey = Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400) unfold let t_MlKem768PublicKey = Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184) +val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184))) + Prims.l_True + (fun _ -> Prims.l_True) + val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) @@ -83,11 +88,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst index 6cfbc72fe..ced9b7441 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Matrix.fst @@ -482,8 +482,8 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) = in seeds) in - let xof_bytes:t_Array (t_Array u8 (sz 840)) v_K = - Libcrux.Kem.Kyber.Hash_functions.v_XOFx4 v_K seeds + let sampled:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Libcrux.Kem.Kyber.Sampling.sample_from_xof v_K seeds in Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; @@ -500,11 +500,6 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) = v_A_transpose in let j:usize = j in - let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - Libcrux.Kem.Kyber.Sampling.sample_from_uniform_distribution (xof_bytes.[ j ] - <: - t_Array u8 (sz 840)) - in if transpose then let v_A_transpose:t_Array @@ -516,7 +511,7 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) = <: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) i - sampled + (sampled.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) <: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) in @@ -531,7 +526,7 @@ let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) = <: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) j - sampled + (sampled.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) <: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) in diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst index 94988a9fe..c0c6ae69b 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst @@ -3,11 +3,6 @@ module Libcrux.Kem.Kyber.Sampling open Core open FStar.Mul -let rejection_sampling_panic_with_diagnostic (_: Prims.unit) = - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" - <: - Rust_primitives.Hax.t_Never) - let sample_from_binomial_distribution_2_ (randomness: t_Slice u8) = let (sampled: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = @@ -158,114 +153,227 @@ let sample_from_binomial_distribution (v_ETA: usize) (randomness: t_Slice u8) = <: Rust_primitives.Hax.t_Never) -let sample_from_uniform_distribution (randomness: t_Array u8 (sz 840)) = - let (sampled_coefficients: usize):usize = sz 0 in - let (out: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement - = - Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO - in - let done:bool = false in - let done, out, sampled_coefficients:(bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & - usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Slice.impl__chunks ( - Rust_primitives.unsize randomness <: t_Slice u8) - (sz 3) +let sample_from_uniform_distribution_next + (v_K v_N: usize) + (randomness: t_Array (t_Array u8 v_N) v_K) + (sampled_coefficients: t_Array usize v_K) + (out: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + = + let done:bool = true in + let done, out, sampled_coefficients:(bool & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } <: - Core.Slice.Iter.t_Chunks u8) + Core.Ops.Range.t_Range usize) <: - Core.Slice.Iter.t_Chunks u8) + Core.Ops.Range.t_Range usize) (done, out, sampled_coefficients <: - (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)) - (fun temp_0_ bytes -> + (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K + )) + (fun temp_0_ i -> let done, out, sampled_coefficients:(bool & - Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & - usize) = + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) = temp_0_ in - let bytes:t_Slice u8 = bytes in - if ~.done <: bool - then - let b1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in - let b2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in - let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in - let d1:i32 = ((b2 &. 15l <: i32) <>! 4l <: i32) in - let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & - usize) = - if - d1 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && - sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - { - out with - Libcrux.Kem.Kyber.Arithmetic.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - .Libcrux.Kem.Kyber.Arithmetic.f_coefficients - sampled_coefficients - d1 - } - <: - Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement - in - out, sampled_coefficients +! sz 1 - <: - (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) - else - out, sampled_coefficients + let i:usize = i in + let out, sampled_coefficients:(t_Array + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Slice.impl__chunks + (Rust_primitives.unsize (randomness.[ i ] <: t_Array u8 v_N) <: t_Slice u8) + (sz 3) + <: + Core.Slice.Iter.t_Chunks u8) <: - (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) - in - let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & - usize) = - if - d2 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && - sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - { - out with - Libcrux.Kem.Kyber.Arithmetic.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - .Libcrux.Kem.Kyber.Arithmetic.f_coefficients - sampled_coefficients - d2 - } - <: - Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement - in - let sampled_coefficients:usize = sampled_coefficients +! sz 1 in - out, sampled_coefficients + Core.Slice.Iter.t_Chunks u8) + (out, sampled_coefficients <: - (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) - else - out, sampled_coefficients - <: - (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) - in - if sampled_coefficients =. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let done:bool = true in - done, out, sampled_coefficients - <: - (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) - else - done, out, sampled_coefficients - <: - (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) + (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K)) + (fun temp_0_ bytes -> + let out, sampled_coefficients:(t_Array + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) = + temp_0_ + in + let bytes:t_Slice u8 = bytes in + let b1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let b2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let d1:i32 = ((b2 &. 15l <: i32) <>! 4l <: i32) in + let out, sampled_coefficients:(t_Array + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) = + if + d1 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && + (sampled_coefficients.[ i ] <: usize) <. + Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + i + ({ + (out.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out.[ i ] + <: + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (sampled_coefficients.[ i ] <: usize) + d1 + <: + t_Array i32 (sz 256) + } + <: + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + in + out, + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_coefficients + i + ((sampled_coefficients.[ i ] <: usize) +! sz 1 <: usize) + <: + (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) + else + out, sampled_coefficients + <: + (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) + in + if + d2 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && + (sampled_coefficients.[ i ] <: usize) <. + Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + i + ({ + (out.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out.[ i ] + <: + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (sampled_coefficients.[ i ] <: usize) + d2 + <: + t_Array i32 (sz 256) + } + <: + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + in + let sampled_coefficients:t_Array usize v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_coefficients + i + ((sampled_coefficients.[ i ] <: usize) +! sz 1 <: usize) + in + out, sampled_coefficients + <: + (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) + else + out, sampled_coefficients + <: + (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K)) + in + if + (sampled_coefficients.[ i ] <: usize) <. + Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + false, out, sampled_coefficients + <: + (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K) else done, out, sampled_coefficients <: - (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)) + (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output + <: + (t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) + +let sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) = + let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K = + Rust_primitives.Hax.repeat (sz 0) v_K + in + let (out: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K):t_Array + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K in - let _:Prims.unit = - if ~.done - then - let _:Prims.unit = rejection_sampling_panic_with_diagnostic () in - () + let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = + Libcrux.Kem.Kyber.Hash_functions.v_XOF_absorb v_K seeds + in + let tmp0, out:(Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K + ) = + Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_three_blocks v_K xof_states + in + let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = tmp0 in + let randomness:t_Array (t_Array u8 (sz 504)) v_K = out in + let tmp0, tmp1, out:(t_Array usize v_K & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + bool) = + sample_from_uniform_distribution_next v_K (sz 504) randomness sampled_coefficients out + in + let sampled_coefficients:t_Array usize v_K = tmp0 in + let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in + let done:bool = out in + let done, out, sampled_coefficients, xof_states:(bool & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K & + Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let done, out, sampled_coefficients, xof_states:(bool & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K & + Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + temp_0_ + in + ~.done <: bool) + (done, out, sampled_coefficients, xof_states + <: + (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & + Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K)) + (fun temp_0_ -> + let done, out, sampled_coefficients, xof_states:(bool & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K & + Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + temp_0_ + in + let tmp0, out:(Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K & + t_Array (t_Array u8 (sz 168)) v_K) = + Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_block v_K xof_states + in + let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = tmp0 in + let randomness:t_Array (t_Array u8 (sz 168)) v_K = out in + let tmp0, tmp1, out:(t_Array usize v_K & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + bool) = + sample_from_uniform_distribution_next v_K (sz 168) randomness sampled_coefficients out + in + let sampled_coefficients:t_Array usize v_K = tmp0 in + let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in + let hoist25:bool = out in + let done:bool = hoist25 in + done, out, sampled_coefficients, xof_states + <: + (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array usize v_K & + Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K)) in let _:Prims.unit = () <: Prims.unit in out diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fsti index 4000929f6..6c5f8500e 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fsti @@ -3,9 +3,6 @@ module Libcrux.Kem.Kyber.Sampling open Core open FStar.Mul -val rejection_sampling_panic_with_diagnostic: Prims.unit - -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) - val sample_from_binomial_distribution_2_ (randomness: t_Slice u8) : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement (requires (Core.Slice.impl__len randomness <: usize) =. (sz 2 *! sz 64 <: usize)) @@ -73,7 +70,17 @@ val sample_from_binomial_distribution (v_ETA: usize) (randomness: t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val sample_from_uniform_distribution (randomness: t_Array u8 (sz 840)) - : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +val sample_from_uniform_distribution_next + (v_K v_N: usize) + (randomness: t_Array (t_Array u8 v_N) v_K) + (sampled_coefficients: t_Array usize v_K) + (out: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + : Prims.Pure + (t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) + : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst index b2ee09192..68bfa171d 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst @@ -108,6 +108,31 @@ let serialize_kem_secret_key in out +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key v_K + (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeTo usize ] + <: + t_Slice u8) + in + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + pk + (public_key.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + in + public_key =. public_key_serialized + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -264,31 +289,6 @@ let encapsulate <: (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key v_K - (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeTo usize ] - <: - t_Slice u8) - in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - pk - (public_key.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - in - public_key =. public_key_serialized - let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fsti index 45e259a23..0e9ad2744 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fsti @@ -15,6 +15,11 @@ val serialize_kem_secret_key (private_key public_key implicit_rejection_value: t_Slice u8) : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -31,11 +36,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/src/digest.rs b/src/digest.rs index d9bcab9a1..735528c4c 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -24,7 +24,6 @@ use crate::hacl::{ use libcrux_platform::{simd128_support, simd256_support}; -pub use sha3::incremental; #[derive(Debug)] pub enum Error { @@ -366,6 +365,49 @@ pub fn shake128(data: &[u8]) -> [u8; LEN] { sha3::shake128(data) } +/// SHAKE 128 Incremental API (Scalar) +pub struct Shake128State(sha3::incremental::Shake128State); + +pub fn shake128_init() -> Shake128State { + Shake128State(sha3::incremental::Shake128State::new()) +} + +pub fn shake128_absorb_nblocks(st:&mut Shake128State,data:&[u8]) { + st.0.absorb_nblocks(data); +} + +pub fn shake128_absorb_final(st:&mut Shake128State,data:&[u8]) { + st.0.absorb_final(data); +} + +pub fn shake128_squeeze_nblocks(st:&mut Shake128State) -> [u8;OUTPUT_BYTES] { + st.0.squeeze_nblocks() +} + +/// SHAKE 128 Incremental API (SIMD) +#[cfg(simd256)] +pub struct Shake128StateX4(sha3::incremental_x4::Shake128StateX4); + +#[cfg(simd256)] +pub fn shake128_init_x4() -> Shake128StateX4 { + Shake128StateX4(sha3::incremental_x4::Shake128StateX4::new()) +} + +#[cfg(simd256)] +pub fn shake128_absorb_nblocks_x4(st:&mut Shake128StateX4,data0:&[u8],data1:&[u8],data2:&[u8],data3:&[u8]) { + st.0.absorb_nblocks(data0,data1,data2,data3); +} + +#[cfg(simd256)] +pub fn shake128_absorb_final_x4(st:&mut Shake128StateX4,data0:&[u8],data1:&[u8],data2:&[u8],data3:&[u8]) { + st.0.absorb_final(data0,data1,data2,data3); +} + +#[cfg(simd256)] +pub fn shake128_squeeze_nblocks_x4(st:&mut Shake128StateX4) -> [[u8;OUTPUT_BYTES];4] { + st.0.squeeze_nblocks() +} + /// SHAKE 256 /// /// The caller must define the size of the output in the return type. diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index 12050482f..a7bd3eda9 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -294,4 +294,82 @@ pub mod incremental { unsafe { Hacl_Hash_SHA3_Scalar_state_free(self.state) } } } -} \ No newline at end of file +} + +#[cfg(simd256)] +pub mod incremental_x4 { + use libcrux_hacl::{ + Hacl_Hash_SHA3_Simd256_shake128_absorb_final, Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks, Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks, Hacl_Hash_SHA3_Simd256_state_free, Hacl_Hash_SHA3_Simd256_state_malloc, Lib_IntVector_Intrinsics_vec256 + }; + + /// SHAKE 128 + /// + + /// Handle to internal SHAKE 129 state + pub struct Shake128State { + state: *mut Lib_IntVector_Intrinsics_vec256, + } + + impl Shake128StateX4 { + pub fn new() -> Self { + let state = Self { + state: unsafe { Hacl_Hash_SHA3_Simd256_state_malloc() }, + }; + + state + } + + pub fn absorb_nblocks(&mut self, input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) { + debug_assert!(input0.len() == input1.len() && input0.len() == input2.len() && input0.len() == input3.len()); + debug_assert!(input0.len() % 168 == 0); + + unsafe { + Hacl_Hash_SHA3_Scimd256_shake128_absorb_nblocks( + self.state, + input0.as_ptr() as _, + input1.as_ptr() as _, + input2.as_ptr() as _, + input3.as_ptr() as _, + input0.len() as u32, + ) + }; + } + + pub fn absorb_final(&mut self, input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) { + debug_assert!(input0.len() == input1.len() && input0.len() == input2.len() && input0.len() == input3.len()); + debug_assert!(input0.len() < 168); + + unsafe { + Hacl_Hash_SHA3_Simd256_shake128_absorb_final( + self.state, + input0.as_ptr() as _, + input1.as_ptr() as _, + input2.as_ptr() as _, + input3.as_ptr() as _, + input0.len() as u32, + ) + }; + } + pub fn squeeze_nblocks(&mut self) -> [[u8; OUTPUT_BYTES];4] { + debug_assert!(OUTPUT_BYTES % 168 == 0); + let mut output = [[0u8; OUTPUT_BYTES];4]; + unsafe { + Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks( + self.state, + output[0].as_mut_ptr(), + output[1].as_mut_ptr(), + output[2].as_mut_ptr(), + output[3].as_mut_ptr(), + OUTPUT_BYTES as u32, + ) + }; + + output + } + } + impl Drop for Shake128StateX4 { + fn drop(&mut self) { + unsafe { Hacl_Hash_SHA3_Simd256_state_free(self.state) } + } + } +} diff --git a/src/kem/kyber/constants.rs b/src/kem/kyber/constants.rs index f64a05b2f..a48705a2f 100644 --- a/src/kem/kyber/constants.rs +++ b/src/kem/kyber/constants.rs @@ -13,12 +13,6 @@ pub(crate) const BITS_PER_RING_ELEMENT: usize = COEFFICIENTS_IN_RING_ELEMENT * 1 /// Bytes required per (uncompressed) ring element pub(crate) const BYTES_PER_RING_ELEMENT: usize = BITS_PER_RING_ELEMENT / 8; -/// Seed size for rejection sampling. -/// -/// See for some background regarding -/// this choice. -pub(crate) const REJECTION_SAMPLING_SEED_SIZE: usize = 168 * 5; - /// PKE message size pub(crate) const SHARED_SECRET_SIZE: usize = 32; diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index 4cebb224d..0c37d1c11 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -1,10 +1,13 @@ #![allow(non_snake_case)] -use libcrux_platform::simd256_support; +use digest::{Shake128State,shake128_init,shake128_absorb_final,shake128_squeeze_nblocks}; +#[cfg(simd256)] +use digest::{Shake128StateX4,shake128_init_x4,shake128_absorb_final_x4,shake128_squeeze_nblocks_x4}; +// use libcrux_platform::simd256_support; use crate::digest::{self, digest_size, Algorithm}; -use super::constants::{H_DIGEST_SIZE, REJECTION_SAMPLING_SEED_SIZE}; +use super::constants::{H_DIGEST_SIZE}; pub(crate) fn G(input: &[u8]) -> [u8; digest_size(Algorithm::Sha3_512)] { digest::sha3_512(input) @@ -18,97 +21,98 @@ pub(crate) fn PRF(input: &[u8]) -> [u8; LEN] { digest::shake256::(input) } +// The following API uses the repeated squeeze API +// The first version uses Scalar SHAKE 128 +#[cfg(not(simd256))] +pub(crate) struct XofState { + states: [Shake128State; K] +} + +#[cfg(not(simd256))] #[inline(always)] -pub(crate) fn XOFx4( - input: [[u8; 34]; K], -) -> [[u8; REJECTION_SAMPLING_SEED_SIZE]; K] { - let mut out = [[0u8; REJECTION_SAMPLING_SEED_SIZE]; K]; - - if !simd256_support() { - // Without SIMD256 support we fake it and call shak128 4 times. - // While shak128x4 does this too, this is faster because we only do the - // required number of invocations (K). - for i in 0..K { - out[i] = digest::shake128::(&input[i]); - } - } else { - // Always do 4 SHA3 at a time even if we need less. - // XXX: Cast for hax extraction - match K as u8 { - 2 => { - let (d0, d1, _, _) = digest::shake128x4::( - &input[0], &input[1], &input[0], &input[1], - ); - out[0] = d0; - out[1] = d1; - } - 3 => { - let (d0, d1, d2, _) = digest::shake128x4::( - &input[0], &input[1], &input[2], &input[0], - ); - out[0] = d0; - out[1] = d1; - out[2] = d2; - } - 4 => { - let (d0, d1, d2, d3) = digest::shake128x4::( - &input[0], &input[1], &input[2], &input[3], - ); - out[0] = d0; - out[1] = d1; - out[2] = d2; - out[3] = d3; - } - _ => unreachable!(), - }; +pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { + let mut out_vec : Vec = Vec::new(); + for i in 0..K { + let mut st = shake128_init(); + shake128_absorb_final(&mut st,&input[i]); + out_vec.push(st); } + let states:[Shake128State; K] = out_vec.try_into().unwrap_or_else(|_| panic!()); + XofState {states} - out + // The following does not work with Eurydice because of "from_fn" + // let mut out : [Shake128State; K] = + // core::array::from_fn(|_| Shake128State::new()); + // for i in 0..K { + // out[i].absorb_final(&input[i]); + // } + // out } -// The following API uses the repeated squeeze API -// Currently it only supports Scalar SHAKE, adapting it to SIMD SHAKE is a todo -type XofState = crate::digest::incremental::Shake128State; - -// The following does not work with Eurydice because of "from_fn" +#[cfg(not(simd256))] #[inline(always)] -pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> [XofState; K] { - let mut out = core::array::from_fn(|_| crate::digest::incremental::Shake128State::new()); +pub(crate) fn XOF_squeeze_three_blocks( + xof_state: &mut XofState, +) -> [[u8; 168 * 3]; K] { + let mut out = [[0; 168 * 3]; K]; for i in 0..K { - out[i].absorb_final(&input[i]); + out[i] = shake128_squeeze_nblocks(&mut xof_state.states[i]); } out } -// The following is an experiment to avoid "from_fn" and use "map" instead +#[cfg(not(simd256))] #[inline(always)] -pub(crate) fn XofStateAbsorb(input: [u8; 34]) -> XofState { - let mut out = crate::digest::incremental::Shake128State::new(); - out.absorb_final(&input); +pub(crate) fn XOF_squeeze_block(xof_state: &mut XofState) -> [[u8; 168]; K] { + let mut out: [[u8; 168]; K] = [[0; 168]; K]; + for i in 0..K { + out[i] = shake128_squeeze_nblocks(&mut xof_state.states[i]); + } out -} +} + +// The following API uses the repeated squeeze API +// The second version uses SIMD256 SHAKE 128 +#[cfg(simd256)] +type XofState = X4(crate::digest::Shake128StateX4); +#[cfg(simd256)] #[inline(always)] -pub(crate) fn XOF_absorb_map(input: [[u8; 34]; K]) -> [XofState; K] { - input.map(XofStateAbsorb) +pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { + let mut out : crate::digest::Shake128StateX4 = crate::digest::Shake128StateX4::new(); + match K { + 2 => {out.absorb_final(input[0],input[1],input[0],input[0]);out} + 3 => {out.absorb_final(input[0],input[1],input[2],input[0]);out} + 4 => {out.absorb_final(input[0],input[1],input[2],input[3]);out} + _ => {unreachable!()} + } } +#[cfg(simd256)] #[inline(always)] pub(crate) fn XOF_squeeze_three_blocks( - state: &mut [XofState; K], + state: &mut XofState, ) -> [[u8; 168 * 3]; K] { - let mut out = [[0; 168 * 3]; K]; - for i in 0..K { - out[i] = state[i].squeeze_nblocks(); + let mut output = [[0; 168 * 3]; K]; + let mut tmp = [[0; 168 * 3]; 2]; + match K { + 2 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut tmp[0],&mut tmp[1]); output} + 3 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut output[2],&mut tmp[1]); output} + 4 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut output[2],&mut output[3]); output} + _ => {unreachable!()} } - out } +#[cfg(simd256)] #[inline(always)] -pub(crate) fn XOF_squeeze_block(state: &mut [XofState; K]) -> [[u8; 168]; K] { +pub(crate) fn XOF_squeeze_block(state: &mut XofState) -> [[u8; 168]; K] { let mut out: [[u8; 168]; K] = [[0; 168]; K]; - for i in 0..K { - out[i] = state[i].squeeze_nblocks(); + let mut tmp = [[0; 168 * 3]; 2]; + match K { + 2 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut tmp[0],&mut tmp[1]); output} + 3 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut output[2],&mut tmp[0]); output} + 4 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut output[2],&mut output[3]); output} + _ => {unreachable!()} } - out -} \ No newline at end of file +} + diff --git a/sys/hacl/src/bindings.rs b/sys/hacl/src/bindings.rs index 3cfa48402..bba565ebc 100644 --- a/sys/hacl/src/bindings.rs +++ b/sys/hacl/src/bindings.rs @@ -348,6 +348,44 @@ extern "C" { outputByteLen: u32, ); } + +extern "C" { + pub fn Hacl_Hash_SHA3_Simd256_state_malloc() -> *mut Lib_IntVector_Intrinsics_vec256; +} +extern "C" { + pub fn Hacl_Hash_SHA3_Simd256_state_free(s: *mut Lib_IntVector_Intrinsics_vec256); +} +extern "C" { + pub fn Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( + state: *mut Lib_IntVector_Intrinsics_vec256, + input0: *mut u8, + input1: *mut u8, + input2: *mut u8, + input3: *mut u8, + inputByteLen: u32, + ); +} +extern "C" { + pub fn Hacl_Hash_SHA3_Simd256_shake128_absorb_final( + state: *mut Lib_IntVector_Intrinsics_vec256, + input0: *mut u8, + input1: *mut u8, + input2: *mut u8, + input3: *mut u8, + inputByteLen: u32, + ); +} +extern "C" { + pub fn Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks( + state: *mut Lib_IntVector_Intrinsics_vec256, + output0: *mut u8, + output1: *mut u8, + output2: *mut u8, + output3: *mut u8, + outputByteLen: u32, + ); +} + extern "C" { pub fn Hacl_Hash_SHA3_absorb_inner(rateInBytes: u32, block: *mut u8, s: *mut u64); } From 2a2bf36e9e5c54ed20e6b5ce877cdcfc5189889e Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Thu, 22 Feb 2024 17:37:06 +0100 Subject: [PATCH 06/28] made sha3 internal state abstract --- proofs/fstar/extraction/Libcrux.Digest.fsti | 1 + .../Libcrux.Kem.Kyber.Hash_functions.fst | 19 +++++-------------- src/kem/kyber/hash_functions.rs | 6 ++++-- 3 files changed, 10 insertions(+), 16 deletions(-) diff --git a/proofs/fstar/extraction/Libcrux.Digest.fsti b/proofs/fstar/extraction/Libcrux.Digest.fsti index 96326373f..ff6b336ff 100644 --- a/proofs/fstar/extraction/Libcrux.Digest.fsti +++ b/proofs/fstar/extraction/Libcrux.Digest.fsti @@ -14,6 +14,7 @@ val shake256 (v_LEN: usize) (data: t_Slice u8) type t_Shake128State + val shake128_absorb_final (st: t_Shake128State) (data: t_Slice u8) : Prims.Pure t_Shake128State Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst index e47090628..3929551a4 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst @@ -39,21 +39,12 @@ let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = in out_vec) in - let (states: t_Array Libcrux.Digest.t_Shake128State v_K):t_Array Libcrux.Digest.t_Shake128State - v_K = - Core.Result.impl__unwrap_or_else (Core.Convert.f_try_into out_vec + match Core.Convert.f_try_into out_vec with + | Core.Result.Result_Ok states -> { f_states = states } <: t_XofState v_K + | Core.Result.Result_Err _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" <: - Core.Result.t_Result (t_Array Libcrux.Digest.t_Shake128State v_K) - (Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global)) - (fun temp_0_ -> - let _:Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = temp_0_ in - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" - <: - Rust_primitives.Hax.t_Never) - <: - t_Array Libcrux.Digest.t_Shake128State v_K) - in - { f_states = states } <: t_XofState v_K + Rust_primitives.Hax.t_Never) let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = let (out: t_Array (t_Array u8 (sz 168)) v_K):t_Array (t_Array u8 (sz 168)) v_K = diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index 0c37d1c11..fe889bb1d 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -37,8 +37,10 @@ pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { shake128_absorb_final(&mut st,&input[i]); out_vec.push(st); } - let states:[Shake128State; K] = out_vec.try_into().unwrap_or_else(|_| panic!()); - XofState {states} + match out_vec.try_into() { + Ok(states) => XofState{states}, + Err(_) => panic!(), + } // The following does not work with Eurydice because of "from_fn" // let mut out : [Shake128State; K] = From eee97d8dd254486a8e53f6d091c4ab94e020a152 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 23 Feb 2024 08:59:58 +0100 Subject: [PATCH 07/28] Updated ml-kem C extraction (#208) * add a dockerfile for running extraction * remove a panic in C --- .docker/c/Dockerfile | 32 + .docker/c/install.sh | 75 + .docker/c/setup.sh | 23 + kyber-crate-tests/kyber.rs | 207 +- kyber-crate-tests/kyber_nistkats.rs | 20 +- kyber-crate.sh | 19 +- proofs/fstar/extraction-edited.patch | 2463 ++++++++--------- .../fstar/extraction-secret-independent.patch | 1603 ++++++----- proofs/fstar/extraction/Libcrux.Kem.Kyber.fst | 12 +- src/kem/kyber.rs | 10 +- src/kem/kyber/kyber768.rs | 7 +- 11 files changed, 2168 insertions(+), 2303 deletions(-) create mode 100644 .docker/c/Dockerfile create mode 100644 .docker/c/install.sh create mode 100644 .docker/c/setup.sh diff --git a/.docker/c/Dockerfile b/.docker/c/Dockerfile new file mode 100644 index 000000000..a8eddfbe2 --- /dev/null +++ b/.docker/c/Dockerfile @@ -0,0 +1,32 @@ +# This Dockerfile should be run from this directory +# `docker build . -t franziskus/libcrux-c` + +FROM ubuntu:24.04 +LABEL maintainer="Franziskus Kiefer " + +ENV SHELL /bin/bash +ENV USER user +ENV LOGNAME $USER +ENV HOME /home/$USER +ENV LANG en_US.UTF-8 +ENV LC_ALL $LANG +ENV PATH="$HOME/.cargo/bin:${PATH}" + +# Install dependencies. +ADD setup.sh /tmp/setup.sh +RUN bash /tmp/setup.sh + +WORKDIR $HOME +USER $USER +COPY --chown=$USER:$USER . $HOME/$USER + +# Setup & install. +ADD install.sh /tmp/install.sh +RUN bash /tmp/install.sh + +ENV FSTAR_HOME $HOME/fstar +ENV HACL_HOME $HOME/hacl-star +ENV KRML_HOME $HOME/karamel +ENV EURYDICE_HOME $HOME/eurydice +ENV CHARON_HOME $HOME/charon +ENV PATH "${PATH}:$HOME/fstar/bin:$HOME/z3/bin" diff --git a/.docker/c/install.sh b/.docker/c/install.sh new file mode 100644 index 000000000..acbd121d6 --- /dev/null +++ b/.docker/c/install.sh @@ -0,0 +1,75 @@ +#!/usr/bin/env bash + +set -v -e -x + +curl https://sh.rustup.rs -sSf | bash -s -- -y + +# Prepare the sources +opam init --bare --disable-sandboxing --shell-setup --yes +opam switch create 4.14.1 + +# Get F*, HACL*, Charon, Karamel, Eurydice for running proofs and extraction +curl -L https://github.com/FStarLang/FStar/releases/download/v2024.01.13/fstar_2024.01.13_Linux_x86_64.tar.gz \ + --output Fstar.tar.gz +tar --extract --file Fstar.tar.gz +rm -f Fstar.tar.gz + +curl -L https://github.com/FStarLang/binaries/raw/master/z3-tested/z3-4.8.5-x64-ubuntu-16.04.zip --output z3.zip +unzip z3.zip +rm -rf z3.zip +mv z3-4.8.5-x64-ubuntu-16.04/ z3 + +curl -L https://github.com/hacl-star/hacl-star/archive/443aed2deccfbee84f928fadc1f594f729c3aad4.zip \ + --output hacl-star.zip +unzip hacl-star.zip +rm -rf hacl-star.zip +mv hacl-star-443aed2deccfbee84f928fadc1f594f729c3aad4/ hacl-star + +curl -L https://github.com/AeneasVerif/charon/archive/89cecf5d1074fae7e8007be7f6cdf2f38e9782b1.zip \ + --output charon.zip +unzip charon.zip +rm -rf charon.zip +mv charon-89cecf5d1074fae7e8007be7f6cdf2f38e9782b1/ charon + +curl -L https://github.com/FStarLang/karamel/archive/08bfa78ae1df5639446e6c5897b07c9823fbf3b0.zip \ + --output karamel.zip +unzip karamel.zip +rm -rf karamel.zip +mv karamel-08bfa78ae1df5639446e6c5897b07c9823fbf3b0/ karamel + +curl -L https://github.com/AeneasVerif/eurydice/archive/7780d2b4c44c7811d02d7e05789b5611fd497480.zip \ + --output eurydice.zip +unzip eurydice.zip +rm -rf eurydice.zip +mv eurydice-7780d2b4c44c7811d02d7e05789b5611fd497480/ eurydice + +echo "export FSTAR_HOME=$HOME/fstar" >>$HOME/.profile +echo "export HACL_HOME=$HOME/hacl-star" >>$HOME/.profile +echo "export KRML_HOME=$HOME/karamel" >>$HOME/.profile +echo "export EURYDICE_HOME=$HOME/eurydice" >>$HOME/.profile +echo "export CHARON_HOME=$HOME/charon" >>$HOME/.profile +echo "export HAX_HOME=$HOME/hax" >>$HOME/.profile +echo "export PATH=\"${PATH}:$HOME/fstar/bin:$HOME/z3/bin\"" >>$HOME/.profile +echo "[[ ! -r /home/$USER/.opam/opam-init/init.sh ]] || source /home/$USER/.opam/opam-init/init.sh > /dev/null 2> /dev/null" >>$HOME/.profile + +source $HOME/.profile +opam install --yes ocamlfind visitors menhir ppx_deriving_yojson sedlex wasm fix process pprint zarith yaml easy_logging terminal +eval $(opam env) + +# Build everything +cd karamel +make -j +cd - + +cd charon +make -j +cd - + +cd eurydice/lib +rm -f charon +ln -s $CHARON_HOME/charon-ml charon +rm -f krml +ln -s $KRML_HOME/lib krml +cd ../ +make -j +cd ../ diff --git a/.docker/c/setup.sh b/.docker/c/setup.sh new file mode 100644 index 000000000..9c3a6d15d --- /dev/null +++ b/.docker/c/setup.sh @@ -0,0 +1,23 @@ +#!/usr/bin/env bash + +set -v -e -x + +export DEBIAN_FRONTEND=noninteractive + +apt-get -y update +apt-get install -y \ + nodejs \ + build-essential \ + opam \ + jq \ + libgmp-dev \ + locales \ + curl +curl -fsSL https://deb.nodesource.com/setup_21.x | bash - +apt-get update +apt-get install -y nodejs + +locale-gen $LANG +DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales +useradd -d $HOME -s $SHELL -m $USER +echo "$USER:$USER" | chpasswd && adduser $USER sudo diff --git a/kyber-crate-tests/kyber.rs b/kyber-crate-tests/kyber.rs index d13d140c5..d30e7b266 100644 --- a/kyber-crate-tests/kyber.rs +++ b/kyber-crate-tests/kyber.rs @@ -1,200 +1,19 @@ -use libcrux::{ - digest::shake256, - kem::{self, Algorithm, Ct, PrivateKey}, -}; - -use rand::{CryptoRng, Rng}; - +use libcrux_kyber::kyber768::*; use rand::rngs::OsRng; +use rand::RngCore; -const SHARED_SECRET_SIZE: usize = 32; - -macro_rules! impl_consistency { - ($name:ident, $alg:expr) => { - #[test] - fn $name() { - let mut rng = OsRng; - - if let Ok((secret_key, public_key)) = kem::key_gen($alg, &mut rng) { - if let Ok((shared_secret, ciphertext)) = kem::encapsulate(&public_key, &mut rng) { - let shared_secret_decapsulated = - kem::decapsulate(&ciphertext, &secret_key).unwrap(); - assert_eq!(shared_secret.encode(), shared_secret_decapsulated.encode()); - } - } - - // If the randomness was not enough for the rejection sampling step - // in key-generation and encapsulation, simply return without - // failing. - } - }; -} - -fn modify_ciphertext(alg: Algorithm, rng: &mut (impl CryptoRng + Rng), ciphertext: Ct) -> Ct { - let mut raw_ciphertext = ciphertext.encode(); - - let mut random_u32: usize = rng.next_u32().try_into().unwrap(); - - let mut random_byte: u8 = (random_u32 & 0xFF) as u8; - if random_byte == 0 { - random_byte += 1; - } - random_u32 >>= 8; - - let position = random_u32 % raw_ciphertext.len(); - raw_ciphertext[position] ^= random_byte; - - Ct::decode(alg, &raw_ciphertext).unwrap() -} - -macro_rules! impl_modified_ciphertext { - ($name:ident, $alg:expr) => { - #[test] - fn $name() { - let mut rng = OsRng; - - if let Ok((secret_key, public_key)) = kem::key_gen($alg, &mut rng) { - if let Ok((shared_secret, ciphertext)) = kem::encapsulate(&public_key, &mut rng) { - let ciphertext = modify_ciphertext($alg, &mut rng, ciphertext); - let shared_secret_decapsulated = - kem::decapsulate(&ciphertext, &secret_key).unwrap(); - - assert_ne!(shared_secret.encode(), shared_secret_decapsulated.encode()); - } - } - // if the randomness was not enough for the rejection sampling step - // in key-generation and encapsulation, simply return without - // failing. - } - }; -} - -fn modify_secret_key( - alg: Algorithm, - rng: &mut (impl CryptoRng + Rng), - secret_key: PrivateKey, - modify_implicit_rejection_value: bool, -) -> PrivateKey { - let mut raw_secret_key = secret_key.encode(); - - let mut random_u32: usize = rng.next_u32().try_into().unwrap(); - - let mut random_byte: u8 = (random_u32 & 0xFF) as u8; - if random_byte == 0 { - random_byte += 1; - } - random_u32 >>= 8; - - let position = if modify_implicit_rejection_value { - (raw_secret_key.len() - SHARED_SECRET_SIZE) + (random_u32 % SHARED_SECRET_SIZE) - } else { - random_u32 % (raw_secret_key.len() - SHARED_SECRET_SIZE) - }; +#[test] +fn consistency_768() { + let mut rng = OsRng; + let mut randomness = [0u8; 64]; + rng.fill_bytes(&mut randomness); - raw_secret_key[position] ^= random_byte; + let kp = generate_key_pair(randomness); + let mut randomness = [0u8; 32]; + rng.fill_bytes(&mut randomness); - PrivateKey::decode(alg, &raw_secret_key).unwrap() -} - -fn compute_implicit_rejection_shared_secret( - ciphertext: Ct, - secret_key: PrivateKey, -) -> [u8; SHARED_SECRET_SIZE] { - let raw_secret_key = secret_key.encode(); - - let mut to_hash = raw_secret_key[raw_secret_key.len() - SHARED_SECRET_SIZE..].to_vec(); - to_hash.extend_from_slice(&ciphertext.encode()); - - shake256(&to_hash) -} - -macro_rules! impl_modified_secret_key { - ($name:ident, $alg:expr) => { - #[test] - fn $name() { - let mut rng = OsRng; - - if let Ok((secret_key, public_key)) = kem::key_gen($alg, &mut rng) { - if let Ok((shared_secret, ciphertext)) = kem::encapsulate(&public_key, &mut rng) { - let secret_key = modify_secret_key($alg, &mut rng, secret_key, false); - let shared_secret_decapsulated = - kem::decapsulate(&ciphertext, &secret_key).unwrap(); - assert_ne!(shared_secret.encode(), shared_secret_decapsulated.encode()); - - let secret_key = modify_secret_key($alg, &mut rng, secret_key, true); - let shared_secret_decapsulated = - kem::decapsulate(&ciphertext, &secret_key).unwrap(); - - assert_eq!( - shared_secret_decapsulated.encode(), - compute_implicit_rejection_shared_secret(ciphertext, secret_key) - ); - } - } - - // if the randomness was not enough for the rejection sampling step - // in key-generation and encapsulation, simply return without - // failing. - } - }; -} - -macro_rules! impl_modified_ciphertext_and_implicit_rejection_value { - ($name:ident, $alg:expr) => { - #[test] - fn $name() { - let mut rng = OsRng; - - if let Ok((secret_key, public_key)) = kem::key_gen($alg, &mut rng) { - if let Ok((_, ciphertext)) = kem::encapsulate(&public_key, &mut rng) { - let ciphertext = modify_ciphertext($alg, &mut rng, ciphertext); - let shared_secret_decapsulated = - kem::decapsulate(&ciphertext, &secret_key).unwrap(); - - let secret_key = modify_secret_key($alg, &mut rng, secret_key, true); - let shared_secret_decapsulated_1 = - kem::decapsulate(&ciphertext, &secret_key).unwrap(); - - assert_ne!( - shared_secret_decapsulated.encode(), - shared_secret_decapsulated_1.encode() - ); + let ct = encapsulate(kp.public_key(), randomness); + let shared_secret_decapsulated = decapsulate(kp.private_key(), &ct.0); - assert_eq!( - shared_secret_decapsulated_1.encode(), - compute_implicit_rejection_shared_secret(ciphertext, secret_key) - ); - } - } - - // if the randomness was not enough for the rejection sampling step - // in key-generation and encapsulation, simply return without - // failing. - } - }; + assert_eq!(shared_secret_decapsulated, ct.1); } - -impl_consistency!(consistency_512, Algorithm::Kyber512); -impl_consistency!(consistency_768, Algorithm::Kyber768); -impl_consistency!(consistency_1024, Algorithm::Kyber1024); - -impl_modified_ciphertext!(modified_ciphertext_512, Algorithm::Kyber512); -impl_modified_ciphertext!(modified_ciphertext_768, Algorithm::Kyber768); -impl_modified_ciphertext!(modified_ciphertext_1024, Algorithm::Kyber1024); - -impl_modified_secret_key!(modified_secret_key_512, Algorithm::Kyber512); -impl_modified_secret_key!(modified_secret_key_768, Algorithm::Kyber768); -impl_modified_secret_key!(modified_secret_key_1024, Algorithm::Kyber1024); - -impl_modified_ciphertext_and_implicit_rejection_value!( - modified_ciphertext_and_implicit_rejection_value_512, - Algorithm::Kyber512 -); -impl_modified_ciphertext_and_implicit_rejection_value!( - modified_ciphertext_and_implicit_rejection_value_768, - Algorithm::Kyber768 -); -impl_modified_ciphertext_and_implicit_rejection_value!( - modified_ciphertext_and_implicit_rejection_value_1024, - Algorithm::Kyber1024 -); diff --git a/kyber-crate-tests/kyber_nistkats.rs b/kyber-crate-tests/kyber_nistkats.rs index b1185d5c5..a4578b35b 100644 --- a/kyber-crate-tests/kyber_nistkats.rs +++ b/kyber-crate-tests/kyber_nistkats.rs @@ -71,24 +71,10 @@ macro_rules! impl_nist_known_answer_tests { }; } -// impl_nist_known_answer_tests!( -// kyber512_nist_known_answer_tests, -// 512, -// kyber512_generate_keypair_derand, -// kyber512_encapsulate_derand, -// kyber512_decapsulate_derand -// ); impl_nist_known_answer_tests!( kyber768_nist_known_answer_tests, 768, - generate_key_pair_768, - encapsulate_768, - decapsulate_768 + generate_key_pair, + encapsulate, + decapsulate ); -// impl_nist_known_answer_tests!( -// kyber1024_nist_known_answer_tests, -// 1024, -// kyber1024_generate_keypair_derand, -// kyber1024_encapsulate_derand, -// kyber1024_decapsulate_derand -// ); diff --git a/kyber-crate.sh b/kyber-crate.sh index 98017dfc4..d4684b8c5 100755 --- a/kyber-crate.sh +++ b/kyber-crate.sh @@ -75,10 +75,6 @@ if [[ -z "$EURYDICE_HOME" ]]; then echo "Please set EURYDICE_HOME to the Eurydice directory" 1>&2 exit 1 fi -if [[ -z "$HACL_PACKAGES_HOME" ]]; then - echo "Please set HACL_PACKAGES_HOME to the hacl-packages directory" 1>&2 - exit 1 -fi echo "Running charon ..." $CHARON_HOME/bin/charon --errors-as-warnings @@ -86,10 +82,13 @@ mkdir -p c cd c echo "Running eurydice ..." -$EURYDICE_HOME/eurydice --log * --config ../../kyber-c.yaml ../libcrux_kyber.llbc -clang-format --style=Mozilla -i libcrux_kyber.c libcrux_kyber.h - +$EURYDICE_HOME/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc cp $EURYDICE_HOME/include/eurydice_glue.h . -cp internal/*.h $HACL_PACKAGES_HOME/libcrux/include/internal/ -cp *.h $HACL_PACKAGES_HOME/libcrux/include -cp *.c $HACL_PACKAGES_HOME/libcrux/src + +if [[ -n "$HACL_PACKAGES_HOME" ]]; then + clang-format --style=Mozilla -i libcrux_kyber.c libcrux_kyber.h + cp internal/*.h $HACL_PACKAGES_HOME/libcrux/include/internal/ + cp *.h $HACL_PACKAGES_HOME/libcrux/include + cp *.c $HACL_PACKAGES_HOME/libcrux/src +fi +echo "Please set HACL_PACKAGES_HOME to the hacl-packages directory to copy the code over" 1>&2 diff --git a/proofs/fstar/extraction-edited.patch b/proofs/fstar/extraction-edited.patch index b828a0d7d..364f5582c 100644 --- a/proofs/fstar/extraction-edited.patch +++ b/proofs/fstar/extraction-edited.patch @@ -1,6 +1,6 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst ---- extraction/BitVecEq.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/BitVecEq.fst 2024-02-20 10:46:13.853093120 +0100 +--- extraction/BitVecEq.fst 1970-01-01 01:00:00 ++++ extraction-edited/BitVecEq.fst 2024-02-22 11:01:52 @@ -0,0 +1,12 @@ +module BitVecEq + @@ -15,8 +15,8 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst + + diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti ---- extraction/BitVecEq.fsti 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/BitVecEq.fsti 2024-02-20 10:46:13.894092295 +0100 +--- extraction/BitVecEq.fsti 1970-01-01 01:00:00 ++++ extraction-edited/BitVecEq.fsti 2024-02-22 11:01:52 @@ -0,0 +1,294 @@ +module BitVecEq +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -313,8 +313,8 @@ diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti + = admit () +*) diff -ruN extraction/Libcrux.Digest.fst extraction-edited/Libcrux.Digest.fst ---- extraction/Libcrux.Digest.fst 2024-02-20 10:46:13.825093683 +0100 -+++ extraction-edited/Libcrux.Digest.fst 1970-01-01 01:00:00.000000000 +0100 +--- extraction/Libcrux.Digest.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Digest.fst 1970-01-01 01:00:00 @@ -1,48 +0,0 @@ -module Libcrux.Digest -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -365,8 +365,8 @@ diff -ruN extraction/Libcrux.Digest.fst extraction-edited/Libcrux.Digest.fst - then shake128x4_256_ v_LEN data0 data1 data2 data3 - else shake128x4_portable v_LEN data0 data1 data2 data3 diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti ---- extraction/Libcrux.Digest.fsti 2024-02-20 10:46:13.815093884 +0100 -+++ extraction-edited/Libcrux.Digest.fsti 2024-02-20 10:46:13.890092375 +0100 +--- extraction/Libcrux.Digest.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Digest.fsti 2024-02-22 11:01:52 @@ -3,6 +3,11 @@ open Core open FStar.Mul @@ -379,31 +379,21 @@ diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti val sha3_256_ (payload: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -@@ -19,11 +24,6 @@ - : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) - Prims.l_True - (fun _ -> Prims.l_True) -- --val shake128x4_256_ (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) +@@ -16,11 +21,6 @@ + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) + + val shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) - Prims.l_True - (fun _ -> Prims.l_True) - - val shake128x4 (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) +- +-val shake128x4_256_ (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) -diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst ---- extraction/Libcrux.Kem.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.fst 2024-02-20 10:46:13.879092596 +0100 -@@ -0,0 +1,6 @@ -+module Libcrux.Kem -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+open Core -+open FStar.Mul -+ -+ + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-20 10:46:13.828093623 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-20 10:46:13.874092697 +0100 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-22 11:01:52 @@ -1,81 +1,364 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -649,18 +639,18 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + }; + res +#pop-options -+ -+let montgomery_multiply_sfe_by_fer fe fer = -+ montgomery_reduce (mul_i32_b fe fer) -let montgomery_multiply_fe_by_fer (fe fer: i32) = montgomery_reduce (fe *! fer <: i32) ++let montgomery_multiply_sfe_by_fer fe fer = ++ montgomery_reduce (mul_i32_b fe fer) -let to_standard_domain (mfe: i32) = - montgomery_reduce (mfe *! v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32) -+let to_standard_domain mfe = -+ montgomery_reduce (mul_i32_b mfe (v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32_b 1353)) -let to_unsigned_representative (fe: i32) = ++let to_standard_domain mfe = ++ montgomery_reduce (mul_i32_b mfe (v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32_b 1353)) ++ +let to_unsigned_representative fe = let _:Prims.unit = () <: Prims.unit in - cast (fe +! (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS &. (fe >>! 31l <: i32) <: i32) <: i32) @@ -680,7 +670,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + assert (v fe < 0 ==> v res == v fe + 3329); + assert (v fe >= 0 ==> v res == v fe); + res <: int_t_d u16_inttype 12 -+ + +-let add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) = +let derefine_poly_b #b x = + let r = createi (sz 256) (fun i -> (x.f_coefficients.[i] <: i32)) in + {f_coefficients = r} @@ -692,8 +683,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. +let derefine_matrix_b #v_K #b x = + let r = createi v_K (fun i -> derefine_vector_b #v_K #b x.[i]) in + r - --let add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) = ++ +let cast_poly_b #b1 #b2 x = + let r = createi (sz 256) (fun i -> (x.f_coefficients.[i] <: i32_b b2)) in + let res = {f_coefficients = r} in @@ -809,8 +799,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + + diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-20 10:46:13.805094086 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-20 10:46:13.856093059 +0100 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-22 11:01:52 @@ -3,10 +3,32 @@ open Core open FStar.Mul @@ -860,7 +850,10 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux -let v_MONTGOMERY_R: i32 = 1l <= 0 /\ v x < 3329 /\ (v x * v v_MONTGOMERY_R) % 3329 == 1 /\ x = 169l} + +let int_to_spec_fe (m:int) : Spec.Kyber.field_element = @@ -869,10 +862,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux + if m_v < 0 then + m_v + v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS + else m_v - --val get_n_least_significant_bits (n: u8) (value: u32) -- : Prims.Pure u32 -- (requires n =. 4uy || n =. 5uy || n =. 10uy || n =. 11uy || n =. v_MONTGOMERY_SHIFT) ++ +let wf_fe_to_spec_fe (m: wfFieldElement): Spec.Kyber.field_element = + if v m < 0 + then v m + v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS @@ -945,27 +935,24 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux - <: - i32) && - result <=. ((3l *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) /! 2l <: i32)) -- ++ montgomery_post value result) + -val montgomery_multiply_fe_by_fer (fe fer: i32) - : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -- + -val to_standard_domain (mfe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -- --val to_unsigned_representative (fe: i32) -- : Prims.Pure u16 -- (requires -- fe >=. (Core.Ops.Arith.Neg.neg Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) && -- fe <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS) -+ montgomery_post value result) -+ -+ +val montgomery_multiply_sfe_by_fer #b1 #b2 (fe:i32_b b1) (fer: i32_b b2) + : Pure (i32_b (nat_div_ceil (b1 * b2) (v v_MONTGOMERY_R) + 1665)) + (requires (b1 * b2 < pow2_31)) + (ensures (fun result -> + montgomery_post (mul_i32_b fe fer) (result))) + -+ + +-val to_unsigned_representative (fe: i32) +- : Prims.Pure u16 +- (requires +- fe >=. (Core.Ops.Arith.Neg.neg Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) && +- fe <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS) +val to_standard_domain #b (mfe: i32_b b) + : Pure (i32_b (nat_div_ceil (b * 1353) (v v_MONTGOMERY_R) + 1665)) + (requires (b * 1353 < pow2_31)) @@ -985,9 +972,57 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux -type t_PolynomialRingElement = { f_coefficients:t_Array i32 (sz 256) } +type t_PolynomialRingElement = { f_coefficients:t_Array (t_FieldElement) (sz 256) } -+ + +-let impl__PolynomialRingElement__ZERO: t_PolynomialRingElement = +- { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 256) } <: t_PolynomialRingElement +type t_PolynomialRingElement_b b = { f_coefficients:t_Array (i32_b b) (sz 256) } -+ + +-val add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) +- : Prims.Pure t_PolynomialRingElement +- (requires +- Hax_lib.v_forall (fun i -> +- let i:usize = i in +- Hax_lib.implies (i <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT +- <: +- bool) +- (fun temp_0_ -> +- let _:Prims.unit = temp_0_ in +- ((Core.Num.impl__i32__abs (lhs.f_coefficients.[ i ] <: i32) <: i32) <=. +- (((cast (v_K <: usize) <: i32) -! 1l <: i32) *! +- Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +- <: +- i32) +- <: +- bool) && +- ((Core.Num.impl__i32__abs (rhs.f_coefficients.[ i ] <: i32) <: i32) <=. +- Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +- <: +- bool)) +- <: +- bool)) +- (ensures +- fun result -> +- let result:t_PolynomialRingElement = result in +- Hax_lib.v_forall (fun i -> +- let i:usize = i in +- Hax_lib.implies (i <. +- (Core.Slice.impl__len (Rust_primitives.unsize result.f_coefficients +- <: +- t_Slice i32) +- <: +- usize) +- <: +- bool) +- (fun temp_0_ -> +- let _:Prims.unit = temp_0_ in +- (Core.Num.impl__i32__abs (result.f_coefficients.[ i ] <: i32) <: i32) <=. +- ((cast (v_K <: usize) <: i32) *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +- <: +- i32) +- <: +- bool) +- <: +- bool)) +type wfPolynomialRingElement = t_PolynomialRingElement_b (v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS - 1) + +val derefine_poly_b (#b1:nat) (x:t_PolynomialRingElement_b b1): @@ -1110,59 +1145,11 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux + (forall i. v result.f_coefficients.[i] == v lhs.f_coefficients.[i] + v rhs.f_coefficients.[i])) + + - --let impl__PolynomialRingElement__ZERO: t_PolynomialRingElement = -- { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 256) } <: t_PolynomialRingElement - --val add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) -- : Prims.Pure t_PolynomialRingElement -- (requires -- Hax_lib.v_forall (fun i -> -- let i:usize = i in -- Hax_lib.implies (i <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT -- <: -- bool) -- (fun temp_0_ -> -- let _:Prims.unit = temp_0_ in -- ((Core.Num.impl__i32__abs (lhs.f_coefficients.[ i ] <: i32) <: i32) <=. -- (((cast (v_K <: usize) <: i32) -! 1l <: i32) *! -- Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS -- <: -- i32) -- <: -- bool) && -- ((Core.Num.impl__i32__abs (rhs.f_coefficients.[ i ] <: i32) <: i32) <=. -- Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS -- <: -- bool)) -- <: -- bool)) -- (ensures -- fun result -> -- let result:t_PolynomialRingElement = result in -- Hax_lib.v_forall (fun i -> -- let i:usize = i in -- Hax_lib.implies (i <. -- (Core.Slice.impl__len (Rust_primitives.unsize result.f_coefficients -- <: -- t_Slice i32) -- <: -- usize) -- <: -- bool) -- (fun temp_0_ -> -- let _:Prims.unit = temp_0_ in -- (Core.Num.impl__i32__abs (result.f_coefficients.[ i ] <: i32) <: i32) <=. -- ((cast (v_K <: usize) <: i32) *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS -- <: -- i32) -- <: -- bool) -- <: -- bool)) ++ ++ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Kem.Kyber.Compress.fst ---- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-02-20 10:46:13.810093985 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-20 10:46:13.847093240 +0100 +--- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-22 11:01:52 @@ -1,39 +1,79 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1217,10 +1204,11 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Ke + assert (v fe > 2496 ==> r1 = 0s); + assert (v res = v r1); + res -+ + +-let decompress_ciphertext_coefficient (coefficient_bits: u8) (fe: i32) = +let compress_ciphertext_coefficient coefficient_bits fe = -+ let _:Prims.unit = () <: Prims.unit in -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + let compressed:u32 = (cast (fe <: u16) <: u32) < v result >= 0 /\ v result < 3329) diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-20 10:46:13.829093603 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-20 10:46:13.860092979 +0100 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-22 11:01:52 @@ -4,56 +4,163 @@ open FStar.Mul @@ -1520,8 +1507,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + ) +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-20 10:46:13.827093643 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-20 10:46:13.876092657 +0100 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-22 11:01:52 @@ -20,7 +20,8 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1552,738 +1539,358 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/ - result =. rhs <: bool)) + Hax_lib.implies (selector =. 0uy <: bool) (fun _ -> result =. lhs <: bool) && + Hax_lib.implies (selector <>. 0uy <: bool) (fun _ -> result =. rhs <: bool)) -diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.fst ---- extraction/Libcrux.Kem.Kyber.fst 2024-02-20 10:46:13.795094287 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-20 10:46:13.851093160 +0100 -@@ -1,12 +1,29 @@ - module Libcrux.Kem.Kyber --#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-22 11:01:52 +@@ -3,13 +3,23 @@ open Core open FStar.Mul --let serialize_kem_secret_key -+let update_at_range_lemma #n -+ (s: t_Slice 't) -+ (i: Core.Ops.Range.t_Range (int_t n) {(Core.Ops.Range.impl_index_range_slice 't n).in_range s i}) -+ (x: t_Slice 't) -+ : Lemma -+ (requires (Seq.length x == v i.f_end - v i.f_start)) -+ (ensures ( -+ let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in -+ let len = v i.f_start in -+ forall (i: nat). i < len ==> Seq.index s i == Seq.index s' i -+ )) -+ [SMTPat (Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x)] -+ = let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in -+ let len = v i.f_start in -+ introduce forall (i:nat {i < len}). Seq.index s i == Seq.index s' i -+ with (assert ( Seq.index (Seq.slice s 0 len) i == Seq.index s i -+ /\ Seq.index (Seq.slice s' 0 len) i == Seq.index s' i )) -+ -+let serialize_kem_secret_key #p - (v_SERIALIZED_KEY_LEN: usize) -- (private_key public_key implicit_rejection_value: t_Slice u8) -- = -+ (private_key public_key implicit_rejection_value: t_Slice u8) = - let out:t_Array u8 v_SERIALIZED_KEY_LEN = Rust_primitives.Hax.repeat 0uy v_SERIALIZED_KEY_LEN in - let pointer:usize = sz 0 in - let out:t_Array u8 v_SERIALIZED_KEY_LEN = -@@ -55,6 +72,8 @@ - t_Slice u8) +-let v_G (input: t_Slice u8) = Libcrux.Digest.sha3_512_ input ++let v_G (input: t_Slice u8) = ++ let res = Libcrux.Digest.sha3_512_ input in ++ admit(); // We assume that sha3_512 correctly implements G ++ res + +-let v_H (input: t_Slice u8) = Libcrux.Digest.sha3_256_ input ++let v_H (input: t_Slice u8) = ++ let res = Libcrux.Digest.sha3_256_ input in ++ admit(); // We assume that sha3_512 correctly implements H ++ res + +-let v_PRF (v_LEN: usize) (input: t_Slice u8) = Libcrux.Digest.shake256 v_LEN input ++let v_PRF (v_LEN: usize) (input: t_Slice u8) = ++ let res = Libcrux.Digest.shake256 v_LEN input in ++ admit(); // We assume that sha3_512 correctly implements H ++ res + +-let v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = ++let v_XOFx4 v_K (input: t_Array (t_Array u8 (sz 34)) v_K) = ++ assert (v v_K >= 2); + let out:t_Array (t_Array u8 (sz 840)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 840) <: t_Array u8 (sz 840)) v_K in - let pointer:usize = pointer +! (Core.Slice.impl__len public_key <: usize) in -+ let h_public_key = (Rust_primitives.unsize (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) -+ <: t_Slice u8) in - let out:t_Array u8 v_SERIALIZED_KEY_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ -@@ -70,16 +89,7 @@ - pointer +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE <: usize - } - <: -- Core.Ops.Range.t_Range usize ] -- <: -- t_Slice u8) -- (Rust_primitives.unsize (Libcrux.Kem.Kyber.Hash_functions.v_H public_key -- <: -- t_Array u8 (sz 32)) -- <: -- t_Slice u8) -- <: -- t_Slice u8) -+ Core.Ops.Range.t_Range usize ]) h_public_key) +@@ -56,6 +66,7 @@ + in + out + | 3uy -> ++ assert (v (cast v_K <: u8) = 3); + let d0, d1, d2, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux.Digest.shake128x4 (sz 840) +@@ -75,6 +86,7 @@ + in + out + | 4uy -> ++ assert (v (cast v_K <: u8) = 4); + let d0, d1, d2, d3:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux.Digest.shake128x4 (sz 840) +@@ -100,4 +112,5 @@ + in + out in - let pointer:usize = pointer +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE in - let out:t_Array u8 v_SERIALIZED_KEY_LEN = -@@ -106,14 +116,32 @@ - <: - t_Slice u8) +- out ++ admit(); // We assume that shake128x4 correctly implements XOFx4 ++ out +diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-22 11:01:52 +@@ -3,12 +3,17 @@ + open Core + open FStar.Mul + +-val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) ++val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True ++ (ensures (fun res -> res == Spec.Kyber.v_G input)) + +-val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) ++val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True ++ (ensures (fun res -> res == Spec.Kyber.v_H input)) + + val v_PRF (v_LEN: usize) (input: t_Slice u8) +- : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) +- +-val v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +- : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (t_Array u8 v_LEN) Prims.l_True ++ (ensures (fun res -> res == Spec.Kyber.v_PRF v_LEN input)) ++ ++val v_XOFx4 (v_K: usize{v v_K >= 2 /\ v v_K <= 4}) (input: t_Array (t_Array u8 (sz 34)) v_K) ++ : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True ++ (ensures (fun res -> ++ (forall i. i < v v_K ==> Seq.index res i == Spec.Kyber.v_XOF (sz 840) (Seq.index input i)))) +diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-22 11:01:52 +@@ -1,5 +1,5 @@ + module Libcrux.Kem.Kyber.Ind_cpa +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" ++#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" + open Core + open FStar.Mul + +@@ -37,33 +37,37 @@ in -+ assert (Seq.slice out 0 (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p)) `Seq.equal` private_key); -+ assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p)) -+ (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p)) `Seq.equal` public_key); -+ assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! -+ Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p)) -+ (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! -+ Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! -+ Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)) -+ `Seq.equal` Libcrux.Kem.Kyber.Hash_functions.v_H public_key); -+ assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! -+ Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! -+ Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)) -+ (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! -+ Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! -+ Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE +! -+ Spec.Kyber.v_SHARED_SECRET_SIZE)) -+ == implicit_rejection_value); -+ lemma_slice_append_4 out private_key public_key (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) implicit_rejection_value; out --let decapsulate -+let decapsulate #p - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) -- (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) +-let sample_ring_element_cbd ++unfold let acc_t (v_K v_ETA:usize) = (u8 & t_Array u8 (sz 33) & t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA) - 1)) v_K) ++unfold let inv_t v_K v_ETA = acc_t v_K v_ETA -> usize -> Type ++ ++let wfZero: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = ++ (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) ++ ++let etaZero (v_ETA:usize{v v_ETA >= 1 /\ v v_ETA < pow2 31}): Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_ETA) = ++ (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #(v v_ETA) Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) ++ ++let sample_vector_cbd (#p:Spec.Kyber.params) + (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) +- (prf_input: t_Array u8 (sz 33)) +- (domain_separator: u8) - = -+ (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = -+ let orig_secret_key = secret_key.f_value in - let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = - Libcrux.Kem.Kyber.Types.impl_12__split_at v_SECRET_KEY_SIZE secret_key v_CPA_SECRET_KEY_SIZE - in -@@ -123,8 +151,12 @@ - let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at secret_key Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE - in -+ assert (ind_cpa_secret_key == slice orig_secret_key (sz 0) v_CPA_SECRET_KEY_SIZE); -+ assert (ind_cpa_public_key == slice orig_secret_key v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE)); -+ assert (ind_cpa_public_key_hash == slice orig_secret_key (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)); -+ assert (implicit_rejection_value == slice orig_secret_key (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE) (length orig_secret_key)); - let decrypted:t_Array u8 (sz 32) = -- Libcrux.Kem.Kyber.Ind_cpa.decrypt v_K -+ Libcrux.Kem.Kyber.Ind_cpa.decrypt #p v_K - v_CIPHERTEXT_SIZE - v_C1_SIZE - v_VECTOR_U_COMPRESSION_FACTOR -@@ -152,6 +184,9 @@ - <: - t_Slice u8) - in -+ lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; -+ assert (decrypted == Spec.Kyber.ind_cpa_decrypt p ind_cpa_secret_key ciphertext.f_value); -+ assert (to_hash == concat decrypted ind_cpa_public_key_hash); - let hashed:t_Array u8 (sz 64) = - Libcrux.Kem.Kyber.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) - in -@@ -159,6 +194,10 @@ - Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) - Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE - in -+ assert ((shared_secret,pseudorandomness) == split hashed Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE); -+ assert (length implicit_rejection_value = v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE); -+ assert (length implicit_rejection_value = Spec.Kyber.v_SHARED_SECRET_SIZE); -+ assert (Spec.Kyber.v_SHARED_SECRET_SIZE <=. Spec.Kyber.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE p); - let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = - Libcrux.Kem.Kyber.Ind_cpa.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE -@@ -180,11 +219,14 @@ - <: - t_Slice u8) - in -+ lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value; - let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Libcrux.Kem.Kyber.Hash_functions.v_PRF (sz 32) (Rust_primitives.unsize to_hash <: t_Slice u8) +- let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K ++ (prf_input: t_Array u8 (sz 33)) domain_separator = ++ let error_1_:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) v_K = ++ Rust_primitives.Hax.repeat (etaZero (sz (pow2 (v v_ETA2) - 1))) v_K in -+ assert (implicit_rejection_shared_secret == Spec.Kyber.v_J to_hash); -+ assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE); - let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = -- Libcrux.Kem.Kyber.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE -+ Libcrux.Kem.Kyber.Ind_cpa.encrypt #p v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE ind_cpa_public_key decrypted - pseudorandomness -@@ -194,16 +236,18 @@ - (Core.Convert.f_as_ref ciphertext <: t_Slice u8) - (Rust_primitives.unsize expected_ciphertext <: t_Slice u8) +- let domain_separator, error_1_, prf_input:(u8 & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array u8 (sz 33)) = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ ++ let orig_domain_separator = domain_separator in ++ [@ inline_let] ++ let inv : inv_t v_K v_ETA2 = fun (acc:acc_t v_K v_ETA2) (i:usize) -> ++ let (domain_separator,prf_input,error_1_) = acc in ++ if (i >=. sz 0 && i <=. v_K) ++ then ++ domain_separator = orig_domain_separator +! (mk_int #u8_inttype (v i)) ++ else true in ++ let (domain_separator, prf_input, error_1_):acc_t v_K (v_ETA2) = ++ Rust_primitives.Iterators.foldi_range #_ #(acc_t v_K (v_ETA2)) #inv { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) +- (domain_separator, error_1_, prf_input +- <: +- (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array u8 (sz 33)) +- ) ++ (domain_separator, prf_input, error_1_) + (fun temp_0_ i -> +- let domain_separator, error_1_, prf_input:(u8 & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array u8 (sz 33)) = ++ let domain_separator, prf_input, error_1_:acc_t v_K (v_ETA2) = + temp_0_ + in + let i:usize = i in +@@ -77,49 +81,46 @@ + Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE + (Rust_primitives.unsize prf_input <: t_Slice u8) + in +- let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ let error_1_:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_ + i +- (Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2 ++ (Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution #p v_ETA2 + (Rust_primitives.unsize prf_output <: t_Slice u8) + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) + in +- domain_separator, error_1_, prf_input +- <: +- (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array u8 (sz 33))) ++ domain_separator, prf_input, error_1_) in -+ let res = - Libcrux.Kem.Kyber.Constant_time_ops.select_shared_secret_in_constant_time shared_secret - (Rust_primitives.unsize implicit_rejection_shared_secret <: t_Slice u8) - selector -+ in -+ res +- let hax_temp_output:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = error_1_ in ++ let hax_temp_output:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) v_K = error_1_ in ++ admit(); //P-F + prf_input, domain_separator, hax_temp_output + <: +- (t_Array u8 (sz 33) & u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) ++ (t_Array u8 (sz 33) & u8 & t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_ETA2)) v_K) --let encapsulate -+let encapsulate #p - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -- (randomness: t_Array u8 (sz 32)) +-let sample_vector_cbd_then_ntt ++#push-options "--split_queries no --z3rlimit 300" ++let sample_vector_cbd_then_ntt (#p:Spec.Kyber.params) + (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) +- (prf_input: t_Array u8 (sz 33)) +- (domain_separator: u8) - = -+ (randomness: t_Array u8 (sz 32)) = - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux.Kem.Kyber.Ind_cpa.into_padded_array (sz 64) - (Rust_primitives.unsize randomness <: t_Slice u8) -@@ -234,6 +278,10 @@ - <: - t_Slice u8) - in -+ assert (Seq.slice to_hash 0 (v Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE) == randomness); -+ lemma_slice_append to_hash randomness (Spec.Kyber.v_H public_key.f_value); -+ assert (to_hash == concat randomness (Spec.Kyber.v_H public_key.f_value)); -+ - let hashed:t_Array u8 (sz 64) = - Libcrux.Kem.Kyber.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) - in -@@ -242,7 +290,7 @@ - Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +- let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K ++ (prf_input: t_Array u8 (sz 33)) domain_separator = ++ let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat (wfZero) v_K in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = -- Libcrux.Kem.Kyber.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE -+ Libcrux.Kem.Kyber.Ind_cpa.encrypt #p v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE - (Rust_primitives.unsize (Libcrux.Kem.Kyber.Types.impl_18__as_slice v_PUBLIC_KEY_SIZE -@@ -252,32 +300,26 @@ - <: - t_Slice u8) randomness pseudorandomness +- let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ ++ let orig_domain_separator = domain_separator in ++ [@ inline_let] ++ let inv: (u8 & t_Array u8 (sz 33) & t_Array (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) v_K) -> usize -> Type = fun acc i -> ++ let (domain_separator,prf_input,re_as_ntt) = acc in ++ if (i >=. sz 0 && i <=. v_K) ++ then ++ domain_separator = orig_domain_separator +! (mk_int #u8_inttype (v i)) ++ else true in ++ let (domain_separator, prf_input, re_as_ntt):(u8 & t_Array u8 (sz 33) & t_Array (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) v_K)= ++ Rust_primitives.Iterators.foldi_range #_ #_ #inv { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) +- (domain_separator, prf_input, re_as_ntt +- <: +- (u8 & t_Array u8 (sz 33) & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- ) ++ (domain_separator, prf_input, re_as_ntt) + (fun temp_0_ i -> + let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = ++ t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) = + temp_0_ + in + let i:usize = i in +@@ -133,64 +134,74 @@ + Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA_RANDOMNESS_SIZE + (Rust_primitives.unsize prf_input <: t_Slice u8) + in +- let r:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA ++ let r:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA) - 1) = ++ Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution #p v_ETA + (Rust_primitives.unsize prf_output <: t_Slice u8) + in +- let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ let r:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7 = ++ Libcrux.Kem.Kyber.Arithmetic.cast_poly_b r in ++ let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_as_ntt + i + (Libcrux.Kem.Kyber.Ntt.ntt_binomially_sampled_ring_element r + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + in + domain_separator, prf_input, re_as_ntt + <: + (u8 & t_Array u8 (sz 33) & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) ++ t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K)) in -- let shared_secret:t_Array u8 (sz 32) = -- match Core.Convert.f_try_into shared_secret with -- | Core.Result.Result_Ok shared_secret -> shared_secret -- | Core.Result.Result_Err _ -> -- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" -- <: -- Rust_primitives.Hax.t_Never) -- in -- Core.Convert.f_into ciphertext, shared_secret -+ Core.Convert.f_into ciphertext, -+ Core.Result.impl__unwrap (Core.Convert.f_try_into shared_secret -+ <: -+ Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) ++ admit(); //P-F + re_as_ntt, domain_separator <: - (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & u8) ++ (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K & u8) --let validate_public_key -+#push-options "--z3rlimit 100" -+let validate_public_key #p - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = -- let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -- Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key v_K -+ let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = -+ Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key #p v_K - (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } - <: -- Core.Ops.Range.t_RangeTo usize ] +-let compress_then_serialize_u +- (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) +- (input: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- = ++ ++let compress_then_serialize_u #p v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN input = + let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in ++ let orig_out = out in ++ let acc_t = t_Array u8 v_OUT_LEN in ++ [@ inline_let] ++ let inv = fun (acc:acc_t) (i:usize) -> True in + let out:t_Array u8 v_OUT_LEN = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Iter.Traits.Collect.f_into_iter input +- <: +- Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) - <: -- t_Slice u8) -+ Core.Ops.Range.t_RangeTo usize ]) - in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = -- Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key v_K -+ Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key #p v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - pk -@@ -288,12 +330,12 @@ - t_Slice u8) +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) ++ Rust_primitives.Iterators.foldi_slice #Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement #acc_t #inv ++ input + out + (fun out temp_1_ -> + let out:t_Array u8 v_OUT_LEN = out in +- let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = temp_1_ in ++ let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) = temp_1_ in ++ assert (i <. v_K); ++ assert (v i + 1 <= v v_K); ++ assert (v i * (v v_OUT_LEN / v v_K) < v v_OUT_LEN); ++ assert (((v i + 1) * (v v_OUT_LEN / v v_K)) <= v v_OUT_LEN); ++ assert (v_OUT_LEN /! v_K == Spec.Kyber.v_C1_BLOCK_SIZE p); ++ assert (range (v i * v (Spec.Kyber.v_C1_BLOCK_SIZE p)) usize_inttype); ++ assert (range ((v i + 1) * v (Spec.Kyber.v_C1_BLOCK_SIZE p)) usize_inttype); ++ assert ((Core.Ops.Range.impl_index_range_slice u8 usize_inttype).in_range out ++ { ++ Core.Ops.Range.f_start = i *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize; ++ Core.Ops.Range.f_end ++ = ++ (i +! sz 1 <: usize) *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize ++ }); ++ assert (((i +! sz 1 <: usize) *! Spec.Kyber.v_C1_BLOCK_SIZE p) -! (i *! Spec.Kyber.v_C1_BLOCK_SIZE p) == Spec.Kyber.v_C1_BLOCK_SIZE p); + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ +- Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; +- Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize ++ Core.Ops.Range.f_start = i *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize; ++ Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice (out.[ { +- Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; ++ Core.Ops.Range.f_start = i *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize; + Core.Ops.Range.f_end + = +- (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ (i +! sz 1 <: usize) *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize ++ } ] + <: + t_Slice u8) +- (Rust_primitives.unsize (Libcrux.Kem.Kyber.Serialize.compress_then_serialize_ring_element_u ++ (Rust_primitives.unsize (Libcrux.Kem.Kyber.Serialize.compress_then_serialize_ring_element_u #p + v_COMPRESSION_FACTOR + v_BLOCK_LEN + re +@@ -203,146 +214,168 @@ + <: + t_Array u8 v_OUT_LEN) in - public_key =. public_key_serialized -+#pop-options ++ admit();//P-F + out --let generate_keypair -+let generate_keypair #p - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) -- (randomness: t_Array u8 (sz 64)) +-let deserialize_then_decompress_u +- (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) +- (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = -+ (randomness: t_Array u8 (sz 64)) = - let ind_cpa_keypair_randomness:t_Slice u8 = - randomness.[ { - Core.Ops.Range.f_start = sz 0; -@@ -311,7 +353,7 @@ - in - let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & - t_Array u8 v_PUBLIC_KEY_SIZE) = -- Libcrux.Kem.Kyber.Ind_cpa.generate_keypair v_K -+ Libcrux.Kem.Kyber.Ind_cpa.generate_keypair #p v_K - v_CPA_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_BYTES_PER_RING_ELEMENT -@@ -320,7 +362,7 @@ - ind_cpa_keypair_randomness +- let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K ++#push-options "--split_queries always" ++let deserialize_then_decompress_u (#p:Spec.Kyber.params) ++ (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR: usize) ++ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) = ++ let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat wfZero v_K in - let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = -- serialize_kem_secret_key v_PRIVATE_KEY_SIZE -+ serialize_kem_secret_key #p v_PRIVATE_KEY_SIZE - (Rust_primitives.unsize ind_cpa_private_key <: t_Slice u8) - (Rust_primitives.unsize public_key <: t_Slice u8) - implicit_rejection_value -@@ -333,3 +375,4 @@ - v_PUBLIC_KEY_SIZE - private_key - (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -+ -diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber.fsti ---- extraction/Libcrux.Kem.Kyber.fsti 2024-02-20 10:46:13.819093804 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-20 10:46:13.888092415 +0100 -@@ -10,36 +10,84 @@ - Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! - Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE - --val serialize_kem_secret_key -+val serialize_kem_secret_key (#p:Spec.Kyber.params) - (v_SERIALIZED_KEY_LEN: usize) - (private_key public_key implicit_rejection_value: t_Slice u8) -- : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) -+ : Pure (t_Array u8 v_SERIALIZED_KEY_LEN) -+ (requires (length private_key == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ -+ length public_key == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -+ length implicit_rejection_value == Spec.Kyber.v_SHARED_SECRET_SIZE /\ -+ v_SERIALIZED_KEY_LEN == Spec.Kyber.v_SECRET_KEY_SIZE p)) -+ (ensures (fun res -> res == -+ Seq.append private_key ( -+ Seq.append public_key ( -+ Seq.append (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) implicit_rejection_value)))) - --val decapsulate -+val decapsulate (#p:Spec.Kyber.params) - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) -- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -+ : Pure (t_Array u8 (sz 32)) -+ (requires ( p == (let open Spec.Kyber in {v_RANK = v_K; v_ETA1; v_ETA2; v_VECTOR_U_COMPRESSION_FACTOR; v_VECTOR_V_COMPRESSION_FACTOR}) /\ -+ Spec.Kyber.valid_params p /\ -+ v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ -+ v_ETA2_RANDOMNESS_SIZE == Spec.Kyber.v_ETA2_RANDOMNESS_SIZE p /\ -+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.Kyber.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE p /\ -+ v_SECRET_KEY_SIZE == Spec.Kyber.v_SECRET_KEY_SIZE p /\ -+ v_CPA_SECRET_KEY_SIZE == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ -+ v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -+ v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ -+ v_C1_SIZE == Spec.Kyber.v_C1_SIZE p /\ -+ v_C1_BLOCK_SIZE == Spec.Kyber.v_C1_BLOCK_SIZE p /\ -+ v_C2_SIZE == Spec.Kyber.v_C2_SIZE p /\ -+ v_T_AS_NTT_ENCODED_SIZE = Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p -+ )) -+ (ensures (fun res -> -+ res == Spec.Kyber.ind_cca_decapsulate p secret_key.f_value ciphertext.f_value)) - --val encapsulate -+val encapsulate (#p:Spec.Kyber.params) - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) -- : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -- Prims.l_True -- (fun _ -> Prims.l_True) -+ : Pure (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -+ (requires (p == (let open Spec.Kyber in {v_RANK = v_K; v_ETA1; v_ETA2; v_VECTOR_U_COMPRESSION_FACTOR; v_VECTOR_V_COMPRESSION_FACTOR}) /\ -+ Spec.Kyber.valid_params p /\ -+ v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ -+ v_ETA2_RANDOMNESS_SIZE == Spec.Kyber.v_ETA2_RANDOMNESS_SIZE p /\ -+ v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -+ v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ -+ v_C1_SIZE == Spec.Kyber.v_C1_SIZE p /\ -+ v_C2_SIZE == Spec.Kyber.v_C2_SIZE p /\ -+ v_T_AS_NTT_ENCODED_SIZE = Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p /\ -+ v_VECTOR_U_BLOCK_LEN == Spec.Kyber.v_C1_BLOCK_SIZE p -+ )) - --val validate_public_key -+ (ensures (fun (ct,ss) -> -+ (ct.f_value,ss) == Spec.Kyber.ind_cca_encapsulate p public_key.f_value randomness)) -+ -+val validate_public_key (#p:Spec.Kyber.params) - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) -- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -+ : Prims.Pure bool -+ (requires (v_K == p.v_RANK /\ -+ v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.Kyber.v_RANKED_BYTES_PER_RING_ELEMENT p -+ )) -+ (ensures (fun _ -> Prims.l_True)) - --val generate_keypair -+val generate_keypair (#p:Spec.Kyber.params) - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) -- : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -- Prims.l_True -- (fun _ -> Prims.l_True) -+ : Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -+ (requires (v_K == p.v_RANK /\ v_ETA1 == p.v_ETA1 /\ -+ v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ -+ v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -+ v_CPA_PRIVATE_KEY_SIZE == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ -+ v_PRIVATE_KEY_SIZE == Spec.Kyber.v_SECRET_KEY_SIZE p /\ -+ v_BYTES_PER_RING_ELEMENT == Spec.Kyber.v_RANKED_BYTES_PER_RING_ELEMENT p -+ )) -+ (ensures (fun kp -> -+ (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) -diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-20 10:46:13.831093562 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-20 10:46:13.858093019 +0100 -@@ -3,13 +3,23 @@ - open Core - open FStar.Mul - --let v_G (input: t_Slice u8) = Libcrux.Digest.sha3_512_ input -+let v_G (input: t_Slice u8) = -+ let res = Libcrux.Digest.sha3_512_ input in -+ admit(); // We assume that sha3_512 correctly implements G -+ res - --let v_H (input: t_Slice u8) = Libcrux.Digest.sha3_256_ input -+let v_H (input: t_Slice u8) = -+ let res = Libcrux.Digest.sha3_256_ input in -+ admit(); // We assume that sha3_512 correctly implements H -+ res - --let v_PRF (v_LEN: usize) (input: t_Slice u8) = Libcrux.Digest.shake256 v_LEN input -+let v_PRF (v_LEN: usize) (input: t_Slice u8) = -+ let res = Libcrux.Digest.shake256 v_LEN input in -+ admit(); // We assume that sha3_512 correctly implements H -+ res - --let v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = -+let v_XOFx4 v_K (input: t_Array (t_Array u8 (sz 34)) v_K) = -+ assert (v v_K >= 2); - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 840) <: t_Array u8 (sz 840)) v_K - in -@@ -56,6 +66,7 @@ - in - out - | 3uy -> -+ assert (v (cast v_K <: u8) = 3); - let d0, d1, d2, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux.Digest.shake128x4 (sz 840) -@@ -75,6 +86,7 @@ - in - out - | 4uy -> -+ assert (v (cast v_K <: u8) = 4); - let d0, d1, d2, d3:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux.Digest.shake128x4 (sz 840) -@@ -100,4 +112,5 @@ - in - out - in -- out -+ admit(); // We assume that shake128x4 correctly implements XOFx4 -+ out -diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-20 10:46:13.791094367 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-20 10:46:13.893092315 +0100 -@@ -3,12 +3,17 @@ - open Core - open FStar.Mul - --val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -+val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True -+ (ensures (fun res -> res == Spec.Kyber.v_G input)) - --val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -+val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True -+ (ensures (fun res -> res == Spec.Kyber.v_H input)) - - val v_PRF (v_LEN: usize) (input: t_Slice u8) -- : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -- --val v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) -- : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) -+ : Prims.Pure (t_Array u8 v_LEN) Prims.l_True -+ (ensures (fun res -> res == Spec.Kyber.v_PRF v_LEN input)) -+ -+val v_XOFx4 (v_K: usize{v v_K >= 2 /\ v v_K <= 4}) (input: t_Array (t_Array u8 (sz 34)) v_K) -+ : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True -+ (ensures (fun res -> -+ (forall i. i < v v_K ==> Seq.index res i == Spec.Kyber.v_XOF (sz 840) (Seq.index input i)))) -diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-20 10:46:13.797094247 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-20 10:46:13.891092355 +0100 -@@ -1,5 +1,5 @@ - module Libcrux.Kem.Kyber.Ind_cpa --#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" - open Core - open FStar.Mul - -@@ -37,33 +37,37 @@ - in - out - --let sample_ring_element_cbd -+unfold let acc_t (v_K v_ETA:usize) = (u8 & t_Array u8 (sz 33) & t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA) - 1)) v_K) -+unfold let inv_t v_K v_ETA = acc_t v_K v_ETA -> usize -> Type -+ -+let wfZero: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) -+ -+let etaZero (v_ETA:usize{v v_ETA >= 1 /\ v v_ETA < pow2 31}): Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_ETA) = -+ (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #(v v_ETA) Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) -+ -+let sample_vector_cbd (#p:Spec.Kyber.params) - (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) -- (prf_input: t_Array u8 (sz 33)) -- (domain_separator: u8) -- = -- let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -- in -- let domain_separator, error_1_, prf_input:(u8 & -- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & -- t_Array u8 (sz 33)) = -- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ -+ (prf_input: t_Array u8 (sz 33)) domain_separator = -+ let error_1_:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) v_K = -+ Rust_primitives.Hax.repeat (etaZero (sz (pow2 (v v_ETA2) - 1))) v_K -+ in -+ let orig_domain_separator = domain_separator in -+ [@ inline_let] -+ let inv : inv_t v_K v_ETA2 = fun (acc:acc_t v_K v_ETA2) (i:usize) -> -+ let (domain_separator,prf_input,error_1_) = acc in -+ if (i >=. sz 0 && i <=. v_K) -+ then -+ domain_separator = orig_domain_separator +! (mk_int #u8_inttype (v i)) -+ else true in -+ let (domain_separator, prf_input, error_1_):acc_t v_K (v_ETA2) = -+ Rust_primitives.Iterators.foldi_range #_ #(acc_t v_K (v_ETA2)) #inv { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } -- <: -- Core.Ops.Range.t_Range usize) -- <: -- Core.Ops.Range.t_Range usize) -- (domain_separator, error_1_, prf_input -- <: -- (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array u8 (sz 33)) -- ) -+ (domain_separator, prf_input, error_1_) - (fun temp_0_ i -> -- let domain_separator, error_1_, prf_input:(u8 & -- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & -- t_Array u8 (sz 33)) = -+ let domain_separator, prf_input, error_1_:acc_t v_K (v_ETA2) = - temp_0_ - in - let i:usize = i in -@@ -77,49 +81,46 @@ - Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE - (Rust_primitives.unsize prf_input <: t_Slice u8) - in -- let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ let error_1_:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_ - i -- (Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2 -+ (Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution #p v_ETA2 - (Rust_primitives.unsize prf_output <: t_Slice u8) - <: -- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) - in -- domain_separator, error_1_, prf_input -- <: -- (u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & -- t_Array u8 (sz 33))) -+ domain_separator, prf_input, error_1_) - in -- let hax_temp_output:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = error_1_ in -+ let hax_temp_output:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) v_K = error_1_ in -+ admit(); //P-F - prf_input, domain_separator, hax_temp_output - <: -- (t_Array u8 (sz 33) & u8 & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -+ (t_Array u8 (sz 33) & u8 & t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_ETA2)) v_K) - --let sample_vector_cbd_then_ntt -+#push-options "--split_queries no --z3rlimit 300" -+let sample_vector_cbd_then_ntt (#p:Spec.Kyber.params) - (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) -- (prf_input: t_Array u8 (sz 33)) -- (domain_separator: u8) -- = -- let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -- in -- let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) & -- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = -- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ -+ (prf_input: t_Array u8 (sz 33)) domain_separator = -+ let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat (wfZero) v_K -+ in -+ let orig_domain_separator = domain_separator in -+ [@ inline_let] -+ let inv: (u8 & t_Array u8 (sz 33) & t_Array (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) v_K) -> usize -> Type = fun acc i -> -+ let (domain_separator,prf_input,re_as_ntt) = acc in -+ if (i >=. sz 0 && i <=. v_K) -+ then -+ domain_separator = orig_domain_separator +! (mk_int #u8_inttype (v i)) -+ else true in -+ let (domain_separator, prf_input, re_as_ntt):(u8 & t_Array u8 (sz 33) & t_Array (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) v_K)= -+ Rust_primitives.Iterators.foldi_range #_ #_ #inv { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } -- <: -- Core.Ops.Range.t_Range usize) -- <: -- Core.Ops.Range.t_Range usize) -- (domain_separator, prf_input, re_as_ntt -- <: -- (u8 & t_Array u8 (sz 33) & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -- ) -+ (domain_separator, prf_input, re_as_ntt) - (fun temp_0_ i -> - let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) & -- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = -+ t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) = - temp_0_ - in - let i:usize = i in -@@ -133,64 +134,74 @@ - Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA_RANDOMNESS_SIZE - (Rust_primitives.unsize prf_input <: t_Slice u8) - in -- let r:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = -- Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA -+ let r:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA) - 1) = -+ Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution #p v_ETA - (Rust_primitives.unsize prf_output <: t_Slice u8) - in -- let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ let r:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7 = -+ Libcrux.Kem.Kyber.Arithmetic.cast_poly_b r in -+ let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_as_ntt - i - (Libcrux.Kem.Kyber.Ntt.ntt_binomially_sampled_ring_element r - <: -- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) - in - domain_separator, prf_input, re_as_ntt - <: - (u8 & t_Array u8 (sz 33) & -- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) -+ t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K)) - in -+ admit(); //P-F - re_as_ntt, domain_separator - <: -- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & u8) -+ (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K & u8) - --let compress_then_serialize_u -- (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) -- (input: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -- = -+ -+let compress_then_serialize_u #p v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN input = - let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in -+ let orig_out = out in -+ let acc_t = t_Array u8 v_OUT_LEN in -+ [@ inline_let] -+ let inv = fun (acc:acc_t) (i:usize) -> True in - let out:t_Array u8 v_OUT_LEN = -- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate -- (Core.Iter.Traits.Collect.f_into_iter input -- <: -- Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -- <: -- Core.Iter.Adapters.Enumerate.t_Enumerate -- (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) -- <: -- Core.Iter.Adapters.Enumerate.t_Enumerate -- (Core.Array.Iter.t_IntoIter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) -+ Rust_primitives.Iterators.foldi_slice #Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement #acc_t #inv -+ input - out - (fun out temp_1_ -> - let out:t_Array u8 v_OUT_LEN = out in -- let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = temp_1_ in -+ let i, re:(usize & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) = temp_1_ in -+ assert (i <. v_K); -+ assert (v i + 1 <= v v_K); -+ assert (v i * (v v_OUT_LEN / v v_K) < v v_OUT_LEN); -+ assert (((v i + 1) * (v v_OUT_LEN / v v_K)) <= v v_OUT_LEN); -+ assert (v_OUT_LEN /! v_K == Spec.Kyber.v_C1_BLOCK_SIZE p); -+ assert (range (v i * v (Spec.Kyber.v_C1_BLOCK_SIZE p)) usize_inttype); -+ assert (range ((v i + 1) * v (Spec.Kyber.v_C1_BLOCK_SIZE p)) usize_inttype); -+ assert ((Core.Ops.Range.impl_index_range_slice u8 usize_inttype).in_range out -+ { -+ Core.Ops.Range.f_start = i *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize; -+ Core.Ops.Range.f_end -+ = -+ (i +! sz 1 <: usize) *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize -+ }); -+ assert (((i +! sz 1 <: usize) *! Spec.Kyber.v_C1_BLOCK_SIZE p) -! (i *! Spec.Kyber.v_C1_BLOCK_SIZE p) == Spec.Kyber.v_C1_BLOCK_SIZE p); - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ -- Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; -- Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize -+ Core.Ops.Range.f_start = i *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize; -+ Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice (out.[ { -- Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; -+ Core.Ops.Range.f_start = i *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize; - Core.Ops.Range.f_end - = -- (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize -- } -- <: -- Core.Ops.Range.t_Range usize ] -+ (i +! sz 1 <: usize) *! Spec.Kyber.v_C1_BLOCK_SIZE p <: usize -+ } ] - <: - t_Slice u8) -- (Rust_primitives.unsize (Libcrux.Kem.Kyber.Serialize.compress_then_serialize_ring_element_u -+ (Rust_primitives.unsize (Libcrux.Kem.Kyber.Serialize.compress_then_serialize_ring_element_u #p - v_COMPRESSION_FACTOR - v_BLOCK_LEN - re -@@ -203,146 +214,168 @@ - <: - t_Array u8 v_OUT_LEN) - in -+ admit();//P-F - out - --let deserialize_then_decompress_u -- (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) -- (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) -- = -- let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -- in - let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact (Rust_primitives.unsize ciphertext <: t_Slice u8) - ((Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! -+#push-options "--split_queries always" -+let deserialize_then_decompress_u (#p:Spec.Kyber.params) -+ (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR: usize) -+ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) = -+ let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat wfZero v_K -+ in + let acc_t1 = t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K in + [@ inline_let] + let inv = fun (acc:acc_t1) (i:usize) -> True in @@ -2345,7 +1952,12 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem -let deserialize_public_key (v_K: usize) (public_key: t_Slice u8) = - let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -- in ++#push-options "--z3rlimit 200" ++let deserialize_public_key (#p:Spec.Kyber.params) ++ (v_K: usize) (public_key: t_Slice u8) = ++ let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat wfZero v_K + in - let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact public_key @@ -2356,12 +1968,6 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem - Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) - <: - Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) -+#push-options "--z3rlimit 200" -+let deserialize_public_key (#p:Spec.Kyber.params) -+ (v_K: usize) (public_key: t_Slice u8) = -+ let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat wfZero v_K -+ in + let acc_t = t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K in + [@ inline_let] + let inv = fun (acc:acc_t) (i:usize) -> True in @@ -2389,11 +1995,18 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem + t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) in - tt_as_ntt -- ++ admit(); //P-F ++ tt_as_ntt ++#pop-options + -let deserialize_secret_key (v_K: usize) (secret_key: t_Slice u8) = - let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -- in ++#push-options "--split_queries always" ++let deserialize_secret_key (#p:Spec.Kyber.params) (v_K: usize) (secret_key: t_Slice u8) = ++ let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat wfZero v_K + in - let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact secret_key @@ -2404,15 +2017,6 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem - Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) - <: - Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) -+ admit(); //P-F -+ tt_as_ntt -+#pop-options -+ -+#push-options "--split_queries always" -+let deserialize_secret_key (#p:Spec.Kyber.params) (v_K: usize) (secret_key: t_Slice u8) = -+ let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat wfZero v_K -+ in + let acc_t = t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K in + [@ inline_let] + let inv = fun (acc:acc_t) (i:usize) -> True in @@ -2486,15 +2090,14 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem + Libcrux.Kem.Kyber.Matrix.compute_message #p v_K v secret_as_ntt u_as_ntt in - Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message -- ++ let res = Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message in ++ res ++#pop-options + -let encrypt - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: t_Slice u8) -+ let res = Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message in -+ res -+#pop-options -+ +#push-options "--z3rlimit 200" +let encrypt #p + v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE @@ -2723,8 +2326,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem + res + diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-20 10:46:13.834093502 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-20 10:46:13.881092556 +0100 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-22 11:01:52 @@ -1,80 +1,151 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2795,16 +2398,6 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke - : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) - Prims.l_True - (fun _ -> Prims.l_True) -- --val deserialize_public_key (v_K: usize) (public_key: t_Slice u8) -- : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -- Prims.l_True -- (fun _ -> Prims.l_True) -- --val deserialize_secret_key (v_K: usize) (secret_key: t_Slice u8) -- : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -- Prims.l_True -- (fun _ -> Prims.l_True) + : Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) + (requires v_K == p.v_RANK /\ + v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ @@ -2813,7 +2406,11 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + (ensures fun res -> + Libcrux.Kem.Kyber.Arithmetic.to_spec_vector_b #p res == + Spec.Kyber.(vector_ntt (decode_then_decompress_u p (Seq.slice ciphertext 0 (v (Spec.Kyber.v_C1_SIZE p)))))) -+ + +-val deserialize_public_key (v_K: usize) (public_key: t_Slice u8) +- : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- Prims.l_True +- (fun _ -> Prims.l_True) +val deserialize_public_key (#p:Spec.Kyber.params) + (v_K: usize) (public_key: t_Array u8 (Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p)) + : Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) @@ -2832,6 +2429,11 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + Spec.Kyber.vector_decode_12 #p secret_key) + +-val deserialize_secret_key (v_K: usize) (secret_key: t_Slice u8) +- : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- Prims.l_True +- (fun _ -> Prims.l_True) +- -val decrypt +val decrypt (#p:Spec.Kyber.params) (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: @@ -2848,9 +2450,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + v_V_COMPRESSION_FACTOR == p.v_VECTOR_V_COMPRESSION_FACTOR)) + (ensures (fun res -> + res == Spec.Kyber.ind_cpa_decrypt p secret_key ciphertext)) -+ -val encrypt ++ +val encrypt (#p:Spec.Kyber.params) (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) @@ -2926,8 +2528,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + + diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-20 10:46:13.821093764 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-20 10:46:13.842093341 +0100 +--- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-22 11:01:52 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) @@ -2961,8 +2563,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.K (sz 3168) (sz 1568) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-20 10:46:13.789094408 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-20 10:46:13.863092918 +0100 +--- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-22 11:01:52 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) @@ -2996,8 +2598,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Ke (sz 1632) (sz 800) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-20 10:46:13.792094347 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-20 10:46:13.861092959 +0100 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-22 11:01:52 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) @@ -3031,8 +2633,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Ke (sz 2400) (sz 1184) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-20 10:46:13.813093925 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-20 10:46:13.850093180 +0100 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-22 11:01:52 @@ -74,14 +74,15 @@ val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) @@ -3058,8 +2660,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.K - (fun _ -> Prims.l_True) + (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem.Kyber.Matrix.fst ---- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-02-20 10:46:13.800094186 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-20 10:46:13.897092234 +0100 +--- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-22 11:01:52 @@ -3,192 +3,188 @@ open Core open FStar.Mul @@ -3071,7 +2673,18 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - = - let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -- in ++open Libcrux.Kem.Kyber.Arithmetic ++ ++let op_Array_Access (x:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) (i:usize{v i < 256}): i32 = ++ x.f_coefficients.[i] ++ ++ ++#push-options "--ifuel 0 --z3rlimit 700" ++let compute_As_plus_e v_K matrix_A s_as_ntt error_as_ntt = ++ let wfZero: wfPolynomialRingElement = (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) in ++ let result:t_Array wfPolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat wfZero v_K + in - let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__iter (Rust_primitives.unsize matrix_A @@ -3087,18 +2700,6 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - <: - Core.Iter.Adapters.Enumerate.t_Enumerate - (Core.Slice.Iter.t_Iter (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))) -+open Libcrux.Kem.Kyber.Arithmetic -+ -+let op_Array_Access (x:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) (i:usize{v i < 256}): i32 = -+ x.f_coefficients.[i] -+ -+ -+#push-options "--ifuel 0 --z3rlimit 700" -+let compute_As_plus_e v_K matrix_A s_as_ntt error_as_ntt = -+ let wfZero: wfPolynomialRingElement = (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) in -+ let result:t_Array wfPolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat wfZero v_K -+ in + [@ inline_let] + let inv0 = fun (acc:t_Array wfPolynomialRingElement v_K) (i:usize) -> + (v i <= v v_K) /\ @@ -3268,8 +2869,6 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. } <: - Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement))) -- in -- result + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K*3328)) in + assert ((result.[i]).f_coefficients.[j] == resultij); + assert(inv2 result (j +! sz 1)); @@ -3281,7 +2880,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + assert (forall (j:usize). (v j >= v i + 1 /\ v j < v v_K) ==> derefine_poly_b result.[j] == derefine_poly_b orig_result.[j]); + assume (inv0 result (i +! sz 1)); + result) -+ in + in +- result + admit(); //P-F + result +#pop-options @@ -3297,15 +2897,15 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. +let compute_message #p v_K m_v secret_as_ntt u_as_ntt = + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + let acc_t = Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) in + [@ inline_let] + let inv = fun (acc:acc_t) (i:usize) -> + (v i <= v v_K) /\ + (poly_range #(v v_K * 3328) acc (v i * 3328)) - in -- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = -- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ ++ in + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = + Rust_primitives.Iterators.foldi_range #_ #acc_t #inv { Core.Ops.Range.f_start = sz 0; @@ -3424,14 +3024,13 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - = - let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -- in -- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = -- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ +#push-options "--ifuel 0 --z3rlimit 100" +let compute_ring_element_v v_K tt_as_ntt r_as_ntt error_2_ message = + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + [@ inline_let] + let inv = fun (acc:t_PolynomialRingElement_b (v v_K * 3328)) (i:usize) -> + (v i <= 256) /\ @@ -3552,7 +3151,12 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - = - let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -- in ++ (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K) ++ (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) = ++ let wfZero: wfPolynomialRingElement = (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) in ++ let result:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat wfZero v_K + in - let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__iter (Rust_primitives.unsize a_as_ntt @@ -3568,12 +3172,6 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - <: - Core.Iter.Adapters.Enumerate.t_Enumerate - (Core.Slice.Iter.t_Iter (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))) -+ (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K) -+ (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) = -+ let wfZero: wfPolynomialRingElement = (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) in -+ let result:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat wfZero v_K -+ in + let acc_t = t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K in + [@ inline_let] + let inv0 = fun (acc:t_Array wfPolynomialRingElement v_K) (i:usize) -> @@ -3664,7 +3262,16 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) - <: - Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -- in ++ (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K resulti) ++ in ++ [@ inline_let] ++ let inv2 = fun (acc:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K * 3328)) v_K) (inner:usize) -> ++ (v inner <= 256) /\ ++ (forall (j:usize). (v j < v i /\ v j < v v_K) ==> acc.[j] == orig_result_cast.[j]) /\ ++ (forall (j:usize). (v j > v i /\ v j < v v_K) ==> acc.[j] == orig_result_cast.[j]) /\ ++ (forall (j:usize). (v j < v inner) ==> (i32_range (acc.[i] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K * 3328)).f_coefficients.[j] 3328)) ++ // And all indexes above v inner are unchanged from result1 + in - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end @@ -3675,16 +3282,6 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) -+ (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K resulti) -+ in -+ [@ inline_let] -+ let inv2 = fun (acc:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K * 3328)) v_K) (inner:usize) -> -+ (v inner <= 256) /\ -+ (forall (j:usize). (v j < v i /\ v j < v v_K) ==> acc.[j] == orig_result_cast.[j]) /\ -+ (forall (j:usize). (v j > v i /\ v j < v v_K) ==> acc.[j] == orig_result_cast.[j]) /\ -+ (forall (j:usize). (v j < v inner) ==> (i32_range (acc.[i] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K * 3328)).f_coefficients.[j] 3328)) -+ // And all indexes above v inner are unchanged from result1 -+ in + assert (forall (j:usize). (v j < v i /\ v j < v v_K) ==> result.[j] == orig_result_cast.[j]); + assert (forall (j:usize). (v j > v i /\ v j < v v_K) ==> result.[j] == orig_result_cast.[j]); + assert (inv2 result (sz 0)); @@ -3850,8 +3447,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + admit(); //P-F v_A_transpose diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-20 10:46:13.807094045 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-20 10:46:13.880092576 +0100 +--- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-22 11:01:52 @@ -3,39 +3,71 @@ open Core open FStar.Mul @@ -3877,9 +3474,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem + (to_spec_matrix_b #p matrix_A) + (to_spec_vector_b #p s_as_ntt) + (to_spec_vector_b #p error_as_ntt)) -+ -val compute_message ++ +val compute_message (#p:Spec.Kyber.params) (v_K: usize) - (v: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) @@ -3928,11 +3525,6 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem - : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) - Prims.l_True - (fun _ -> Prims.l_True) -- --val sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) -- : Prims.Pure (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) -- Prims.l_True -- (fun _ -> Prims.l_True) + (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K) + (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) + : Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) @@ -3943,7 +3535,11 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem + let e_spec = Libcrux.Kem.Kyber.Arithmetic.to_spec_vector_b #p error_1_ in + let res_spec = Libcrux.Kem.Kyber.Arithmetic.to_spec_vector_b #p res in + res_spec == Spec.Kyber.(vector_add (vector_inv_ntt (matrix_vector_mul a_spec r_spec)) e_spec)) -+ + +-val sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) +- : Prims.Pure (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) +- Prims.l_True +- (fun _ -> Prims.l_True) + + +val sample_matrix_A (#p:Spec.Kyber.params) (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) @@ -3954,8 +3550,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem + if transpose then Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == matrix_A + else Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == Spec.Kyber.matrix_transpose matrix_A) diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyber.Ntt.fst ---- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-02-20 10:46:13.809094005 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-20 10:46:13.855093079 +0100 +--- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-22 11:01:52 @@ -1,56 +1,130 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -3971,13 +3567,12 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb - Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((a0 *! b1 <: i32) +! (a1 *! b0 <: i32) <: i32) - <: - (i32 & i32) -- + -let invert_ntt_at_layer - (zeta_i: usize) - (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) - (layer: usize) - = -+ +let v_ZETAS_TIMES_MONTGOMERY_R = + let list : list (i32_b 1664) = + [ @@ -4635,9 +4230,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = down_cast_poly_b #(6*3328+11207) #3328 re in + re +#pop-options -+ -let ntt_multiply (lhs rhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = ++ +#push-options "--z3rlimit 100" +let ntt_multiply lhs rhs = let _:Prims.unit = () <: Prims.unit in @@ -4886,8 +4481,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + down_cast_poly_b #(8*3328) #3328 re +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-20 10:46:13.812093945 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-20 10:46:13.838093421 +0100 +--- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-22 11:01:52 @@ -2,223 +2,80 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -4912,34 +4507,20 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 128); - Rust_primitives.Hax.array_of_list list -- ++val v_ZETAS_TIMES_MONTGOMERY_R: x:t_Array (i32_b 1664) (sz 128){v (x.[sz 1] <: i32) == -758} + -val ntt_multiply_binomials: (i32 & i32) -> (i32 & i32) -> zeta: i32 - -> Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) -- ++val ntt_multiply_binomials (a:wfFieldElement&wfFieldElement) (b: wfFieldElement&wfFieldElement) (zeta: i32_b 1664) : ++ Pure (wfFieldElement & wfFieldElement) ++ (requires True) ++ (ensures (fun _ -> True)) + -val invert_ntt_at_layer - (zeta_i: usize) - (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) - (layer: usize) - : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -- Prims.l_True -- (fun _ -> Prims.l_True) -- --val invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -- Prims.l_True -- (fun _ -> Prims.l_True) -+val v_ZETAS_TIMES_MONTGOMERY_R: x:t_Array (i32_b 1664) (sz 128){v (x.[sz 1] <: i32) == -758} - --val ntt_at_layer -- (zeta_i: usize) -- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -- (layer v__initial_coefficient_bound: usize) -- : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+val ntt_multiply_binomials (a:wfFieldElement&wfFieldElement) (b: wfFieldElement&wfFieldElement) (zeta: i32_b 1664) : -+ Pure (wfFieldElement & wfFieldElement) -+ (requires True) -+ (ensures (fun _ -> True)) -+ +val invert_ntt_at_layer (#v_K:usize{v v_K >= 1 /\ v v_K <= 4}) + (#b:nat{b <= v v_K * 3328 * 64}) + (zeta_i: usize{v zeta_i >= 1 /\ v zeta_i <= 128}) @@ -4953,15 +4534,21 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky - (fun _ -> Prims.l_True) + (fun x -> let (zeta_fin,re) = x in v zeta_fin == pow2 (7 - v layer)) --val ntt_at_layer_3_ -- (zeta_i: usize) -- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -- (layer: usize) -- : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +-val invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +- Prims.l_True +- (fun _ -> Prims.l_True) +val invert_ntt_montgomery (v_K: usize{v v_K >= 1 /\ v v_K <= 4}) + (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) + : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64 * v v_K * 3328) -+ + +-val ntt_at_layer +- (zeta_i: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (layer v__initial_coefficient_bound: usize) +- : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- Prims.l_True +- (fun _ -> Prims.l_True) +val ntt_at_layer + (#b:nat{b <= 31175}) + (zeta_i: usize{v zeta_i < 128}) @@ -4973,7 +4560,12 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky + : Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b)) + (requires True) + (ensures fun (zeta_i, result) -> v zeta_i == pow2 (8 - v layer) - 1) -+ + +-val ntt_at_layer_3_ +- (zeta_i: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (layer: usize) +- : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +val ntt_at_layer_3_ (#b:nat) + (zeta_i: usize{v zeta_i < 128}) + (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b b) @@ -5001,7 +4593,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky + : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b)) Prims.l_True - (fun _ -> Prims.l_True) -- ++ (ensures fun (zeta_i,result) -> v zeta_i == pow2 (8 - v layer) - 1) + -val ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) - : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement - (requires @@ -5055,7 +4648,11 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky - bool) - <: - bool)) -- ++val ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7) ++ : Prims.Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) ++ (requires True) ++ (ensures (fun _ -> True)) + -val ntt_multiply (lhs rhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) - : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement - (requires @@ -5106,13 +4703,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky - bool) - <: - bool)) -+ (ensures fun (zeta_i,result) -> v zeta_i == pow2 (8 - v layer) - 1) - -+val ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7) -+ : Prims.Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ (requires True) -+ (ensures (fun _ -> True)) -+ +- +val ntt_multiply (lhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) + (rhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) + : Prims.Pure (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) @@ -5180,8 +4771,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky + (ensures fun _ -> True) + diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Kem.Kyber.Sampling.fst ---- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-02-20 10:46:13.832093542 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-20 10:46:13.887092436 +0100 +--- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-22 11:01:52 @@ -3,27 +3,34 @@ open Core open FStar.Mul @@ -5594,8 +5185,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + out +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-20 10:46:13.803094126 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-20 10:46:13.895092274 +0100 +--- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-22 11:01:52 @@ -3,77 +3,37 @@ open Core open FStar.Mul @@ -5696,8 +5287,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.K +// (ensures fun result -> (forall i. v (result.f_coefficients.[i]) >= 0)) + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.Kem.Kyber.Serialize.fst ---- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-02-20 10:46:13.818093824 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-20 10:46:13.845093281 +0100 +--- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-22 11:01:52 @@ -1,8 +1,15 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -5836,14 +5427,13 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K let coefficient1:i32 = cast (byte &. 15uy <: u8) <: i32 in let coefficient2:i32 = cast ((byte >>! 4l <: u8) &. 15uy <: u8) <: i32 in - coefficient1, coefficient2 <: (i32 & i32) -- --let decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: i32) = + lemma_get_bit_bounded' coefficient1 4; + lemma_get_bit_bounded' coefficient2 4; + bit_vec_equal_intro_principle (); + coefficient1, coefficient2 +#pop-options -+ + +-let decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: i32) = +#push-options "--z3rlimit 400" +[@@"opaque_to_smt"] +let decompress_coefficients_5_ byte1 byte2 byte3 byte4 byte5 = @@ -7174,8 +6764,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K +#pop-options + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-20 10:46:13.798094227 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-20 10:46:13.883092516 +0100 +--- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-22 11:01:52 @@ -2,118 +2,188 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7183,294 +6773,673 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux. +open MkSeq +open BitVecEq - val compress_coefficients_10_ (coefficient1 coefficient2 coefficient3 coefficient4: i32) -- : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -+ : Prims.Pure (u8 & u8 & u8 & u8 & u8) + val compress_coefficients_10_ (coefficient1 coefficient2 coefficient3 coefficient4: i32) +- : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (u8 & u8 & u8 & u8 & u8) ++ (requires True) ++ (ensures fun tuple -> ++ int_t_array_bitwise_eq' ++ (create4 (coefficient1, coefficient2, coefficient3, coefficient4)) 10 ++ (create5 tuple) 8 ++ ) + + val compress_coefficients_11_ + (coefficient1 coefficient2 coefficient3 coefficient4 coefficient5 coefficient6 coefficient7 coefficient8: +- i32) ++ int_t_d i32_inttype 11) + : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) +- Prims.l_True +- (fun _ -> Prims.l_True) ++ (requires True) ++ (ensures fun tuple -> ++ int_t_array_bitwise_eq' ++ (create8 (coefficient1, coefficient2, coefficient3, coefficient4, coefficient5, coefficient6, coefficient7, coefficient8)) 11 ++ (create11 tuple) 8 ++ ) + +-val compress_coefficients_3_ (coefficient1 coefficient2: u16) +- : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) ++val compress_coefficients_3_ (coefficient1 coefficient2: int_t_d u16_inttype 12) ++ : Prims.Pure (u8 & u8 & u8) ++ (requires True) ++ (ensures fun tuple -> ++ int_t_array_bitwise_eq' ++ (create2 (coefficient1, coefficient2)) 12 ++ (create3 tuple) 8 ++ ) + + val compress_coefficients_5_ +- (coefficient2 coefficient1 coefficient4 coefficient3 coefficient5 coefficient7 coefficient6 coefficient8: +- u8) +- : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) ++ (coefficient2 coefficient1 coefficient4 coefficient3 coefficient5 coefficient7 coefficient6 coefficient8: int_t_d u8_inttype 5) ++ : Prims.Pure (u8 & u8 & u8 & u8 & u8) ++ (requires True) ++ (ensures fun tuple -> ++ int_t_array_bitwise_eq' ++ (create8 (coefficient1, coefficient2, coefficient3, coefficient4, coefficient5, coefficient6, coefficient7, coefficient8)) 5 ++ (create5 tuple) 8 ++ ) + +-val decompress_coefficients_10_ (byte2 byte1 byte3 byte4 byte5: i32) +- : Prims.Pure (i32 & i32 & i32 & i32) Prims.l_True (fun _ -> Prims.l_True) ++private unfold type i32_d = int_t_d i32_inttype ++val decompress_coefficients_10_ (byte2 byte1 byte3 byte4 byte5: int_t_d i32_inttype 8) ++ : Prims.Pure (i32_d 10 & i32_d 10 & i32_d 10 & i32_d 10) ++ (requires True) ++ (ensures fun (r1, r2, r3, r4) -> ++ int_t_array_bitwise_eq' ++ (create5 (byte1, byte2, byte3, byte4, byte5)) 8 ++ (create4 #i32 (r1, r2, r3, r4)) 10 ++ ) + + val decompress_coefficients_11_ +- (byte2 byte1 byte3 byte5 byte4 byte6 byte7 byte9 byte8 byte10 byte11: i32) +- : Prims.Pure (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) +- Prims.l_True +- (fun _ -> Prims.l_True) ++ (byte2 byte1 byte3 byte5 byte4 byte6 byte7 byte9 byte8 byte10 byte11: int_t_d i32_inttype 8) ++ : Prims.Pure (i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11) ++ (requires True) ++ (ensures fun (r1, r2, r3, r4, r5, r6, r7, r8) -> ++ int_t_array_bitwise_eq' ++ (create11 #i32 (byte1, byte2, byte3, byte4, byte5, byte6, byte7, byte8, byte9, byte10, byte11)) 8 ++ (create8 #i32 (r1, r2, r3, r4, r5, r6, r7, r8)) 11 ++ ) + + val decompress_coefficients_4_ (byte: u8) +- : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (i32_d 4 & i32_d 4) ++ (requires True) ++ (ensures fun (r1, r2) -> ++ int_t_array_bitwise_eq' ++ (create1 byte) 8 ++ (create2 #i32 (r1, r2)) 4 ++ ) + +-val decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: i32) +- : Prims.Pure (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) +- Prims.l_True +- (fun _ -> Prims.l_True) ++val decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: int_t_d i32_inttype 8) ++ : Prims.Pure (i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5) ++ (requires True) ++ (ensures fun (r1, r2, r3, r4, r5, r6, r7, r8) -> ++ int_t_array_bitwise_eq' ++ (create5 #i32 (byte1, byte2, byte3, byte4, byte5)) 8 ++ (create8 #i32 (r1, r2, r3, r4, r5, r6, r7, r8)) 5 ++ ) + + val compress_then_serialize_10_ +- (v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ (v_OUT_LEN: usize {v v_OUT_LEN >= 320}) ++ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + + val compress_then_serialize_11_ +- (v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ (v_OUT_LEN: usize {v v_OUT_LEN >= 352}) ++ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + + val compress_then_serialize_4_ +- (v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ (v_OUT_LEN: usize {v v_OUT_LEN >= 128}) ++ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + + val compress_then_serialize_5_ +- (v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ (v_OUT_LEN: usize {v v_OUT_LEN >= 160}) ++ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + +-val compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) ++val compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) ++ : Pure (t_Array u8 (sz 32)) + (requires True) -+ (ensures fun tuple -> -+ int_t_array_bitwise_eq' -+ (create4 (coefficient1, coefficient2, coefficient3, coefficient4)) 10 -+ (create5 tuple) 8 -+ ) ++ (ensures (fun res -> ++ res == Spec.Kyber.compress_then_encode_message (Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b re))) - val compress_coefficients_11_ - (coefficient1 coefficient2 coefficient3 coefficient4 coefficient5 coefficient6 coefficient7 coefficient8: -- i32) -+ int_t_d i32_inttype 11) - : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) + val compress_then_serialize_ring_element_u +- (v_COMPRESSION_FACTOR v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) ++ (#p:Spec.Kyber.params) ++ (v_COMPRESSION_FACTOR: usize {v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11}) ++ (v_OUT_LEN: usize { v v_OUT_LEN = 32 * v v_COMPRESSION_FACTOR }) ++ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) ++ : t_Array u8 v_OUT_LEN ++ ++val compress_then_serialize_ring_element_v (#p:Spec.Kyber.params) ++ (v_COMPRESSION_FACTOR: usize {v_COMPRESSION_FACTOR = sz 4 || v_COMPRESSION_FACTOR = sz 5}) ++ (v_OUT_LEN: usize {v v_OUT_LEN = 32 * v v_COMPRESSION_FACTOR}) ++ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) ++ : Pure (t_Array u8 v_OUT_LEN) ++ (requires True) ++ (ensures (fun res -> ++ res == ++ Spec.Kyber.compress_then_encode_v p ++ (Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b re))) + +-val compress_then_serialize_ring_element_v +- (v_COMPRESSION_FACTOR v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) +- +-val deserialize_then_decompress_10_ (serialized: t_Slice u8) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++val deserialize_then_decompress_10_ (serialized: t_Slice u8 {Seq.length serialized == 320}) ++ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement + Prims.l_True + (fun _ -> Prims.l_True) + +-val deserialize_then_decompress_11_ (serialized: t_Slice u8) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++val deserialize_then_decompress_11_ (serialized: t_Slice u8 {Seq.length serialized == 352}) ++ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement + Prims.l_True + (fun _ -> Prims.l_True) + +-val deserialize_then_decompress_4_ (serialized: t_Slice u8) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++val deserialize_then_decompress_4_ (serialized: t_Slice u8 {Seq.length serialized == 128}) ++ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement + Prims.l_True + (fun _ -> Prims.l_True) + +-val deserialize_then_decompress_5_ (serialized: t_Slice u8) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++val deserialize_then_decompress_5_ ++ (serialized: t_Slice u8 {Seq.length serialized == 160}) ++ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement + Prims.l_True + (fun _ -> Prims.l_True) + + val deserialize_then_decompress_message (serialized: t_Array u8 (sz 32)) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement - Prims.l_True - (fun _ -> Prims.l_True) -- --val compress_coefficients_3_ (coefficient1 coefficient2: u16) -- : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + (requires True) -+ (ensures fun tuple -> -+ int_t_array_bitwise_eq' -+ (create8 (coefficient1, coefficient2, coefficient3, coefficient4, coefficient5, coefficient6, coefficient7, coefficient8)) 11 -+ (create11 tuple) 8 -+ ) -+ -+val compress_coefficients_3_ (coefficient1 coefficient2: int_t_d u16_inttype 12) -+ : Prims.Pure (u8 & u8 & u8) -+ (requires True) -+ (ensures fun tuple -> -+ int_t_array_bitwise_eq' -+ (create2 (coefficient1, coefficient2)) 12 -+ (create3 tuple) 8 -+ ) ++ (ensures fun res -> ++ Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b res == ++ Spec.Kyber.decode_then_decompress_message serialized) - val compress_coefficients_5_ -- (coefficient2 coefficient1 coefficient4 coefficient3 coefficient5 coefficient7 coefficient6 coefficient8: -- u8) -- : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -- --val decompress_coefficients_10_ (byte2 byte1 byte3 byte4 byte5: i32) -- : Prims.Pure (i32 & i32 & i32 & i32) Prims.l_True (fun _ -> Prims.l_True) -+ (coefficient2 coefficient1 coefficient4 coefficient3 coefficient5 coefficient7 coefficient6 coefficient8: int_t_d u8_inttype 5) -+ : Prims.Pure (u8 & u8 & u8 & u8 & u8) + val deserialize_then_decompress_ring_element_u + (v_COMPRESSION_FACTOR: usize) +- (serialized: t_Slice u8) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +- Prims.l_True +- (fun _ -> Prims.l_True) ++ (serialized: t_Slice u8 { ++ match v v_COMPRESSION_FACTOR with ++ | 10 -> Seq.length serialized == 320 ++ | 11 -> Seq.length serialized == 352 ++ | _ -> False ++ }) ++ : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) ++ (requires v_COMPRESSION_FACTOR = sz 10 || v_COMPRESSION_FACTOR = sz 11) ++ (ensures fun _ -> True) + +-val deserialize_then_decompress_ring_element_v +- (v_COMPRESSION_FACTOR: usize) ++val deserialize_then_decompress_ring_element_v (#p:Spec.Kyber.params) ++ (v_COMPRESSION_FACTOR: usize {v v_COMPRESSION_FACTOR == 4 \/ v v_COMPRESSION_FACTOR == 5}) + (serialized: t_Slice u8) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +- Prims.l_True +- (fun _ -> Prims.l_True) ++ : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) ++ (requires (p.v_VECTOR_V_COMPRESSION_FACTOR == v_COMPRESSION_FACTOR /\ ++ length serialized == Spec.Kyber.v_C2_SIZE p)) ++ (ensures fun res -> Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b res ++ == Spec.Kyber.decode_then_decompress_v p serialized) + + val deserialize_to_uncompressed_ring_element (serialized: t_Slice u8) +- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +- Prims.l_True +- (fun _ -> Prims.l_True) ++ : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) ++ (requires (length serialized == Spec.Kyber.v_BYTES_PER_RING_ELEMENT)) ++ (ensures fun _ -> True) + +-val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) ++val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) ++ : Pure (t_Array u8 (sz 384)) + (requires True) -+ (ensures fun tuple -> -+ int_t_array_bitwise_eq' -+ (create8 (coefficient1, coefficient2, coefficient3, coefficient4, coefficient5, coefficient6, coefficient7, coefficient8)) 5 -+ (create5 tuple) 8 -+ ) ++ (ensures (fun res -> ++ let coefficients: t_Array _ (sz 256) = Spec.Kyber.map' Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative re.f_coefficients in ++ int_t_array_bitwise_eq res 8 coefficients 12 ++ )) +diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.Kyber.Types.fst +--- extraction/Libcrux.Kem.Kyber.Types.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-22 11:01:52 +@@ -50,7 +50,9 @@ + let impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : usize = v_SIZE + + let impl_6__split_at (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) (mid: usize) +- : (t_Slice u8 & t_Slice u8) = ++ : Pure (t_Slice u8 & t_Slice u8) ++ (requires (mid <=. v_SIZE)) ++ (ensures (fun (x,y) -> Seq.length x == v mid /\ Seq.length y == v (v_SIZE -! mid))) = + Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid + + type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } +@@ -100,7 +102,9 @@ + let impl_12__len (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) : usize = v_SIZE + + let impl_12__split_at (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) (mid: usize) +- : (t_Slice u8 & t_Slice u8) = ++ : Pure (t_Slice u8 & t_Slice u8) ++ (requires (mid <=. v_SIZE)) ++ (ensures (fun (x,y) -> Seq.length x == v mid /\ Seq.length y == v (v_SIZE -! mid))) = + Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid + + type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } +@@ -150,7 +154,9 @@ + let impl_18__len (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) : usize = v_SIZE + + let impl_18__split_at (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) (mid: usize) +- : (t_Slice u8 & t_Slice u8) = ++ : Pure (t_Slice u8 & t_Slice u8) ++ (requires (mid <=. v_SIZE)) ++ (ensures (fun (x,y) -> Seq.length x == v mid /\ Seq.length y == v (v_SIZE -! mid))) = + Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid + + type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { +diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.fst +--- extraction/Libcrux.Kem.Kyber.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-22 11:01:52 +@@ -1,12 +1,29 @@ + module Libcrux.Kem.Kyber +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" ++#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" + open Core + open FStar.Mul + +-let serialize_kem_secret_key ++let update_at_range_lemma #n ++ (s: t_Slice 't) ++ (i: Core.Ops.Range.t_Range (int_t n) {(Core.Ops.Range.impl_index_range_slice 't n).in_range s i}) ++ (x: t_Slice 't) ++ : Lemma ++ (requires (Seq.length x == v i.f_end - v i.f_start)) ++ (ensures ( ++ let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in ++ let len = v i.f_start in ++ forall (i: nat). i < len ==> Seq.index s i == Seq.index s' i ++ )) ++ [SMTPat (Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x)] ++ = let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in ++ let len = v i.f_start in ++ introduce forall (i:nat {i < len}). Seq.index s i == Seq.index s' i ++ with (assert ( Seq.index (Seq.slice s 0 len) i == Seq.index s i ++ /\ Seq.index (Seq.slice s' 0 len) i == Seq.index s' i )) + -+private unfold type i32_d = int_t_d i32_inttype -+val decompress_coefficients_10_ (byte2 byte1 byte3 byte4 byte5: int_t_d i32_inttype 8) -+ : Prims.Pure (i32_d 10 & i32_d 10 & i32_d 10 & i32_d 10) -+ (requires True) -+ (ensures fun (r1, r2, r3, r4) -> -+ int_t_array_bitwise_eq' -+ (create5 (byte1, byte2, byte3, byte4, byte5)) 8 -+ (create4 #i32 (r1, r2, r3, r4)) 10 -+ ) ++let serialize_kem_secret_key #p + (v_SERIALIZED_KEY_LEN: usize) +- (private_key public_key implicit_rejection_value: t_Slice u8) +- = ++ (private_key public_key implicit_rejection_value: t_Slice u8) = + let out:t_Array u8 v_SERIALIZED_KEY_LEN = Rust_primitives.Hax.repeat 0uy v_SERIALIZED_KEY_LEN in + let pointer:usize = sz 0 in + let out:t_Array u8 v_SERIALIZED_KEY_LEN = +@@ -55,6 +72,8 @@ + t_Slice u8) + in + let pointer:usize = pointer +! (Core.Slice.impl__len public_key <: usize) in ++ let h_public_key = (Rust_primitives.unsize (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) ++ <: t_Slice u8) in + let out:t_Array u8 v_SERIALIZED_KEY_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ +@@ -70,16 +89,7 @@ + pointer +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE <: usize + } + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- (Rust_primitives.unsize (Libcrux.Kem.Kyber.Hash_functions.v_H public_key +- <: +- t_Array u8 (sz 32)) +- <: +- t_Slice u8) +- <: +- t_Slice u8) ++ Core.Ops.Range.t_Range usize ]) h_public_key) + in + let pointer:usize = pointer +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE in + let out:t_Array u8 v_SERIALIZED_KEY_LEN = +@@ -106,14 +116,32 @@ + <: + t_Slice u8) + in ++ assert (Seq.slice out 0 (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p)) `Seq.equal` private_key); ++ assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p)) ++ (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p)) `Seq.equal` public_key); ++ assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! ++ Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p)) ++ (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! ++ Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! ++ Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)) ++ `Seq.equal` Libcrux.Kem.Kyber.Hash_functions.v_H public_key); ++ assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! ++ Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! ++ Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)) ++ (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! ++ Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! ++ Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE +! ++ Spec.Kyber.v_SHARED_SECRET_SIZE)) ++ == implicit_rejection_value); ++ lemma_slice_append_4 out private_key public_key (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) implicit_rejection_value; + out - val decompress_coefficients_11_ -- (byte2 byte1 byte3 byte5 byte4 byte6 byte7 byte9 byte8 byte10 byte11: i32) -- : Prims.Pure (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) -- Prims.l_True -- (fun _ -> Prims.l_True) -+ (byte2 byte1 byte3 byte5 byte4 byte6 byte7 byte9 byte8 byte10 byte11: int_t_d i32_inttype 8) -+ : Prims.Pure (i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11 & i32_d 11) -+ (requires True) -+ (ensures fun (r1, r2, r3, r4, r5, r6, r7, r8) -> -+ int_t_array_bitwise_eq' -+ (create11 #i32 (byte1, byte2, byte3, byte4, byte5, byte6, byte7, byte8, byte9, byte10, byte11)) 8 -+ (create8 #i32 (r1, r2, r3, r4, r5, r6, r7, r8)) 11 -+ ) +-let decapsulate ++let decapsulate #p + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) +- (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) +- = ++ (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = ++ let orig_secret_key = secret_key.f_value in + let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = + Libcrux.Kem.Kyber.Types.impl_12__split_at v_SECRET_KEY_SIZE secret_key v_CPA_SECRET_KEY_SIZE + in +@@ -123,8 +151,12 @@ + let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at secret_key Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE + in ++ assert (ind_cpa_secret_key == slice orig_secret_key (sz 0) v_CPA_SECRET_KEY_SIZE); ++ assert (ind_cpa_public_key == slice orig_secret_key v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE)); ++ assert (ind_cpa_public_key_hash == slice orig_secret_key (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)); ++ assert (implicit_rejection_value == slice orig_secret_key (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE) (length orig_secret_key)); + let decrypted:t_Array u8 (sz 32) = +- Libcrux.Kem.Kyber.Ind_cpa.decrypt v_K ++ Libcrux.Kem.Kyber.Ind_cpa.decrypt #p v_K + v_CIPHERTEXT_SIZE + v_C1_SIZE + v_VECTOR_U_COMPRESSION_FACTOR +@@ -152,6 +184,9 @@ + <: + t_Slice u8) + in ++ lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; ++ assert (decrypted == Spec.Kyber.ind_cpa_decrypt p ind_cpa_secret_key ciphertext.f_value); ++ assert (to_hash == concat decrypted ind_cpa_public_key_hash); + let hashed:t_Array u8 (sz 64) = + Libcrux.Kem.Kyber.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) + in +@@ -159,6 +194,10 @@ + Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) + Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE + in ++ assert ((shared_secret,pseudorandomness) == split hashed Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE); ++ assert (length implicit_rejection_value = v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE); ++ assert (length implicit_rejection_value = Spec.Kyber.v_SHARED_SECRET_SIZE); ++ assert (Spec.Kyber.v_SHARED_SECRET_SIZE <=. Spec.Kyber.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE p); + let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = + Libcrux.Kem.Kyber.Ind_cpa.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE +@@ -180,11 +219,14 @@ + <: + t_Slice u8) + in ++ lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value; + let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = + Libcrux.Kem.Kyber.Hash_functions.v_PRF (sz 32) (Rust_primitives.unsize to_hash <: t_Slice u8) + in ++ assert (implicit_rejection_shared_secret == Spec.Kyber.v_J to_hash); ++ assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE); + let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = +- Libcrux.Kem.Kyber.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE ++ Libcrux.Kem.Kyber.Ind_cpa.encrypt #p v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE ind_cpa_public_key decrypted + pseudorandomness +@@ -194,16 +236,18 @@ + (Core.Convert.f_as_ref ciphertext <: t_Slice u8) + (Rust_primitives.unsize expected_ciphertext <: t_Slice u8) + in ++ let res = + Libcrux.Kem.Kyber.Constant_time_ops.select_shared_secret_in_constant_time shared_secret + (Rust_primitives.unsize implicit_rejection_shared_secret <: t_Slice u8) + selector ++ in ++ res - val decompress_coefficients_4_ (byte: u8) -- : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) -- --val decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: i32) -- : Prims.Pure (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) -- Prims.l_True -- (fun _ -> Prims.l_True) -+ : Prims.Pure (i32_d 4 & i32_d 4) -+ (requires True) -+ (ensures fun (r1, r2) -> -+ int_t_array_bitwise_eq' -+ (create1 byte) 8 -+ (create2 #i32 (r1, r2)) 4 -+ ) +-let encapsulate ++let encapsulate #p + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) +- (randomness: t_Array u8 (sz 32)) +- = ++ (randomness: t_Array u8 (sz 32)) = + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux.Kem.Kyber.Ind_cpa.into_padded_array (sz 64) + (Rust_primitives.unsize randomness <: t_Slice u8) +@@ -234,6 +278,10 @@ + <: + t_Slice u8) + in ++ assert (Seq.slice to_hash 0 (v Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE) == randomness); ++ lemma_slice_append to_hash randomness (Spec.Kyber.v_H public_key.f_value); ++ assert (to_hash == concat randomness (Spec.Kyber.v_H public_key.f_value)); + -+val decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: int_t_d i32_inttype 8) -+ : Prims.Pure (i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5) -+ (requires True) -+ (ensures fun (r1, r2, r3, r4, r5, r6, r7, r8) -> -+ int_t_array_bitwise_eq' -+ (create5 #i32 (byte1, byte2, byte3, byte4, byte5)) 8 -+ (create8 #i32 (r1, r2, r3, r4, r5, r6, r7, r8)) 5 -+ ) - - val compress_then_serialize_10_ -- (v_OUT_LEN: usize) -- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ (v_OUT_LEN: usize {v v_OUT_LEN >= 320}) -+ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + let hashed:t_Array u8 (sz 64) = + Libcrux.Kem.Kyber.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) + in +@@ -242,7 +290,7 @@ + Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = +- Libcrux.Kem.Kyber.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE ++ Libcrux.Kem.Kyber.Ind_cpa.encrypt #p v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + (Rust_primitives.unsize (Libcrux.Kem.Kyber.Types.impl_18__as_slice v_PUBLIC_KEY_SIZE +@@ -252,28 +300,26 @@ + <: + t_Slice u8) randomness pseudorandomness + in +- let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in +- let shared_secret_array:t_Array u8 (sz 32) = +- Core.Slice.impl__copy_from_slice shared_secret_array shared_secret +- in +- Core.Convert.f_into ciphertext, shared_secret_array ++ Core.Convert.f_into ciphertext, ++ Core.Result.impl__unwrap (Core.Convert.f_try_into shared_secret ++ <: ++ Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + <: + (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - val compress_then_serialize_11_ -- (v_OUT_LEN: usize) -- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ (v_OUT_LEN: usize {v v_OUT_LEN >= 352}) -+ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) +-let validate_public_key ++#push-options "--z3rlimit 100" ++let validate_public_key #p + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = +- let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key v_K ++ let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = ++ Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key #p v_K + (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } + <: +- Core.Ops.Range.t_RangeTo usize ] +- <: +- t_Slice u8) ++ Core.Ops.Range.t_RangeTo usize ]) + in + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = +- Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key v_K ++ Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key #p v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + pk +@@ -284,12 +330,12 @@ + t_Slice u8) + in + public_key =. public_key_serialized ++#pop-options - val compress_then_serialize_4_ -- (v_OUT_LEN: usize) -- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ (v_OUT_LEN: usize {v v_OUT_LEN >= 128}) -+ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) +-let generate_keypair ++let generate_keypair #p + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) +- (randomness: t_Array u8 (sz 64)) +- = ++ (randomness: t_Array u8 (sz 64)) = + let ind_cpa_keypair_randomness:t_Slice u8 = + randomness.[ { + Core.Ops.Range.f_start = sz 0; +@@ -307,7 +353,7 @@ + in + let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & + t_Array u8 v_PUBLIC_KEY_SIZE) = +- Libcrux.Kem.Kyber.Ind_cpa.generate_keypair v_K ++ Libcrux.Kem.Kyber.Ind_cpa.generate_keypair #p v_K + v_CPA_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT +@@ -316,7 +362,7 @@ + ind_cpa_keypair_randomness + in + let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = +- serialize_kem_secret_key v_PRIVATE_KEY_SIZE ++ serialize_kem_secret_key #p v_PRIVATE_KEY_SIZE + (Rust_primitives.unsize ind_cpa_private_key <: t_Slice u8) + (Rust_primitives.unsize public_key <: t_Slice u8) + implicit_rejection_value +@@ -329,3 +375,4 @@ + v_PUBLIC_KEY_SIZE + private_key + (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) ++ +diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber.fsti +--- extraction/Libcrux.Kem.Kyber.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-22 11:01:52 +@@ -10,36 +10,84 @@ + Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! + Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE - val compress_then_serialize_5_ -- (v_OUT_LEN: usize) -- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ (v_OUT_LEN: usize {v v_OUT_LEN >= 160}) -+ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) +-val serialize_kem_secret_key ++val serialize_kem_secret_key (#p:Spec.Kyber.params) + (v_SERIALIZED_KEY_LEN: usize) + (private_key public_key implicit_rejection_value: t_Slice u8) +- : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) ++ : Pure (t_Array u8 v_SERIALIZED_KEY_LEN) ++ (requires (length private_key == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ ++ length public_key == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ ++ length implicit_rejection_value == Spec.Kyber.v_SHARED_SECRET_SIZE /\ ++ v_SERIALIZED_KEY_LEN == Spec.Kyber.v_SECRET_KEY_SIZE p)) ++ (ensures (fun res -> res == ++ Seq.append private_key ( ++ Seq.append public_key ( ++ Seq.append (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) implicit_rejection_value)))) --val compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +-val decapsulate ++val decapsulate (#p:Spec.Kyber.params) + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -+val compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + : Pure (t_Array u8 (sz 32)) -+ (requires True) -+ (ensures (fun res -> -+ res == Spec.Kyber.compress_then_encode_message (Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b re))) - - val compress_then_serialize_ring_element_u -- (v_COMPRESSION_FACTOR v_OUT_LEN: usize) -- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -- : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) -- --val compress_then_serialize_ring_element_v -- (v_COMPRESSION_FACTOR v_OUT_LEN: usize) -- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -- : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) -+ (#p:Spec.Kyber.params) -+ (v_COMPRESSION_FACTOR: usize {v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11}) -+ (v_OUT_LEN: usize { v v_OUT_LEN = 32 * v v_COMPRESSION_FACTOR }) -+ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ : t_Array u8 v_OUT_LEN -+ -+val compress_then_serialize_ring_element_v (#p:Spec.Kyber.params) -+ (v_COMPRESSION_FACTOR: usize {v_COMPRESSION_FACTOR = sz 4 || v_COMPRESSION_FACTOR = sz 5}) -+ (v_OUT_LEN: usize {v v_OUT_LEN = 32 * v v_COMPRESSION_FACTOR}) -+ (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ : Pure (t_Array u8 v_OUT_LEN) -+ (requires True) -+ (ensures (fun res -> -+ res == -+ Spec.Kyber.compress_then_encode_v p -+ (Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b re))) - --val deserialize_then_decompress_10_ (serialized: t_Slice u8) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -+val deserialize_then_decompress_10_ (serialized: t_Slice u8 {Seq.length serialized == 320}) -+ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement - Prims.l_True - (fun _ -> Prims.l_True) - --val deserialize_then_decompress_11_ (serialized: t_Slice u8) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -+val deserialize_then_decompress_11_ (serialized: t_Slice u8 {Seq.length serialized == 352}) -+ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement - Prims.l_True - (fun _ -> Prims.l_True) - --val deserialize_then_decompress_4_ (serialized: t_Slice u8) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -+val deserialize_then_decompress_4_ (serialized: t_Slice u8 {Seq.length serialized == 128}) -+ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement - Prims.l_True - (fun _ -> Prims.l_True) - --val deserialize_then_decompress_5_ (serialized: t_Slice u8) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -+val deserialize_then_decompress_5_ -+ (serialized: t_Slice u8 {Seq.length serialized == 160}) -+ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement - Prims.l_True - (fun _ -> Prims.l_True) - - val deserialize_then_decompress_message (serialized: t_Array u8 (sz 32)) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -- Prims.l_True -- (fun _ -> Prims.l_True) -+ : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ (requires True) -+ (ensures fun res -> -+ Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b res == -+ Spec.Kyber.decode_then_decompress_message serialized) ++ (requires ( p == (let open Spec.Kyber in {v_RANK = v_K; v_ETA1; v_ETA2; v_VECTOR_U_COMPRESSION_FACTOR; v_VECTOR_V_COMPRESSION_FACTOR}) /\ ++ Spec.Kyber.valid_params p /\ ++ v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ ++ v_ETA2_RANDOMNESS_SIZE == Spec.Kyber.v_ETA2_RANDOMNESS_SIZE p /\ ++ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.Kyber.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE p /\ ++ v_SECRET_KEY_SIZE == Spec.Kyber.v_SECRET_KEY_SIZE p /\ ++ v_CPA_SECRET_KEY_SIZE == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ ++ v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ ++ v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ ++ v_C1_SIZE == Spec.Kyber.v_C1_SIZE p /\ ++ v_C1_BLOCK_SIZE == Spec.Kyber.v_C1_BLOCK_SIZE p /\ ++ v_C2_SIZE == Spec.Kyber.v_C2_SIZE p /\ ++ v_T_AS_NTT_ENCODED_SIZE = Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p ++ )) ++ (ensures (fun res -> ++ res == Spec.Kyber.ind_cca_decapsulate p secret_key.f_value ciphertext.f_value)) - val deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) -- (serialized: t_Slice u8) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +-val encapsulate ++val encapsulate (#p:Spec.Kyber.params) + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) +- : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) -+ (serialized: t_Slice u8 { -+ match v v_COMPRESSION_FACTOR with -+ | 10 -> Seq.length serialized == 320 -+ | 11 -> Seq.length serialized == 352 -+ | _ -> False -+ }) -+ : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ (requires v_COMPRESSION_FACTOR = sz 10 || v_COMPRESSION_FACTOR = sz 11) -+ (ensures fun _ -> True) ++ : Pure (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) ++ (requires (p == (let open Spec.Kyber in {v_RANK = v_K; v_ETA1; v_ETA2; v_VECTOR_U_COMPRESSION_FACTOR; v_VECTOR_V_COMPRESSION_FACTOR}) /\ ++ Spec.Kyber.valid_params p /\ ++ v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ ++ v_ETA2_RANDOMNESS_SIZE == Spec.Kyber.v_ETA2_RANDOMNESS_SIZE p /\ ++ v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ ++ v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ ++ v_C1_SIZE == Spec.Kyber.v_C1_SIZE p /\ ++ v_C2_SIZE == Spec.Kyber.v_C2_SIZE p /\ ++ v_T_AS_NTT_ENCODED_SIZE = Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p /\ ++ v_VECTOR_U_BLOCK_LEN == Spec.Kyber.v_C1_BLOCK_SIZE p ++ )) --val deserialize_then_decompress_ring_element_v -- (v_COMPRESSION_FACTOR: usize) -+val deserialize_then_decompress_ring_element_v (#p:Spec.Kyber.params) -+ (v_COMPRESSION_FACTOR: usize {v v_COMPRESSION_FACTOR == 4 \/ v v_COMPRESSION_FACTOR == 5}) - (serialized: t_Slice u8) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -- Prims.l_True -- (fun _ -> Prims.l_True) -+ : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ (requires (p.v_VECTOR_V_COMPRESSION_FACTOR == v_COMPRESSION_FACTOR /\ -+ length serialized == Spec.Kyber.v_C2_SIZE p)) -+ (ensures fun res -> Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b res -+ == Spec.Kyber.decode_then_decompress_v p serialized) +-val validate_public_key ++ (ensures (fun (ct,ss) -> ++ (ct.f_value,ss) == Spec.Kyber.ind_cca_encapsulate p public_key.f_value randomness)) ++ ++val validate_public_key (#p:Spec.Kyber.params) + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) +- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure bool ++ (requires (v_K == p.v_RANK /\ ++ v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ ++ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.Kyber.v_RANKED_BYTES_PER_RING_ELEMENT p ++ )) ++ (ensures (fun _ -> Prims.l_True)) - val deserialize_to_uncompressed_ring_element (serialized: t_Slice u8) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +-val generate_keypair ++val generate_keypair (#p:Spec.Kyber.params) + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) +- : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) -- --val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -- : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) -+ : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ (requires (length serialized == Spec.Kyber.v_BYTES_PER_RING_ELEMENT)) -+ (ensures fun _ -> True) ++ : Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) ++ (requires (v_K == p.v_RANK /\ v_ETA1 == p.v_ETA1 /\ ++ v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ ++ v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ ++ v_CPA_PRIVATE_KEY_SIZE == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ ++ v_PRIVATE_KEY_SIZE == Spec.Kyber.v_SECRET_KEY_SIZE p /\ ++ v_BYTES_PER_RING_ELEMENT == Spec.Kyber.v_RANKED_BYTES_PER_RING_ELEMENT p ++ )) ++ (ensures (fun kp -> ++ (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) +diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst +--- extraction/Libcrux.Kem.fst 1970-01-01 01:00:00 ++++ extraction-edited/Libcrux.Kem.fst 2024-02-22 11:01:52 +@@ -0,0 +1,6 @@ ++module Libcrux.Kem ++#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" ++open Core ++open FStar.Mul ++ + -+val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ : Pure (t_Array u8 (sz 384)) -+ (requires True) -+ (ensures (fun res -> -+ let coefficients: t_Array _ (sz 256) = Spec.Kyber.map' Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative re.f_coefficients in -+ int_t_array_bitwise_eq res 8 coefficients 12 -+ )) -diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.Kyber.Types.fst ---- extraction/Libcrux.Kem.Kyber.Types.fst 2024-02-20 10:46:13.801094166 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-20 10:46:13.877092637 +0100 -@@ -50,7 +50,9 @@ - let impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : usize = v_SIZE - - let impl_6__split_at (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) (mid: usize) -- : (t_Slice u8 & t_Slice u8) = -+ : Pure (t_Slice u8 & t_Slice u8) -+ (requires (mid <=. v_SIZE)) -+ (ensures (fun (x,y) -> Seq.length x == v mid /\ Seq.length y == v (v_SIZE -! mid))) = - Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid - - type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } -@@ -100,7 +102,9 @@ - let impl_12__len (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) : usize = v_SIZE - - let impl_12__split_at (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) (mid: usize) -- : (t_Slice u8 & t_Slice u8) = -+ : Pure (t_Slice u8 & t_Slice u8) -+ (requires (mid <=. v_SIZE)) -+ (ensures (fun (x,y) -> Seq.length x == v mid /\ Seq.length y == v (v_SIZE -! mid))) = - Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid - - type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } -@@ -150,7 +154,9 @@ - let impl_18__len (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) : usize = v_SIZE - - let impl_18__split_at (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) (mid: usize) -- : (t_Slice u8 & t_Slice u8) = -+ : Pure (t_Slice u8 & t_Slice u8) -+ (requires (mid <=. v_SIZE)) -+ (ensures (fun (x,y) -> Seq.length x == v mid /\ Seq.length y == v (v_SIZE -! mid))) = - Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid - - type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_platform.Platform.fsti ---- extraction/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux_platform.Platform.fsti 2024-02-20 10:46:13.873092717 +0100 +--- extraction/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 ++++ extraction-edited/Libcrux_platform.Platform.fsti 2024-02-22 11:01:52 @@ -0,0 +1,20 @@ +module Libcrux_platform.Platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7493,8 +7462,8 @@ diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_pl + +val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst ---- extraction/MkSeq.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/MkSeq.fst 2024-02-20 10:46:13.841093361 +0100 +--- extraction/MkSeq.fst 1970-01-01 01:00:00 ++++ extraction-edited/MkSeq.fst 2024-02-22 11:01:52 @@ -0,0 +1,91 @@ +module MkSeq +open Core @@ -7588,8 +7557,8 @@ diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst + +%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction/Spec.Kyber.fst extraction-edited/Spec.Kyber.fst ---- extraction/Spec.Kyber.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Spec.Kyber.fst 2024-02-20 10:46:13.884092496 +0100 +--- extraction/Spec.Kyber.fst 1970-01-01 01:00:00 ++++ extraction-edited/Spec.Kyber.fst 2024-02-22 11:01:52 @@ -0,0 +1,433 @@ +module Spec.Kyber +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" diff --git a/proofs/fstar/extraction-secret-independent.patch b/proofs/fstar/extraction-secret-independent.patch index 11e71ed88..d7b3bc1b8 100644 --- a/proofs/fstar/extraction-secret-independent.patch +++ b/proofs/fstar/extraction-secret-independent.patch @@ -1,6 +1,6 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq.fst ---- extraction-edited/BitVecEq.fst 2024-02-20 10:46:13.853093120 +0100 -+++ extraction-secret-independent/BitVecEq.fst 1970-01-01 01:00:00.000000000 +0100 +--- extraction-edited/BitVecEq.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/BitVecEq.fst 1970-01-01 01:00:00 @@ -1,12 +0,0 @@ -module BitVecEq - @@ -15,8 +15,8 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq. - - diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq.fsti ---- extraction-edited/BitVecEq.fsti 2024-02-20 10:46:13.894092295 +0100 -+++ extraction-secret-independent/BitVecEq.fsti 1970-01-01 01:00:00.000000000 +0100 +--- extraction-edited/BitVecEq.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/BitVecEq.fsti 1970-01-01 01:00:00 @@ -1,294 +0,0 @@ -module BitVecEq -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -313,8 +313,8 @@ diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq - = admit () -*) diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Libcrux.Digest.fsti ---- extraction-edited/Libcrux.Digest.fsti 2024-02-20 10:46:13.890092375 +0100 -+++ extraction-secret-independent/Libcrux.Digest.fsti 2024-02-20 10:46:13.916091852 +0100 +--- extraction-edited/Libcrux.Digest.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Digest.fsti 2024-02-22 11:01:52 @@ -1,31 +1,41 @@ module Libcrux.Digest #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -326,28 +326,6 @@ diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Li - : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) - Prims.l_True - (fun _ -> Prims.l_True) -- --val sha3_256_ (payload: t_Slice u8) -- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -- --val sha3_512_ (payload: t_Slice u8) -- : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -- --val shake128 (v_LEN: usize) (data: t_Slice u8) -- : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -- --val shake256 (v_LEN: usize) (data: t_Slice u8) -- : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -- --val shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) -- : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) -- Prims.l_True -- (fun _ -> Prims.l_True) -- --val shake128x4 (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) -- : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) -- Prims.l_True -- (fun _ -> Prims.l_True) +type t_Algorithm = + | Algorithm_Sha1 : t_Algorithm + | Algorithm_Sha224 : t_Algorithm @@ -360,7 +338,9 @@ diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Li + | Algorithm_Sha3_256_ : t_Algorithm + | Algorithm_Sha3_384_ : t_Algorithm + | Algorithm_Sha3_512_ : t_Algorithm -+ + +-val sha3_256_ (payload: t_Slice u8) +- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +let digest_size (mode: t_Algorithm) : usize = + match mode with + | Algorithm_Sha1 -> sz 20 @@ -374,19 +354,33 @@ diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Li + | Algorithm_Sha3_256_ -> sz 32 + | Algorithm_Sha3_384_ -> sz 48 + | Algorithm_Sha3_512_ -> sz 64 -+ + +-val sha3_512_ (payload: t_Slice u8) +- : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) +val sha3_256_ (payload: t_Slice u8) : t_Array u8 (sz 32) -+ + +-val shake128 (v_LEN: usize) (data: t_Slice u8) +- : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) +val sha3_512_ (payload: t_Slice u8) : t_Array u8 (sz 64) -+ + +-val shake256 (v_LEN: usize) (data: t_Slice u8) +- : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) +val shake128 (v_LEN: usize) (data: t_Slice u8) : t_Array u8 v_LEN -+ + +-val shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) +- : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) +- Prims.l_True +- (fun _ -> Prims.l_True) +val shake128x4 (v_LEN: usize) (data0: t_Slice u8) (data1: t_Slice u8) (data2: t_Slice u8) (data3: t_Slice u8): (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) -+ + +-val shake128x4 (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) +- : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) +- Prims.l_True +- (fun _ -> Prims.l_True) +val shake256 (v_LEN: usize) (data: t_Slice u8) : t_Array u8 v_LEN diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-20 10:46:13.874092697 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-20 10:46:13.944091288 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-22 11:01:52 @@ -1,364 +1,81 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -628,20 +622,20 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i - }; - res -#pop-options -- --let montgomery_multiply_sfe_by_fer fe fer = -- montgomery_reduce (mul_i32_b fe fer) + let c:i32 = k_times_modulus >>! v_MONTGOMERY_SHIFT in + let value_high:i32 = value >>! v_MONTGOMERY_SHIFT in + value_high -! c +-let montgomery_multiply_sfe_by_fer fe fer = +- montgomery_reduce (mul_i32_b fe fer) +let montgomery_multiply_sfe_by_fer (fe fer: i32) = montgomery_reduce (fe *! fer <: i32) --let to_standard_domain mfe = -- montgomery_reduce (mul_i32_b mfe (v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32_b 1353)) +let to_standard_domain (mfe: i32) = + montgomery_reduce (mfe *! v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32) +-let to_standard_domain mfe = +- montgomery_reduce (mul_i32_b mfe (v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32_b 1353)) +- -let to_unsigned_representative fe = +let to_unsigned_representative (fe: i32) = let _:Prims.unit = () <: Prims.unit in @@ -659,7 +653,10 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i - assert (v fe < 0 ==> v res == v fe + 3329); - assert (v fe >= 0 ==> v res == v fe); - res <: int_t_d u16_inttype 12 -- ++ cast (fe +! (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS &. (fe >>! 31l <: i32) <: i32) <: i32) ++ <: ++ u16 + -let derefine_poly_b #b x = - let r = createi (sz 256) (fun i -> (x.f_coefficients.[i] <: i32)) in - {f_coefficients = r} @@ -671,10 +668,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i -let derefine_matrix_b #v_K #b x = - let r = createi v_K (fun i -> derefine_vector_b #v_K #b x.[i]) in - r -+ cast (fe +! (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS &. (fe >>! 31l <: i32) <: i32) <: i32) -+ <: -+ u16 - +- -let cast_poly_b #b1 #b2 x = - let r = createi (sz 256) (fun i -> (x.f_coefficients.[i] <: i32_b b2)) in - let res = {f_coefficients = r} in @@ -791,8 +785,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i - - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-20 10:46:13.856093059 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-20 10:46:13.936091449 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-22 11:01:52 @@ -3,32 +3,10 @@ open Core open FStar.Mul @@ -841,13 +835,13 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- let v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i32 = 1353l -let v_MONTGOMERY_SHIFT: u8 = 16uy -- --val v_MONTGOMERY_R: x:i32{v x = pow2 16 /\ x = 65536l} +let v_MONTGOMERY_SHIFT: pub_u8 = 16uy --val v_MONTGOMERY_R_INV: x:i32{v x >= 0 /\ v x < 3329 /\ (v x * v v_MONTGOMERY_R) % 3329 == 1 /\ x = 169l} +-val v_MONTGOMERY_R: x:i32{v x = pow2 16 /\ x = 65536l} +let v_MONTGOMERY_R: i32 = 1l <= 0 /\ v x < 3329 /\ (v x * v v_MONTGOMERY_R) % 3329 == 1 /\ x = 169l} +- -let int_to_spec_fe (m:int) : Spec.Kyber.field_element = - let m_v = m % v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS in - assert (m_v > - v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS); @@ -878,11 +872,21 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- fun result -> let result:u32 = result in - v result = v value % pow2 (v n)) -- ++ v result < v (Core.Num.impl__u32__pow 2ul (Core.Convert.f_into n <: u32) <: u32)) + -//let barrett_pre (value:i32) = -// v value <= v v_BARRETT_R /\ v value >= - v v_BARRETT_R -// Appears to work up to +/- 2^28, but not at +/- 2^29 -+ v result < v (Core.Num.impl__u32__pow 2ul (Core.Convert.f_into n <: u32) <: u32)) ++val barrett_reduce (value: i32) ++ : Prims.Pure i32 ++ (requires ++ v (Core.Convert.f_from value <: i64) > v (Core.Ops.Arith.Neg.neg v_BARRETT_R <: i64) && ++ v (Core.Convert.f_from value <: i64) < v v_BARRETT_R) ++ (ensures ++ fun result -> ++ let result:i32 = result in ++ v result > v (Core.Ops.Arith.Neg.neg Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) && ++ v result < v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS) -let barrett_post (value:i32) (result:i32) = - v result % v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS = @@ -901,18 +905,29 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- -val montgomery_reduce #b (value: i32_b b) - : Prims.Pure (i32_b (nat_div_ceil b (v v_MONTGOMERY_R) + 1665)) - (requires True) -+val barrett_reduce (value: i32) ++val montgomery_reduce (value: i32) + : Prims.Pure i32 + (requires -+ v (Core.Convert.f_from value <: i64) > v (Core.Ops.Arith.Neg.neg v_BARRETT_R <: i64) && -+ v (Core.Convert.f_from value <: i64) < v v_BARRETT_R) ++ v value >= ++ v ((Core.Ops.Arith.Neg.neg Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) *! ++ v_MONTGOMERY_R ++ <: ++ i32) && ++ v value <= v (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS *! v_MONTGOMERY_R <: i32)) (ensures fun result -> let result:i32 = result in - montgomery_post value result) -- -+ v result > v (Core.Ops.Arith.Neg.neg Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) && -+ v result < v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS) ++ v result >= ++ v ((Core.Ops.Arith.Neg.neg (3l *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: i32 ++ ) /! ++ 2l ++ <: ++ i32) && ++ v result <= v ((3l *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) /! 2l <: i32)) + ++val montgomery_multiply_sfe_by_fer (fe fer: i32) ++ : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_sfe_by_fer #b1 #b2 (fe:i32_b b1) (fer: i32_b b2) - : Pure (i32_b (nat_div_ceil (b1 * b2) (v v_MONTGOMERY_R) + 1665)) @@ -920,7 +935,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- - (ensures (fun result -> - montgomery_post (mul_i32_b fe fer) (result))) - -- ++val to_standard_domain (mfe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + -val to_standard_domain #b (mfe: i32_b b) - : Pure (i32_b (nat_div_ceil (b * 1353) (v v_MONTGOMERY_R) + 1665)) - (requires (b * 1353 < pow2_31)) @@ -931,31 +947,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- -val to_unsigned_representative (fe: wfFieldElement) - : Prims.Pure (int_t_d u16_inttype 12) - (requires True) -+val montgomery_reduce (value: i32) -+ : Prims.Pure i32 -+ (requires -+ v value >= -+ v ((Core.Ops.Arith.Neg.neg Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) *! -+ v_MONTGOMERY_R -+ <: -+ i32) && -+ v value <= v (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS *! v_MONTGOMERY_R <: i32)) -+ (ensures -+ fun result -> -+ let result:i32 = result in -+ v result >= -+ v ((Core.Ops.Arith.Neg.neg (3l *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: i32 -+ ) /! -+ 2l -+ <: -+ i32) && -+ v result <= v ((3l *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) /! 2l <: i32)) -+ -+val montgomery_multiply_sfe_by_fer (fe fer: i32) -+ : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -+ -+val to_standard_domain (mfe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -+ +val to_unsigned_representative (fe: i32) + : Prims.Pure u16 + (requires @@ -967,11 +958,16 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- - v result == to_spec_fe fe /\ - result >=. 0us && - result <. (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16)) -- ++ v result >= v 0us && ++ v result < v (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16)) + -type t_PolynomialRingElement = { f_coefficients:t_Array (t_FieldElement) (sz 256) } -- ++type t_PolynomialRingElement = { f_coefficients:t_Array i32 (sz 256) } + -type t_PolynomialRingElement_b b = { f_coefficients:t_Array (i32_b b) (sz 256) } -- ++let impl__PolynomialRingElement__ZERO: t_PolynomialRingElement = ++ { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 256) } <: t_PolynomialRingElement + -type wfPolynomialRingElement = t_PolynomialRingElement_b (v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS - 1) - -val derefine_poly_b (#b1:nat) (x:t_PolynomialRingElement_b b1): @@ -1093,14 +1089,9 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- - (ensures fun result -> - (forall i. v result.f_coefficients.[i] == v lhs.f_coefficients.[i] + v rhs.f_coefficients.[i])) - -+ v result >= v 0us && -+ v result < v (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u16)) - -+type t_PolynomialRingElement = { f_coefficients:t_Array i32 (sz 256) } - -+let impl__PolynomialRingElement__ZERO: t_PolynomialRingElement = -+ { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 256) } <: t_PolynomialRingElement - +- +- +- +val add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) + : Prims.Pure t_PolynomialRingElement + (requires @@ -1149,8 +1140,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-20 10:46:13.847093240 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-02-20 10:46:13.925091671 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-02-22 11:01:52 @@ -1,79 +1,39 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 0 --z3rlimit 200" @@ -1159,12 +1150,27 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-ind open FStar.Mul -let compress_message_coefficient fe = -- let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in ++let compress_ciphertext_coefficient (coefficient_bits: pub_u8) (fe: u16) = ++ let _:Prims.unit = () <: Prims.unit in ++ let _:Prims.unit = () <: Prims.unit in ++ let compressed:u64 = (cast (fe <: u16) <: u64) <>! 35l in ++ cast (Libcrux.Kem.Kyber.Arithmetic.get_n_least_significant_bits coefficient_bits ++ (cast (compressed <: u64) <: u32) ++ <: ++ u32) ++ <: ++ i32 ++ ++let compress_message_coefficient (fe: u16) = + let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in - assert (v shifted == 1664 - v fe); -- let mask:i16 = shifted >>! 15l in + let mask:i16 = shifted >>! 15l in - assert (v mask = v shifted / pow2 15); - assert (if v shifted < 0 then mask = ones else mask = zero); -- let shifted_to_positive:i16 = mask ^. shifted in + let shifted_to_positive:i16 = mask ^. shifted in - logxor_lemma shifted mask; - assert (v shifted < 0 ==> v shifted_to_positive = v (lognot shifted)); - neg_equiv_lemma shifted; @@ -1174,7 +1180,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-ind - assert (v shifted >= 0 ==> mask ^. shifted = shifted); - assert (v shifted >= 0 ==> v shifted_to_positive = v shifted); - assert (shifted_to_positive >=. 0s); -- let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in + let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in - assert (1664 - v fe >= 0 ==> v shifted_positive_in_range == 832 - v fe); - assert (1664 - v fe < 0 ==> v shifted_positive_in_range == -2497 + v fe); - let r0 = shifted_positive_in_range >>! 15l in @@ -1189,9 +1195,10 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-ind - assert (v fe > 2496 ==> r1 = 0s); - assert (v res = v r1); - res -- ++ cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8 + -let compress_ciphertext_coefficient coefficient_bits fe = -+let compress_ciphertext_coefficient (coefficient_bits: pub_u8) (fe: u16) = ++let decompress_ciphertext_coefficient (coefficient_bits: pub_u8) (fe: i32) = let _:Prims.unit = () <: Prims.unit in let _:Prims.unit = () <: Prims.unit in - let compressed:u32 = (cast (fe <: u16) <: u32) <>! 35l in -+ cast (Libcrux.Kem.Kyber.Arithmetic.get_n_least_significant_bits coefficient_bits -+ (cast (compressed <: u64) <: u32) -+ <: -+ u32) - <: - i32 +- <: +- i32 - in - res - +- -#push-options "--z3rlimit 300" -let decompress_ciphertext_coefficient coefficient_bits fe = -+let compress_message_coefficient (fe: u16) = -+ let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in -+ let mask:i16 = shifted >>! 15l in -+ let shifted_to_positive:i16 = mask ^. shifted in -+ let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in -+ cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8 -+ -+let decompress_ciphertext_coefficient (coefficient_bits: pub_u8) (fe: i32) = - let _:Prims.unit = () <: Prims.unit in - let _:Prims.unit = () <: Prims.unit in +- let _:Prims.unit = () <: Prims.unit in +- let _:Prims.unit = () <: Prims.unit in - assert (v (1ul < -- let result:i32 = result in ++ v fe >= v 0l && ++ v fe < v (Core.Num.impl__i32__pow 2l (cast (coefficient_bits <: u8) <: u32) <: i32)) + (ensures + fun result -> + let result:i32 = result in - result >=. 0l && - result <. (Core.Num.impl__i32__pow 2l (cast (coefficient_bits <: u8) <: u32) <: i32)) -- ++ v result < v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS) + -open Rust_primitives.Integers - -val decompress_ciphertext_coefficient @@ -1314,22 +1308,19 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-in - (fe: int_t_d i32_inttype (v coefficient_bits)) - : Prims.Pure (Libcrux.Kem.Kyber.Arithmetic.i32_b (v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS - 1)) - (requires True) -+ v fe >= v 0l && -+ v fe < v (Core.Num.impl__i32__pow 2l (cast (coefficient_bits <: u8) <: u32) <: i32)) - (ensures - fun result -> - let result:i32 = result in +- (ensures +- fun result -> +- let result:i32 = result in - result <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS) -+ v result < v Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS) - +- val decompress_message_coefficient (fe: i32) - : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfFieldElement - (requires fe =. 0l || fe =. 1l) - (fun result -> v result >= 0 /\ v result < 3329) + : Prims.Pure i32 (requires fe =. 0l || fe =. 1l) (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-20 10:46:13.860092979 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-20 10:46:13.908092013 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-22 11:01:52 @@ -4,163 +4,61 @@ open FStar.Mul @@ -1518,8 +1509,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-s -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-20 10:46:13.876092657 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-20 10:46:13.939091389 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-22 11:01:52 @@ -20,26 +20,30 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1562,8 +1553,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction- + let _:Prims.unit = temp_0_ in + result = rhs <: bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst ---- extraction-edited/Libcrux.Kem.Kyber.Conversions.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-02-20 10:46:13.905092073 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Conversions.fst 1970-01-01 01:00:00 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-02-22 11:01:52 @@ -0,0 +1,87 @@ +module Libcrux.Kem.Kyber.Conversions +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1652,401 +1643,11 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret- + +let to_unsigned_representative (fe: i32) : u16 = + cast (fe +! ((fe >>! 15l <: i32) &. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32)) <: u16 -\ Pas de fin de ligne ร  la fin du fichier -diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/Libcrux.Kem.Kyber.fst ---- extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-20 10:46:13.851093160 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-02-20 10:46:13.922091731 +0100 -@@ -1,29 +1,12 @@ - module Libcrux.Kem.Kyber --#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" - open Core - open FStar.Mul - --let update_at_range_lemma #n -- (s: t_Slice 't) -- (i: Core.Ops.Range.t_Range (int_t n) {(Core.Ops.Range.impl_index_range_slice 't n).in_range s i}) -- (x: t_Slice 't) -- : Lemma -- (requires (Seq.length x == v i.f_end - v i.f_start)) -- (ensures ( -- let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in -- let len = v i.f_start in -- forall (i: nat). i < len ==> Seq.index s i == Seq.index s' i -- )) -- [SMTPat (Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x)] -- = let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in -- let len = v i.f_start in -- introduce forall (i:nat {i < len}). Seq.index s i == Seq.index s' i -- with (assert ( Seq.index (Seq.slice s 0 len) i == Seq.index s i -- /\ Seq.index (Seq.slice s' 0 len) i == Seq.index s' i )) -- --let serialize_kem_secret_key #p -+let serialize_kem_secret_key - (v_SERIALIZED_KEY_LEN: usize) -- (private_key public_key implicit_rejection_value: t_Slice u8) = -+ (private_key public_key implicit_rejection_value: t_Slice u8) -+ = - let out:t_Array u8 v_SERIALIZED_KEY_LEN = Rust_primitives.Hax.repeat 0uy v_SERIALIZED_KEY_LEN in - let pointer:usize = sz 0 in - let out:t_Array u8 v_SERIALIZED_KEY_LEN = -@@ -72,8 +55,6 @@ - t_Slice u8) - in - let pointer:usize = pointer +! (Core.Slice.impl__len public_key <: usize) in -- let h_public_key = (Rust_primitives.unsize (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) -- <: t_Slice u8) in - let out:t_Array u8 v_SERIALIZED_KEY_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ -@@ -89,7 +70,16 @@ - pointer +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE <: usize - } - <: -- Core.Ops.Range.t_Range usize ]) h_public_key) -+ Core.Ops.Range.t_Range usize ] -+ <: -+ t_Slice u8) -+ (Rust_primitives.unsize (Libcrux.Kem.Kyber.Hash_functions.v_H public_key -+ <: -+ t_Array u8 (sz 32)) -+ <: -+ t_Slice u8) -+ <: -+ t_Slice u8) - in - let pointer:usize = pointer +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE in - let out:t_Array u8 v_SERIALIZED_KEY_LEN = -@@ -116,32 +106,14 @@ - <: - t_Slice u8) - in -- assert (Seq.slice out 0 (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p)) `Seq.equal` private_key); -- assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p)) -- (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p)) `Seq.equal` public_key); -- assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! -- Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p)) -- (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! -- Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! -- Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)) -- `Seq.equal` Libcrux.Kem.Kyber.Hash_functions.v_H public_key); -- assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! -- Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! -- Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)) -- (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! -- Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! -- Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE +! -- Spec.Kyber.v_SHARED_SECRET_SIZE)) -- == implicit_rejection_value); -- lemma_slice_append_4 out private_key public_key (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) implicit_rejection_value; - out - --let decapsulate #p -+let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) -- (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) -- (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = -- let orig_secret_key = secret_key.f_value in -+ (secret_key: Libcrux.Kem.Kyber.Types.t_KyberPrivateKey v_SECRET_KEY_SIZE) -+ (ciphertext: Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE) -+ = - let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = - Libcrux.Kem.Kyber.Types.impl_12__split_at v_SECRET_KEY_SIZE secret_key v_CPA_SECRET_KEY_SIZE - in -@@ -151,12 +123,8 @@ - let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at secret_key Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE - in -- assert (ind_cpa_secret_key == slice orig_secret_key (sz 0) v_CPA_SECRET_KEY_SIZE); -- assert (ind_cpa_public_key == slice orig_secret_key v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE)); -- assert (ind_cpa_public_key_hash == slice orig_secret_key (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)); -- assert (implicit_rejection_value == slice orig_secret_key (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE) (length orig_secret_key)); - let decrypted:t_Array u8 (sz 32) = -- Libcrux.Kem.Kyber.Ind_cpa.decrypt #p v_K -+ Libcrux.Kem.Kyber.Ind_cpa.decrypt v_K - v_CIPHERTEXT_SIZE - v_C1_SIZE - v_VECTOR_U_COMPRESSION_FACTOR -@@ -184,9 +152,6 @@ - <: - t_Slice u8) - in -- lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; -- assert (decrypted == Spec.Kyber.ind_cpa_decrypt p ind_cpa_secret_key ciphertext.f_value); -- assert (to_hash == concat decrypted ind_cpa_public_key_hash); - let hashed:t_Array u8 (sz 64) = - Libcrux.Kem.Kyber.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) - in -@@ -194,10 +159,6 @@ - Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) - Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE - in -- assert ((shared_secret,pseudorandomness) == split hashed Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE); -- assert (length implicit_rejection_value = v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE); -- assert (length implicit_rejection_value = Spec.Kyber.v_SHARED_SECRET_SIZE); -- assert (Spec.Kyber.v_SHARED_SECRET_SIZE <=. Spec.Kyber.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE p); - let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = - Libcrux.Kem.Kyber.Ind_cpa.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE -@@ -219,14 +180,11 @@ - <: - t_Slice u8) - in -- lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value; - let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Libcrux.Kem.Kyber.Hash_functions.v_PRF (sz 32) (Rust_primitives.unsize to_hash <: t_Slice u8) - in -- assert (implicit_rejection_shared_secret == Spec.Kyber.v_J to_hash); -- assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE); - let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = -- Libcrux.Kem.Kyber.Ind_cpa.encrypt #p v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE -+ Libcrux.Kem.Kyber.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE ind_cpa_public_key decrypted - pseudorandomness -@@ -236,18 +194,16 @@ - (Core.Convert.f_as_ref ciphertext <: t_Slice u8) - (Rust_primitives.unsize expected_ciphertext <: t_Slice u8) - in -- let res = - Libcrux.Kem.Kyber.Constant_time_ops.select_shared_secret_in_constant_time shared_secret - (Rust_primitives.unsize implicit_rejection_shared_secret <: t_Slice u8) - selector -- in -- res - --let encapsulate #p -+let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) -- (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -- (randomness: t_Array u8 (sz 32)) = -+ (public_key: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) -+ (randomness: t_Array u8 (sz 32)) -+ = - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux.Kem.Kyber.Ind_cpa.into_padded_array (sz 64) - (Rust_primitives.unsize randomness <: t_Slice u8) -@@ -278,10 +234,6 @@ - <: - t_Slice u8) - in -- assert (Seq.slice to_hash 0 (v Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE) == randomness); -- lemma_slice_append to_hash randomness (Spec.Kyber.v_H public_key.f_value); -- assert (to_hash == concat randomness (Spec.Kyber.v_H public_key.f_value)); -- - let hashed:t_Array u8 (sz 64) = - Libcrux.Kem.Kyber.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) - in -@@ -290,7 +242,7 @@ - Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = -- Libcrux.Kem.Kyber.Ind_cpa.encrypt #p v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE -+ Libcrux.Kem.Kyber.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE - (Rust_primitives.unsize (Libcrux.Kem.Kyber.Types.impl_18__as_slice v_PUBLIC_KEY_SIZE -@@ -300,42 +252,23 @@ - <: - t_Slice u8) randomness pseudorandomness - in -- Core.Convert.f_into ciphertext, -- Core.Result.impl__unwrap (Core.Convert.f_try_into shared_secret -- <: -- Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) -- <: -- (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -- --#push-options "--z3rlimit 100" --let validate_public_key #p -- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) -- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) -- = -- let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = -- Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key #p v_K -- (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } -+ let shared_secret:t_Array u8 (sz 32) = -+ match Core.Convert.f_try_into shared_secret with -+ | Core.Result.Result_Ok shared_secret -> shared_secret -+ | Core.Result.Result_Err _ -> -+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" - <: -- Core.Ops.Range.t_RangeTo usize ]) -+ Rust_primitives.Hax.t_Never) - in -- let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = -- Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key #p v_K -- v_RANKED_BYTES_PER_RING_ELEMENT -- v_PUBLIC_KEY_SIZE -- pk -- (public_key.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } -- <: -- Core.Ops.Range.t_RangeFrom usize ] -- <: -- t_Slice u8) -- in -- public_key =. public_key_serialized --#pop-options -+ Core.Convert.f_into ciphertext, shared_secret -+ <: -+ (Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - --let generate_keypair #p -+let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) -- (randomness: t_Array u8 (sz 64)) = -+ (randomness: t_Array u8 (sz 64)) -+ = - let ind_cpa_keypair_randomness:t_Slice u8 = - randomness.[ { - Core.Ops.Range.f_start = sz 0; -@@ -353,7 +286,7 @@ - in - let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & - t_Array u8 v_PUBLIC_KEY_SIZE) = -- Libcrux.Kem.Kyber.Ind_cpa.generate_keypair #p v_K -+ Libcrux.Kem.Kyber.Ind_cpa.generate_keypair v_K - v_CPA_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_BYTES_PER_RING_ELEMENT -@@ -362,17 +295,16 @@ - ind_cpa_keypair_randomness - in - let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = -- serialize_kem_secret_key #p v_PRIVATE_KEY_SIZE -+ serialize_kem_secret_key v_PRIVATE_KEY_SIZE - (Rust_primitives.unsize ind_cpa_private_key <: t_Slice u8) - (Rust_primitives.unsize public_key <: t_Slice u8) - implicit_rejection_value - in -- let (private_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE):Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey -+ let (private_key: Libcrux.Kem.Kyber.Types.t_KyberPrivateKey v_PRIVATE_KEY_SIZE):Libcrux.Kem.Kyber.Types.t_KyberPrivateKey - v_PRIVATE_KEY_SIZE = - Core.Convert.f_from secret_key_serialized - in - Libcrux.Kem.Kyber.Types.impl__from v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - private_key -- (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -- -+ (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) -diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent/Libcrux.Kem.Kyber.fsti ---- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-20 10:46:13.888092415 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-02-20 10:46:13.930091570 +0100 -@@ -4,90 +4,37 @@ - open FStar.Mul - - unfold --let t_MlKemSharedSecret = t_Array u8 (sz 32) -+let t_KyberSharedSecret = t_Array u8 (sz 32) - - let v_KEY_GENERATION_SEED_SIZE: usize = - Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! - Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE - --val serialize_kem_secret_key (#p:Spec.Kyber.params) -+val serialize_kem_secret_key - (v_SERIALIZED_KEY_LEN: usize) - (private_key public_key implicit_rejection_value: t_Slice u8) -- : Pure (t_Array u8 v_SERIALIZED_KEY_LEN) -- (requires (length private_key == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ -- length public_key == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -- length implicit_rejection_value == Spec.Kyber.v_SHARED_SECRET_SIZE /\ -- v_SERIALIZED_KEY_LEN == Spec.Kyber.v_SECRET_KEY_SIZE p)) -- (ensures (fun res -> res == -- Seq.append private_key ( -- Seq.append public_key ( -- Seq.append (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) implicit_rejection_value)))) -+ : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) - --val decapsulate (#p:Spec.Kyber.params) -+val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) -- (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) -- (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) -- : Pure (t_Array u8 (sz 32)) -- (requires ( p == (let open Spec.Kyber in {v_RANK = v_K; v_ETA1; v_ETA2; v_VECTOR_U_COMPRESSION_FACTOR; v_VECTOR_V_COMPRESSION_FACTOR}) /\ -- Spec.Kyber.valid_params p /\ -- v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ -- v_ETA2_RANDOMNESS_SIZE == Spec.Kyber.v_ETA2_RANDOMNESS_SIZE p /\ -- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.Kyber.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE p /\ -- v_SECRET_KEY_SIZE == Spec.Kyber.v_SECRET_KEY_SIZE p /\ -- v_CPA_SECRET_KEY_SIZE == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ -- v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -- v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ -- v_C1_SIZE == Spec.Kyber.v_C1_SIZE p /\ -- v_C1_BLOCK_SIZE == Spec.Kyber.v_C1_BLOCK_SIZE p /\ -- v_C2_SIZE == Spec.Kyber.v_C2_SIZE p /\ -- v_T_AS_NTT_ENCODED_SIZE = Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p -- )) -- (ensures (fun res -> -- res == Spec.Kyber.ind_cca_decapsulate p secret_key.f_value ciphertext.f_value)) -+ (secret_key: Libcrux.Kem.Kyber.Types.t_KyberPrivateKey v_SECRET_KEY_SIZE) -+ (ciphertext: Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE) -+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - --val encapsulate (#p:Spec.Kyber.params) -+val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) -- (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -+ (public_key: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) -- : Pure (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -- (requires (p == (let open Spec.Kyber in {v_RANK = v_K; v_ETA1; v_ETA2; v_VECTOR_U_COMPRESSION_FACTOR; v_VECTOR_V_COMPRESSION_FACTOR}) /\ -- Spec.Kyber.valid_params p /\ -- v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ -- v_ETA2_RANDOMNESS_SIZE == Spec.Kyber.v_ETA2_RANDOMNESS_SIZE p /\ -- v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -- v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ -- v_C1_SIZE == Spec.Kyber.v_C1_SIZE p /\ -- v_C2_SIZE == Spec.Kyber.v_C2_SIZE p /\ -- v_T_AS_NTT_ENCODED_SIZE = Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p /\ -- v_VECTOR_U_BLOCK_LEN == Spec.Kyber.v_C1_BLOCK_SIZE p -- )) -- -- (ensures (fun (ct,ss) -> -- (ct.f_value,ss) == Spec.Kyber.ind_cca_encapsulate p public_key.f_value randomness)) -- --val validate_public_key (#p:Spec.Kyber.params) -- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) -- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) -- : Prims.Pure bool -- (requires (v_K == p.v_RANK /\ -- v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.Kyber.v_RANKED_BYTES_PER_RING_ELEMENT p -- )) -- (ensures (fun _ -> Prims.l_True)) -+ : Prims.Pure (Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -+ Prims.l_True -+ (fun _ -> Prims.l_True) - --val generate_keypair (#p:Spec.Kyber.params) -+val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) -- : Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -- (requires (v_K == p.v_RANK /\ v_ETA1 == p.v_ETA1 /\ -- v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ -- v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ -- v_CPA_PRIVATE_KEY_SIZE == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ -- v_PRIVATE_KEY_SIZE == Spec.Kyber.v_SECRET_KEY_SIZE p /\ -- v_BYTES_PER_RING_ELEMENT == Spec.Kyber.v_RANKED_BYTES_PER_RING_ELEMENT p -- )) -- (ensures (fun kp -> -- (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) -+ : Prims.Pure (Libcrux.Kem.Kyber.Types.t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -+ Prims.l_True -+ (fun _ -> Prims.l_True) -diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-20 10:46:13.858093019 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-20 10:46:13.929091590 +0100 -@@ -3,28 +3,18 @@ +\ No newline at end of file +diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-22 11:01:52 +@@ -3,28 +3,18 @@ open Core open FStar.Mul @@ -2113,8 +1714,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secr - out + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-20 10:46:13.893092315 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-20 10:46:13.906092053 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-22 11:01:52 @@ -3,17 +3,12 @@ open Core open FStar.Mul @@ -2140,8 +1741,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-sec +val v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) + : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst ---- extraction-edited/Libcrux.Kem.Kyber.Helper.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-02-20 10:46:13.937091429 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Helper.fst 1970-01-01 01:00:00 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-02-22 11:01:52 @@ -0,0 +1,6 @@ +module Libcrux.Kem.Kyber.Helper +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2150,8 +1751,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-indep + + diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-20 10:46:13.891092355 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-20 10:46:13.933091510 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-22 11:01:52 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2178,7 +1779,12 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - (prf_input: t_Array u8 (sz 33)) domain_separator = - let error_1_:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (pow2 (v v_ETA2) - 1)) v_K = - Rust_primitives.Hax.repeat (etaZero (sz (pow2 (v v_ETA2) - 1))) v_K -- in ++ (prf_input: t_Array u8 (sz 33)) ++ (domain_separator: u8) ++ = ++ let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K + in - let orig_domain_separator = domain_separator in - [@ inline_let] - let inv : inv_t v_K v_ETA2 = fun (acc:acc_t v_K v_ETA2) (i:usize) -> @@ -2189,12 +1795,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - else true in - let (domain_separator, prf_input, error_1_):acc_t v_K (v_ETA2) = - Rust_primitives.Iterators.foldi_range #_ #(acc_t v_K (v_ETA2)) #inv { -+ (prf_input: t_Array u8 (sz 33)) -+ (domain_separator: u8) -+ = -+ let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -+ in + let domain_separator, error_1_, prf_input:(u8 & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + t_Array u8 (sz 33)) = @@ -2255,7 +1855,12 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - (prf_input: t_Array u8 (sz 33)) domain_separator = - let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = - Rust_primitives.Hax.repeat (wfZero) v_K -- in ++ (prf_input: t_Array u8 (sz 33)) ++ (domain_separator: u8) ++ = ++ let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K + in - let orig_domain_separator = domain_separator in - [@ inline_let] - let inv: (u8 & t_Array u8 (sz 33) & t_Array (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) v_K) -> usize -> Type = fun acc i -> @@ -2266,12 +1871,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - else true in - let (domain_separator, prf_input, re_as_ntt):(u8 & t_Array u8 (sz 33) & t_Array (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) v_K)= - Rust_primitives.Iterators.foldi_range #_ #_ #inv { -+ (prf_input: t_Array u8 (sz 33)) -+ (domain_separator: u8) -+ = -+ let re_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -+ in + let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ @@ -2325,9 +1924,9 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde re_as_ntt, domain_separator <: - (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K & u8) -- + (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & u8) +- -let compress_then_serialize_u #p v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN input = +let compress_then_serialize_u + (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) @@ -2411,7 +2010,13 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) = - let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = - Rust_primitives.Hax.repeat wfZero v_K -- in ++let deserialize_then_decompress_u ++ (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) ++ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) ++ = ++ let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K + in - let acc_t1 = t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K in - [@ inline_let] - let inv = fun (acc:acc_t1) (i:usize) -> True in @@ -2419,13 +2024,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - { Core.Ops.Range.f_end = v_VECTOR_U_ENCODED_SIZE } <: Core.Ops.Range.t_RangeTo usize ] in - assert (length sl == v_VECTOR_U_ENCODED_SIZE); - let chunk_len = ((Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! -+let deserialize_then_decompress_u -+ (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) -+ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) -+ = -+ let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -+ in + let u_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate + (Core.Slice.impl__chunks_exact (Rust_primitives.unsize ciphertext <: t_Slice u8) @@ -2486,7 +2084,10 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - (v_K: usize) (public_key: t_Slice u8) = - let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = - Rust_primitives.Hax.repeat wfZero v_K -- in ++let deserialize_public_key (v_K: usize) (public_key: t_Slice u8) = ++ let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K + in - let acc_t = t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K in - [@ inline_let] - let inv = fun (acc:acc_t) (i:usize) -> True in @@ -2495,10 +2096,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - Rust_primitives.Iterators.foldi_chunks_exact #u8 #acc_t #inv - public_key - chunk_len -+let deserialize_public_key (v_K: usize) (public_key: t_Slice u8) = -+ let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -+ in + let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate + (Core.Slice.impl__chunks_exact public_key @@ -2530,12 +2127,16 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - admit(); //P-F - tt_as_ntt -#pop-options -- ++ tt_as_ntt + -#push-options "--split_queries always" -let deserialize_secret_key (#p:Spec.Kyber.params) (v_K: usize) (secret_key: t_Slice u8) = - let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = - Rust_primitives.Hax.repeat wfZero v_K -- in ++let deserialize_secret_key (v_K: usize) (secret_key: t_Slice u8) = ++ let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K + in - let acc_t = t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K in - [@ inline_let] - let inv = fun (acc:acc_t) (i:usize) -> True in @@ -2548,12 +2149,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - Rust_primitives.Iterators.foldi_chunks_exact #u8 #acc_t #inv - sl - chunk_len -+ tt_as_ntt -+ -+let deserialize_secret_key (v_K: usize) (secret_key: t_Slice u8) = -+ let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -+ in + let secret_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate + (Core.Slice.impl__chunks_exact secret_key @@ -2627,13 +2222,12 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - let res = Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message in - res -#pop-options -- ++ Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message + -#push-options "--z3rlimit 200" -let encrypt #p - v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE - public_key -+ Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message -+ +let encrypt + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) @@ -2866,8 +2460,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - res - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-20 10:46:13.881092556 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-20 10:46:13.903092113 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-22 11:01:52 @@ -1,151 +1,80 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2943,7 +2537,10 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind - (ensures fun res -> - Libcrux.Kem.Kyber.Arithmetic.to_spec_vector_b #p res == - Spec.Kyber.(vector_ntt (decode_then_decompress_u p (Seq.slice ciphertext 0 (v (Spec.Kyber.v_C1_SIZE p)))))) -- ++ : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) ++ Prims.l_True ++ (fun _ -> Prims.l_True) + -val deserialize_public_key (#p:Spec.Kyber.params) - (v_K: usize) (public_key: t_Array u8 (Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p)) - : Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) @@ -2961,21 +2558,17 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind - Libcrux.Kem.Kyber.Arithmetic.to_spec_vector_b #p res == - Spec.Kyber.vector_decode_12 #p secret_key) - -+ : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -+ Prims.l_True -+ (fun _ -> Prims.l_True) -+ +val deserialize_public_key (v_K: usize) (public_key: t_Slice u8) + : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + Prims.l_True + (fun _ -> Prims.l_True) -+ + +-val decrypt (#p:Spec.Kyber.params) +val deserialize_secret_key (v_K: usize) (secret_key: t_Slice u8) + : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + Prims.l_True + (fun _ -> Prims.l_True) - --val decrypt (#p:Spec.Kyber.params) ++ +val decrypt (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: usize) @@ -2990,9 +2583,9 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind - v_V_COMPRESSION_FACTOR == p.v_VECTOR_V_COMPRESSION_FACTOR)) - (ensures (fun res -> - res == Spec.Kyber.ind_cpa_decrypt p secret_key ciphertext)) -- + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +- -val encrypt (#p:Spec.Kyber.params) +val encrypt (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: @@ -3069,8 +2662,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-20 10:46:13.842093341 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-20 10:46:13.914091892 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-22 11:01:52 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -3119,8 +2712,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-in (sz 3168) (sz 1568) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-20 10:46:13.844093301 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-20 10:46:13.926091651 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-22 11:01:52 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ @@ -3166,8 +2759,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-i Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-20 10:46:13.863092918 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-20 10:46:13.949091188 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-22 11:01:52 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -3216,8 +2809,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-ind (sz 1632) (sz 800) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-20 10:46:13.839093401 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-20 10:46:13.912091932 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-22 11:01:52 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ @@ -3263,8 +2856,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-in Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-20 10:46:13.861092959 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-20 10:46:13.943091308 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-22 11:01:52 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -3313,8 +2906,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-ind (sz 2400) (sz 1184) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-20 10:46:13.850093180 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-20 10:46:13.918091812 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-22 11:01:52 @@ -63,33 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ @@ -3346,13 +2939,13 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-in + (public_key: Libcrux.Kem.Kyber.Types.t_KyberPublicKey (sz 1184)) (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) -- Prims.l_True ++ : Prims.Pure (Libcrux.Kem.Kyber.Types.t_KyberCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True - (ensures (fun (ct,ss)-> (ct.f_value,ss) == Spec.Kyber.kyber768_encapsulate public_key.f_value randomness)) - -val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184))) -+ : Prims.Pure (Libcrux.Kem.Kyber.Types.t_KyberCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True +- Prims.l_True (fun _ -> Prims.l_True) -val generate_key_pair (randomness: t_Array u8 (sz 64)) @@ -3363,8 +2956,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-in - (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-20 10:46:13.897092234 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-02-20 10:46:13.921091751 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-02-22 11:01:52 @@ -3,418 +3,432 @@ open Core open FStar.Mul @@ -3380,7 +2973,14 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - let wfZero: wfPolynomialRingElement = (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) in - let result:t_Array wfPolynomialRingElement v_K = - Rust_primitives.Hax.repeat wfZero v_K -- in ++let compute_As_plus_e ++ (v_K: usize) ++ (matrix_A: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) ++ (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) ++ = ++ let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K + in - [@ inline_let] - let inv0 = fun (acc:t_Array wfPolynomialRingElement v_K) (i:usize) -> - (v i <= v v_K) /\ @@ -3390,14 +2990,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - let result:t_Array wfPolynomialRingElement v_K = - Rust_primitives.Iterators.foldi_slice #(t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) #(t_Array wfPolynomialRingElement v_K) #inv0 - matrix_A -+let compute_As_plus_e -+ (v_K: usize) -+ (matrix_A: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) -+ (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -+ = -+ let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -+ in + let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate + (Core.Slice.impl__iter (Rust_primitives.unsize matrix_A @@ -3583,24 +3175,17 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - assert (forall (j:usize). (v j >= v i + 1 /\ v j < v v_K) ==> derefine_poly_b result.[j] == derefine_poly_b orig_result.[j]); - assume (inv0 result (i +! sz 1)); - result) -- in ++ Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement))) + in - admit(); //P-F - result -#pop-options -+ Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement))) -+ in + result -#push-options "--ifuel 0 --z3rlimit 100" -let compute_message #p v_K m_v secret_as_ntt u_as_ntt = - let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = - Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -- in -- let acc_t = Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) in -- [@ inline_let] -- let inv = fun (acc:acc_t) (i:usize) -> -- (v i <= v v_K) /\ -- (poly_range #(v v_K * 3328) acc (v i * 3328)) +let compute_message + (v_K: usize) + (v: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) @@ -3609,6 +3194,12 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO in +- let acc_t = Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) in +- [@ inline_let] +- let inv = fun (acc:acc_t) (i:usize) -> +- (v i <= v v_K) /\ +- (poly_range #(v v_K * 3328) acc (v i * 3328)) +- in - let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = - Rust_primitives.Iterators.foldi_range #_ #acc_t #inv { + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = @@ -3726,13 +3317,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep -let compute_ring_element_v v_K tt_as_ntt r_as_ntt error_2_ message = - let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = - Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -- in -- [@ inline_let] -- let inv = fun (acc:t_PolynomialRingElement_b (v v_K * 3328)) (i:usize) -> -- (v i <= 256) /\ -- (poly_range acc (v i * 3328)) in -- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = -- Rust_primitives.Iterators.foldi_range #_ #_ #inv ({ +let compute_ring_element_v + (v_K: usize) + (tt_as_ntt r_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) @@ -3740,7 +3324,13 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep + = + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- [@ inline_let] +- let inv = fun (acc:t_PolynomialRingElement_b (v v_K * 3328)) (i:usize) -> +- (v i <= 256) /\ +- (poly_range acc (v i * 3328)) in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = +- Rust_primitives.Iterators.foldi_range #_ #_ #inv ({ + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; @@ -3857,7 +3447,12 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - let wfZero: wfPolynomialRingElement = (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) in - let result:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = - Rust_primitives.Hax.repeat wfZero v_K -- in ++ (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) ++ (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) ++ = ++ let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = ++ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K + in - let acc_t = t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K in - [@ inline_let] - let inv0 = fun (acc:t_Array wfPolynomialRingElement v_K) (i:usize) -> @@ -3867,12 +3462,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - let result:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = - Rust_primitives.Iterators.foldi_slice #(t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) #acc_t #inv0 - a_as_ntt -+ (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) -+ (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -+ = -+ let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = -+ Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K -+ in + let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate + (Core.Slice.impl__iter (Rust_primitives.unsize a_as_ntt @@ -3974,7 +3563,11 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - (forall (j:usize). (v j > v i /\ v j < v v_K) ==> acc.[j] == orig_result_cast.[j]) /\ - (forall (j:usize). (v j < v inner) ==> (i32_range (acc.[i] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K * 3328)).f_coefficients.[j] 3328)) - // And all indexes above v inner are unchanged from result1 -- in ++ (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K ++ (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ <: ++ Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + in - assert (forall (j:usize). (v j < v i /\ v j < v v_K) ==> result.[j] == orig_result_cast.[j]); - assert (forall (j:usize). (v j > v i /\ v j < v v_K) ==> result.[j] == orig_result_cast.[j]); - assert (inv2 result (sz 0)); @@ -3983,11 +3576,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - } -+ (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K -+ (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ <: -+ Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ in + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end @@ -4173,8 +3761,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - admit(); //P-F v_A_transpose diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-20 10:46:13.880092576 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-20 10:46:13.940091369 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-22 11:01:52 @@ -3,71 +3,39 @@ open Core open FStar.Mul @@ -4195,13 +3783,13 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-inde - (to_spec_matrix_b #p matrix_A) - (to_spec_vector_b #p s_as_ntt) - (to_spec_vector_b #p error_as_ntt)) -- + (matrix_A: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) + (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + Prims.l_True + (fun _ -> Prims.l_True) +- -val compute_message (#p:Spec.Kyber.params) +val compute_message (v_K: usize) @@ -4256,7 +3844,12 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-inde - let e_spec = Libcrux.Kem.Kyber.Arithmetic.to_spec_vector_b #p error_1_ in - let res_spec = Libcrux.Kem.Kyber.Arithmetic.to_spec_vector_b #p res in - res_spec == Spec.Kyber.(vector_add (vector_inv_ntt (matrix_vector_mul a_spec r_spec)) e_spec)) -- ++ (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) ++ (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) ++ : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) ++ Prims.l_True ++ (fun _ -> Prims.l_True) + - - -val sample_matrix_A (#p:Spec.Kyber.params) (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) @@ -4266,19 +3859,13 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-inde - let matrix_A = Spec.Kyber.sample_matrix_A #p (Seq.slice seed 0 32) in - if transpose then Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == matrix_A - else Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == Spec.Kyber.matrix_transpose matrix_A) -+ (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) -+ (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -+ : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) -+ Prims.l_True -+ (fun _ -> Prims.l_True) -+ +val sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) + : Prims.Pure (t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-20 10:46:13.855093079 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-02-20 10:46:13.928091610 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-02-22 11:01:52 @@ -1,130 +1,56 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -4286,7 +3873,15 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ open Core open FStar.Mul -- ++let ntt_multiply_binomials (a0, a1: (i32 & i32)) (b0, b1: (i32 & i32)) (zeta: i32) = ++ Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((a0 *! b0 <: i32) +! ++ ((Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a1 *! b1 <: i32) <: i32) *! zeta <: i32) ++ <: ++ i32), ++ Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((a0 *! b1 <: i32) +! (a1 *! b0 <: i32) <: i32) ++ <: ++ (i32 & i32) + -let v_ZETAS_TIMES_MONTGOMERY_R = - let list : list (i32_b 1664) = - [ @@ -4356,15 +3951,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ - -#push-options "--ifuel 0 --z3rlimit 1200" -let invert_ntt_at_layer #v_K #b zeta_i re layer = -+let ntt_multiply_binomials (a0, a1: (i32 & i32)) (b0, b1: (i32 & i32)) (zeta: i32) = -+ Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((a0 *! b0 <: i32) +! -+ ((Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a1 *! b1 <: i32) <: i32) *! zeta <: i32) -+ <: -+ i32), -+ Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((a0 *! b1 <: i32) +! (a1 *! b0 <: i32) <: i32) -+ <: -+ (i32 & i32) -+ +let invert_ntt_at_layer + (zeta_i: usize) + (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) @@ -4599,7 +4185,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ in - re -#pop-options -- ++ re + -#push-options "--z3rlimit 500" -val mul_zeta_red2 (#b:nat{b <= 31175}) - (zeta_i:usize{v zeta_i >= 0 /\ v zeta_i <= 63} ) @@ -4617,8 +4204,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) in - red -#pop-options -+ re - +- -#push-options "--ifuel 0 --z3rlimit 5000" -let ntt_at_layer #b zeta_i re layer initial_coefficient_bound = - let step = sz 1 < (i32 & i32) -> zeta: i32 -+ -> Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) -+ -+val invert_ntt_at_layer -+ (zeta_i: usize) -+ (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ (layer: usize) -+ : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ Prims.l_True -+ (fun _ -> Prims.l_True) -+ -+val invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -+ Prims.l_True -+ (fun _ -> Prims.l_True) -val ntt_multiply_binomials (a:wfFieldElement&wfFieldElement) (b: wfFieldElement&wfFieldElement) (zeta: i32_b 1664) : - Pure (wfFieldElement & wfFieldElement) - (requires True) - (ensures (fun _ -> True)) -- ++val ntt_multiply_binomials: (i32 & i32) -> (i32 & i32) -> zeta: i32 ++ -> Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + -val invert_ntt_at_layer (#v_K:usize{v v_K >= 1 /\ v v_K <= 4}) - (#b:nat{b <= v v_K * 3328 * 64}) - (zeta_i: usize{v zeta_i >= 1 /\ v zeta_i <= 128}) @@ -5267,10 +4839,10 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen - v zeta_i == pow2 (8 - v layer) /\ - b == v v_K * 3328 * pow2(v layer - 1)}) - : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b)) -+val ntt_at_layer ++val invert_ntt_at_layer + (zeta_i: usize) + (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ (layer initial_coefficient_bound: usize) ++ (layer: usize) + : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) Prims.l_True - (fun x -> let (zeta_fin,re) = x in v zeta_fin == pow2 (7 - v layer)) @@ -5279,7 +4851,11 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen -val invert_ntt_montgomery (v_K: usize{v v_K >= 1 /\ v v_K <= 4}) - (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) - : Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64 * v v_K * 3328) -- ++val invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++ Prims.l_True ++ (fun _ -> Prims.l_True) + -val ntt_at_layer - (#b:nat{b <= 31175}) - (zeta_i: usize{v zeta_i < 128}) @@ -5291,7 +4867,14 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen - : Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b)) - (requires True) - (ensures fun (zeta_i, result) -> v zeta_i == pow2 (8 - v layer) - 1) -- ++val ntt_at_layer ++ (zeta_i: usize) ++ (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ (layer initial_coefficient_bound: usize) ++ : Prims.Pure (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ Prims.l_True ++ (fun _ -> Prims.l_True) + -val ntt_at_layer_3_ (#b:nat) - (zeta_i: usize{v zeta_i < 128}) - (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b b) @@ -5325,7 +4908,11 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen Prims.l_True - (ensures fun (zeta_i,result) -> v zeta_i == pow2 (8 - v layer) - 1) + (fun _ -> Prims.l_True) -+ + +-val ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7) +- : Prims.Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) +- (requires True) +- (ensures (fun _ -> True)) +val ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + (requires @@ -5379,7 +4966,13 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen + bool) + <: + bool)) -+ + +-val ntt_multiply (lhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) +- (rhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) +- : Prims.Pure (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) +- (requires True) +- (ensures (fun _ -> True)) +- +val ntt_multiply (lhs rhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + (requires @@ -5431,18 +5024,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen + bool) + <: + bool)) - --val ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7) -- : Prims.Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -- (requires True) -- (ensures (fun _ -> True)) -- --val ntt_multiply (lhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) -- (rhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) -- : Prims.Pure (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) -- (requires True) -- (ensures (fun _ -> True)) -- ++ val ntt_vector_u (v_VECTOR_U_COMPRESSION_FACTOR: usize) - (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328) @@ -5504,8 +5086,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-20 10:46:13.887092436 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-02-20 10:46:13.902092134 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-02-22 11:01:52 @@ -3,34 +3,27 @@ open Core open FStar.Mul @@ -5942,8 +5524,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-ind -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-20 10:46:13.895092274 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-20 10:46:13.935091469 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-22 11:01:52 @@ -3,37 +3,77 @@ open Core open FStar.Mul @@ -6044,8 +5626,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-in + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-20 10:46:13.845093281 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-02-20 10:46:13.919091791 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-02-22 11:01:52 @@ -1,15 +1,8 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 0 --z3rlimit 50 --retry 3" @@ -6188,12 +5770,11 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in - bit_vec_equal_intro_principle (); - coefficient1, coefficient2 -#pop-options -- ++ coefficient1, coefficient2 <: (i32 & i32) + -#push-options "--z3rlimit 400" -[@@"opaque_to_smt"] -let decompress_coefficients_5_ byte1 byte2 byte3 byte4 byte5 = -+ coefficient1, coefficient2 <: (i32 & i32) -+ +let decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: i32) = let coefficient1:i32 = byte1 &. 31l in let coefficient2:i32 = ((byte2 &. 3l <: i32) <>! 5l <: i32) in @@ -6219,7 +5800,9 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in coefficient7, coefficient8 -#pop-options -- ++ <: ++ (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) + -let cast_bound_lemma - #t #u - (n: int_t t) @@ -6246,9 +5829,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in -#pop-options - -#restart-solver -+ <: -+ (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) - +- -#push-options "--fuel 0 --ifuel 1 --query_stats --z3rlimit 100" -[@@"opaque_to_smt"] let compress_then_serialize_10_ @@ -7529,8 +7110,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in -#pop-options - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-20 10:46:13.883092516 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-20 10:46:13.910091973 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-22 11:01:52 @@ -2,188 +2,118 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7559,7 +7140,9 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - (create8 (coefficient1, coefficient2, coefficient3, coefficient4, coefficient5, coefficient6, coefficient7, coefficient8)) 11 - (create11 tuple) 8 - ) -- ++ Prims.l_True ++ (fun _ -> Prims.l_True) + -val compress_coefficients_3_ (coefficient1 coefficient2: int_t_d u16_inttype 12) - : Prims.Pure (u8 & u8 & u8) - (requires True) @@ -7568,9 +7151,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - (create2 (coefficient1, coefficient2)) 12 - (create3 tuple) 8 - ) -+ Prims.l_True -+ (fun _ -> Prims.l_True) -+ +val compress_coefficients_3_ (coefficient1 coefficient2: u16) + : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) @@ -7583,7 +7163,10 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - (create8 (coefficient1, coefficient2, coefficient3, coefficient4, coefficient5, coefficient6, coefficient7, coefficient8)) 5 - (create5 tuple) 8 - ) -- ++ (coefficient2 coefficient1 coefficient4 coefficient3 coefficient5 coefficient7 coefficient6 coefficient8: ++ u8) ++ : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + -private unfold type i32_d = int_t_d i32_inttype -val decompress_coefficients_10_ (byte2 byte1 byte3 byte4 byte5: int_t_d i32_inttype 8) - : Prims.Pure (i32_d 10 & i32_d 10 & i32_d 10 & i32_d 10) @@ -7593,10 +7176,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - (create5 (byte1, byte2, byte3, byte4, byte5)) 8 - (create4 #i32 (r1, r2, r3, r4)) 10 - ) -+ (coefficient2 coefficient1 coefficient4 coefficient3 coefficient5 coefficient7 coefficient6 coefficient8: -+ u8) -+ : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -+ +val decompress_coefficients_10_ (byte2 byte1 byte3 byte4 byte5: i32) + : Prims.Pure (i32 & i32 & i32 & i32) Prims.l_True (fun _ -> Prims.l_True) @@ -7622,7 +7201,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - (create1 byte) 8 - (create2 #i32 (r1, r2)) 4 - ) -- ++ : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + -val decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: int_t_d i32_inttype 8) - : Prims.Pure (i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5 & i32_d 5) - (requires True) @@ -7631,8 +7211,6 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - (create5 #i32 (byte1, byte2, byte3, byte4, byte5)) 8 - (create8 #i32 (r1, r2, r3, r4, r5, r6, r7, r8)) 5 - ) -+ : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) -+ +val decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: i32) + : Prims.Pure (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) + Prims.l_True @@ -7689,19 +7267,19 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - (requires True) - (ensures (fun res -> - res == -- Spec.Kyber.compress_then_encode_v p -- (Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b re))) -+ (v_COMPRESSION_FACTOR v_OUT_LEN: usize) -+ (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) -+ : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) -+ -+val compress_then_serialize_ring_element_v +- Spec.Kyber.compress_then_encode_v p +- (Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b re))) + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_then_decompress_10_ (serialized: t_Slice u8 {Seq.length serialized == 320}) - : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement ++val compress_then_serialize_ring_element_v ++ (v_COMPRESSION_FACTOR v_OUT_LEN: usize) ++ (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) ++ +val deserialize_then_decompress_10_ (serialized: t_Slice u8) + : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement Prims.l_True @@ -7773,7 +7351,10 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - : Pure (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) - (requires (length serialized == Spec.Kyber.v_BYTES_PER_RING_ELEMENT)) - (ensures fun _ -> True) -- ++ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++ Prims.l_True ++ (fun _ -> Prims.l_True) + -val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) - : Pure (t_Array u8 (sz 384)) - (requires True) @@ -7781,15 +7362,11 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i - let coefficients: t_Array _ (sz 256) = Spec.Kyber.map' Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative re.f_coefficients in - int_t_array_bitwise_eq res 8 coefficients 12 - )) -+ : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement -+ Prims.l_True -+ (fun _ -> Prims.l_True) -+ +val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst ---- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-20 10:46:13.877092637 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-02-20 10:46:13.915091872 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-02-22 11:01:52 @@ -3,31 +3,31 @@ open Core open FStar.Mul @@ -8001,72 +7578,454 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-indepe + : (t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid --type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { -- f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE; -- f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE -+type t_KyberKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { -+ f_sk:t_KyberPrivateKey v_PRIVATE_KEY_SIZE; -+ f_pk:t_KyberPublicKey v_PUBLIC_KEY_SIZE - } +-type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { +- f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE; +- f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE ++type t_KyberKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { ++ f_sk:t_KyberPrivateKey v_PRIVATE_KEY_SIZE; ++ f_pk:t_KyberPublicKey v_PUBLIC_KEY_SIZE + } + + let impl__from + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) +- (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) +- (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) +- : t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = +- { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE ++ (sk: t_KyberPrivateKey v_PRIVATE_KEY_SIZE) ++ (pk: t_KyberPublicKey v_PUBLIC_KEY_SIZE) ++ : t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = ++ { f_sk = sk; f_pk = pk } <: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + + let impl__new + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (sk: t_Array u8 v_PRIVATE_KEY_SIZE) + (pk: t_Array u8 v_PUBLIC_KEY_SIZE) +- : t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = ++ : t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = + { f_sk = Core.Convert.f_into sk; f_pk = Core.Convert.f_into pk } + <: +- t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE ++ t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + + let impl__pk + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) +- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) ++ (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : t_Array u8 v_PUBLIC_KEY_SIZE = impl_18__as_slice v_PUBLIC_KEY_SIZE self.f_pk + + let impl__private_key + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) +- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) +- : t_MlKemPrivateKey v_PRIVATE_KEY_SIZE = self.f_sk ++ (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) ++ : t_KyberPrivateKey v_PRIVATE_KEY_SIZE = self.f_sk + + let impl__public_key + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) +- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) +- : t_MlKemPublicKey v_PUBLIC_KEY_SIZE = self.f_pk ++ (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) ++ : t_KyberPublicKey v_PUBLIC_KEY_SIZE = self.f_pk + + let impl__sk + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) +- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) ++ (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : t_Array u8 v_PRIVATE_KEY_SIZE = impl_12__as_slice v_PRIVATE_KEY_SIZE self.f_sk +diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/Libcrux.Kem.Kyber.fst +--- extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-02-22 11:01:52 +@@ -1,29 +1,12 @@ + module Libcrux.Kem.Kyber +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" ++#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" + open Core + open FStar.Mul + +-let update_at_range_lemma #n +- (s: t_Slice 't) +- (i: Core.Ops.Range.t_Range (int_t n) {(Core.Ops.Range.impl_index_range_slice 't n).in_range s i}) +- (x: t_Slice 't) +- : Lemma +- (requires (Seq.length x == v i.f_end - v i.f_start)) +- (ensures ( +- let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in +- let len = v i.f_start in +- forall (i: nat). i < len ==> Seq.index s i == Seq.index s' i +- )) +- [SMTPat (Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x)] +- = let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in +- let len = v i.f_start in +- introduce forall (i:nat {i < len}). Seq.index s i == Seq.index s' i +- with (assert ( Seq.index (Seq.slice s 0 len) i == Seq.index s i +- /\ Seq.index (Seq.slice s' 0 len) i == Seq.index s' i )) +- +-let serialize_kem_secret_key #p ++let serialize_kem_secret_key + (v_SERIALIZED_KEY_LEN: usize) +- (private_key public_key implicit_rejection_value: t_Slice u8) = ++ (private_key public_key implicit_rejection_value: t_Slice u8) ++ = + let out:t_Array u8 v_SERIALIZED_KEY_LEN = Rust_primitives.Hax.repeat 0uy v_SERIALIZED_KEY_LEN in + let pointer:usize = sz 0 in + let out:t_Array u8 v_SERIALIZED_KEY_LEN = +@@ -72,8 +55,6 @@ + t_Slice u8) + in + let pointer:usize = pointer +! (Core.Slice.impl__len public_key <: usize) in +- let h_public_key = (Rust_primitives.unsize (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) +- <: t_Slice u8) in + let out:t_Array u8 v_SERIALIZED_KEY_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ +@@ -89,7 +70,16 @@ + pointer +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE <: usize + } + <: +- Core.Ops.Range.t_Range usize ]) h_public_key) ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ (Rust_primitives.unsize (Libcrux.Kem.Kyber.Hash_functions.v_H public_key ++ <: ++ t_Array u8 (sz 32)) ++ <: ++ t_Slice u8) ++ <: ++ t_Slice u8) + in + let pointer:usize = pointer +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE in + let out:t_Array u8 v_SERIALIZED_KEY_LEN = +@@ -116,32 +106,14 @@ + <: + t_Slice u8) + in +- assert (Seq.slice out 0 (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p)) `Seq.equal` private_key); +- assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p)) +- (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p)) `Seq.equal` public_key); +- assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! +- Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p)) +- (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! +- Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! +- Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)) +- `Seq.equal` Libcrux.Kem.Kyber.Hash_functions.v_H public_key); +- assert (Seq.slice out (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! +- Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! +- Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)) +- (v #usize_inttype (Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p +! +- Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p +! +- Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE +! +- Spec.Kyber.v_SHARED_SECRET_SIZE)) +- == implicit_rejection_value); +- lemma_slice_append_4 out private_key public_key (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) implicit_rejection_value; + out + +-let decapsulate #p ++let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) +- (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) +- (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = +- let orig_secret_key = secret_key.f_value in ++ (secret_key: Libcrux.Kem.Kyber.Types.t_KyberPrivateKey v_SECRET_KEY_SIZE) ++ (ciphertext: Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE) ++ = + let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = + Libcrux.Kem.Kyber.Types.impl_12__split_at v_SECRET_KEY_SIZE secret_key v_CPA_SECRET_KEY_SIZE + in +@@ -151,12 +123,8 @@ + let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at secret_key Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE + in +- assert (ind_cpa_secret_key == slice orig_secret_key (sz 0) v_CPA_SECRET_KEY_SIZE); +- assert (ind_cpa_public_key == slice orig_secret_key v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE)); +- assert (ind_cpa_public_key_hash == slice orig_secret_key (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE)); +- assert (implicit_rejection_value == slice orig_secret_key (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE) (length orig_secret_key)); + let decrypted:t_Array u8 (sz 32) = +- Libcrux.Kem.Kyber.Ind_cpa.decrypt #p v_K ++ Libcrux.Kem.Kyber.Ind_cpa.decrypt v_K + v_CIPHERTEXT_SIZE + v_C1_SIZE + v_VECTOR_U_COMPRESSION_FACTOR +@@ -184,9 +152,6 @@ + <: + t_Slice u8) + in +- lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; +- assert (decrypted == Spec.Kyber.ind_cpa_decrypt p ind_cpa_secret_key ciphertext.f_value); +- assert (to_hash == concat decrypted ind_cpa_public_key_hash); + let hashed:t_Array u8 (sz 64) = + Libcrux.Kem.Kyber.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) + in +@@ -194,10 +159,6 @@ + Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) + Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE + in +- assert ((shared_secret,pseudorandomness) == split hashed Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE); +- assert (length implicit_rejection_value = v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE); +- assert (length implicit_rejection_value = Spec.Kyber.v_SHARED_SECRET_SIZE); +- assert (Spec.Kyber.v_SHARED_SECRET_SIZE <=. Spec.Kyber.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE p); + let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = + Libcrux.Kem.Kyber.Ind_cpa.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE +@@ -219,14 +180,11 @@ + <: + t_Slice u8) + in +- lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value; + let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = + Libcrux.Kem.Kyber.Hash_functions.v_PRF (sz 32) (Rust_primitives.unsize to_hash <: t_Slice u8) + in +- assert (implicit_rejection_shared_secret == Spec.Kyber.v_J to_hash); +- assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE); + let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = +- Libcrux.Kem.Kyber.Ind_cpa.encrypt #p v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE ++ Libcrux.Kem.Kyber.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE ind_cpa_public_key decrypted + pseudorandomness +@@ -236,18 +194,16 @@ + (Core.Convert.f_as_ref ciphertext <: t_Slice u8) + (Rust_primitives.unsize expected_ciphertext <: t_Slice u8) + in +- let res = + Libcrux.Kem.Kyber.Constant_time_ops.select_shared_secret_in_constant_time shared_secret + (Rust_primitives.unsize implicit_rejection_shared_secret <: t_Slice u8) + selector +- in +- res + +-let encapsulate #p ++let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) +- (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) +- (randomness: t_Array u8 (sz 32)) = ++ (public_key: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) ++ (randomness: t_Array u8 (sz 32)) ++ = + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux.Kem.Kyber.Ind_cpa.into_padded_array (sz 64) + (Rust_primitives.unsize randomness <: t_Slice u8) +@@ -278,10 +234,6 @@ + <: + t_Slice u8) + in +- assert (Seq.slice to_hash 0 (v Libcrux.Kem.Kyber.Constants.v_H_DIGEST_SIZE) == randomness); +- lemma_slice_append to_hash randomness (Spec.Kyber.v_H public_key.f_value); +- assert (to_hash == concat randomness (Spec.Kyber.v_H public_key.f_value)); +- + let hashed:t_Array u8 (sz 64) = + Libcrux.Kem.Kyber.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) + in +@@ -290,7 +242,7 @@ + Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = +- Libcrux.Kem.Kyber.Ind_cpa.encrypt #p v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE ++ Libcrux.Kem.Kyber.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + (Rust_primitives.unsize (Libcrux.Kem.Kyber.Types.impl_18__as_slice v_PUBLIC_KEY_SIZE +@@ -300,42 +252,23 @@ + <: + t_Slice u8) randomness pseudorandomness + in +- Core.Convert.f_into ciphertext, +- Core.Result.impl__unwrap (Core.Convert.f_try_into shared_secret +- <: +- Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) +- <: +- (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) +- +-#push-options "--z3rlimit 100" +-let validate_public_key #p +- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) +- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) +- = +- let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = +- Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key #p v_K +- (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } ++ let shared_secret:t_Array u8 (sz 32) = ++ match Core.Convert.f_try_into shared_secret with ++ | Core.Result.Result_Ok shared_secret -> shared_secret ++ | Core.Result.Result_Err _ -> ++ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" + <: +- Core.Ops.Range.t_RangeTo usize ]) ++ Rust_primitives.Hax.t_Never) + in +- let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = +- Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key #p v_K +- v_RANKED_BYTES_PER_RING_ELEMENT +- v_PUBLIC_KEY_SIZE +- pk +- (public_key.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } +- <: +- Core.Ops.Range.t_RangeFrom usize ] +- <: +- t_Slice u8) +- in +- public_key =. public_key_serialized +-#pop-options ++ Core.Convert.f_into ciphertext, shared_secret ++ <: ++ (Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + +-let generate_keypair #p ++let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) +- (randomness: t_Array u8 (sz 64)) = ++ (randomness: t_Array u8 (sz 64)) ++ = + let ind_cpa_keypair_randomness:t_Slice u8 = + randomness.[ { + Core.Ops.Range.f_start = sz 0; +@@ -353,7 +286,7 @@ + in + let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & + t_Array u8 v_PUBLIC_KEY_SIZE) = +- Libcrux.Kem.Kyber.Ind_cpa.generate_keypair #p v_K ++ Libcrux.Kem.Kyber.Ind_cpa.generate_keypair v_K + v_CPA_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT +@@ -362,17 +295,16 @@ + ind_cpa_keypair_randomness + in + let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = +- serialize_kem_secret_key #p v_PRIVATE_KEY_SIZE ++ serialize_kem_secret_key v_PRIVATE_KEY_SIZE + (Rust_primitives.unsize ind_cpa_private_key <: t_Slice u8) + (Rust_primitives.unsize public_key <: t_Slice u8) + implicit_rejection_value + in +- let (private_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE):Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey ++ let (private_key: Libcrux.Kem.Kyber.Types.t_KyberPrivateKey v_PRIVATE_KEY_SIZE):Libcrux.Kem.Kyber.Types.t_KyberPrivateKey + v_PRIVATE_KEY_SIZE = + Core.Convert.f_from secret_key_serialized + in + Libcrux.Kem.Kyber.Types.impl__from v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + private_key +- (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) +- ++ (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) +diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent/Libcrux.Kem.Kyber.fsti +--- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-02-22 11:01:52 +@@ -4,90 +4,37 @@ + open FStar.Mul - let impl__from - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) -- (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) -- (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -- : t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = -- { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -+ (sk: t_KyberPrivateKey v_PRIVATE_KEY_SIZE) -+ (pk: t_KyberPublicKey v_PUBLIC_KEY_SIZE) -+ : t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = -+ { f_sk = sk; f_pk = pk } <: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + unfold +-let t_MlKemSharedSecret = t_Array u8 (sz 32) ++let t_KyberSharedSecret = t_Array u8 (sz 32) - let impl__new - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (sk: t_Array u8 v_PRIVATE_KEY_SIZE) - (pk: t_Array u8 v_PUBLIC_KEY_SIZE) -- : t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = -+ : t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = - { f_sk = Core.Convert.f_into sk; f_pk = Core.Convert.f_into pk } - <: -- t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -+ t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + let v_KEY_GENERATION_SEED_SIZE: usize = + Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! + Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE - let impl__pk - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) -- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -+ (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : t_Array u8 v_PUBLIC_KEY_SIZE = impl_18__as_slice v_PUBLIC_KEY_SIZE self.f_pk +-val serialize_kem_secret_key (#p:Spec.Kyber.params) ++val serialize_kem_secret_key + (v_SERIALIZED_KEY_LEN: usize) + (private_key public_key implicit_rejection_value: t_Slice u8) +- : Pure (t_Array u8 v_SERIALIZED_KEY_LEN) +- (requires (length private_key == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ +- length public_key == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ +- length implicit_rejection_value == Spec.Kyber.v_SHARED_SECRET_SIZE /\ +- v_SERIALIZED_KEY_LEN == Spec.Kyber.v_SECRET_KEY_SIZE p)) +- (ensures (fun res -> res == +- Seq.append private_key ( +- Seq.append public_key ( +- Seq.append (Libcrux.Kem.Kyber.Hash_functions.v_H public_key) implicit_rejection_value)))) ++ : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) - let impl__private_key - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) -- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -- : t_MlKemPrivateKey v_PRIVATE_KEY_SIZE = self.f_sk -+ (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -+ : t_KyberPrivateKey v_PRIVATE_KEY_SIZE = self.f_sk +-val decapsulate (#p:Spec.Kyber.params) ++val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) +- (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) +- (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) +- : Pure (t_Array u8 (sz 32)) +- (requires ( p == (let open Spec.Kyber in {v_RANK = v_K; v_ETA1; v_ETA2; v_VECTOR_U_COMPRESSION_FACTOR; v_VECTOR_V_COMPRESSION_FACTOR}) /\ +- Spec.Kyber.valid_params p /\ +- v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ +- v_ETA2_RANDOMNESS_SIZE == Spec.Kyber.v_ETA2_RANDOMNESS_SIZE p /\ +- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.Kyber.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE p /\ +- v_SECRET_KEY_SIZE == Spec.Kyber.v_SECRET_KEY_SIZE p /\ +- v_CPA_SECRET_KEY_SIZE == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ +- v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ +- v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ +- v_C1_SIZE == Spec.Kyber.v_C1_SIZE p /\ +- v_C1_BLOCK_SIZE == Spec.Kyber.v_C1_BLOCK_SIZE p /\ +- v_C2_SIZE == Spec.Kyber.v_C2_SIZE p /\ +- v_T_AS_NTT_ENCODED_SIZE = Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p +- )) +- (ensures (fun res -> +- res == Spec.Kyber.ind_cca_decapsulate p secret_key.f_value ciphertext.f_value)) ++ (secret_key: Libcrux.Kem.Kyber.Types.t_KyberPrivateKey v_SECRET_KEY_SIZE) ++ (ciphertext: Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE) ++ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - let impl__public_key - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) -- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -- : t_MlKemPublicKey v_PUBLIC_KEY_SIZE = self.f_pk -+ (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -+ : t_KyberPublicKey v_PUBLIC_KEY_SIZE = self.f_pk +-val encapsulate (#p:Spec.Kyber.params) ++val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) +- (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) ++ (public_key: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) +- : Pure (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) +- (requires (p == (let open Spec.Kyber in {v_RANK = v_K; v_ETA1; v_ETA2; v_VECTOR_U_COMPRESSION_FACTOR; v_VECTOR_V_COMPRESSION_FACTOR}) /\ +- Spec.Kyber.valid_params p /\ +- v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ +- v_ETA2_RANDOMNESS_SIZE == Spec.Kyber.v_ETA2_RANDOMNESS_SIZE p /\ +- v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ +- v_CIPHERTEXT_SIZE == Spec.Kyber.v_CPA_PKE_CIPHERTEXT_SIZE p /\ +- v_C1_SIZE == Spec.Kyber.v_C1_SIZE p /\ +- v_C2_SIZE == Spec.Kyber.v_C2_SIZE p /\ +- v_T_AS_NTT_ENCODED_SIZE = Spec.Kyber.v_T_AS_NTT_ENCODED_SIZE p /\ +- v_VECTOR_U_BLOCK_LEN == Spec.Kyber.v_C1_BLOCK_SIZE p +- )) ++ : Prims.Pure (Libcrux.Kem.Kyber.Types.t_KyberCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) ++ Prims.l_True ++ (fun _ -> Prims.l_True) - let impl__sk - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) -- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) -+ (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : t_Array u8 v_PRIVATE_KEY_SIZE = impl_12__as_slice v_PRIVATE_KEY_SIZE self.f_sk -diff -ruN extraction-edited/Libcrux_platform.fsti extraction-secret-independent/Libcrux_platform.fsti ---- extraction-edited/Libcrux_platform.fsti 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-secret-independent/Libcrux_platform.fsti 2024-02-20 10:46:13.923091711 +0100 -@@ -0,0 +1,4 @@ -+module Libcrux_platform -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+ -+val simd256_support : unit -> bool +- (ensures (fun (ct,ss) -> +- (ct.f_value,ss) == Spec.Kyber.ind_cca_encapsulate p public_key.f_value randomness)) +- +-val validate_public_key (#p:Spec.Kyber.params) +- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) +- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) +- : Prims.Pure bool +- (requires (v_K == p.v_RANK /\ +- v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ +- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.Kyber.v_RANKED_BYTES_PER_RING_ELEMENT p +- )) +- (ensures (fun _ -> Prims.l_True)) +- +-val generate_keypair (#p:Spec.Kyber.params) ++val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) +- : Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) +- (requires (v_K == p.v_RANK /\ v_ETA1 == p.v_ETA1 /\ +- v_ETA1_RANDOMNESS_SIZE == Spec.Kyber.v_ETA1_RANDOMNESS_SIZE p /\ +- v_PUBLIC_KEY_SIZE == Spec.Kyber.v_CPA_PKE_PUBLIC_KEY_SIZE p /\ +- v_CPA_PRIVATE_KEY_SIZE == Spec.Kyber.v_CPA_PKE_SECRET_KEY_SIZE p /\ +- v_PRIVATE_KEY_SIZE == Spec.Kyber.v_SECRET_KEY_SIZE p /\ +- v_BYTES_PER_RING_ELEMENT == Spec.Kyber.v_RANKED_BYTES_PER_RING_ELEMENT p +- )) +- (ensures (fun kp -> +- (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) ++ : Prims.Pure (Libcrux.Kem.Kyber.Types.t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) ++ Prims.l_True ++ (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-independent/Libcrux_platform.Platform.fsti ---- extraction-edited/Libcrux_platform.Platform.fsti 2024-02-20 10:46:13.873092717 +0100 -+++ extraction-secret-independent/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00.000000000 +0100 +--- extraction-edited/Libcrux_platform.Platform.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 @@ -1,20 +0,0 @@ -module Libcrux_platform.Platform -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -8088,9 +8047,17 @@ diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-ind -val sha256_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - -val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +diff -ruN extraction-edited/Libcrux_platform.fsti extraction-secret-independent/Libcrux_platform.fsti +--- extraction-edited/Libcrux_platform.fsti 1970-01-01 01:00:00 ++++ extraction-secret-independent/Libcrux_platform.fsti 2024-02-22 11:01:52 +@@ -0,0 +1,4 @@ ++module Libcrux_platform ++#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" ++ ++val simd256_support : unit -> bool diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst ---- extraction-edited/MkSeq.fst 2024-02-20 10:46:13.841093361 +0100 -+++ extraction-secret-independent/MkSeq.fst 1970-01-01 01:00:00.000000000 +0100 +--- extraction-edited/MkSeq.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/MkSeq.fst 1970-01-01 01:00:00 @@ -1,91 +0,0 @@ -module MkSeq -open Core @@ -8184,8 +8151,8 @@ diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst - -%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction-edited/Spec.Kyber.fst extraction-secret-independent/Spec.Kyber.fst ---- extraction-edited/Spec.Kyber.fst 2024-02-20 10:46:13.884092496 +0100 -+++ extraction-secret-independent/Spec.Kyber.fst 1970-01-01 01:00:00.000000000 +0100 +--- extraction-edited/Spec.Kyber.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Spec.Kyber.fst 1970-01-01 01:00:00 @@ -1,433 +0,0 @@ -module Spec.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst index 68bfa171d..6ef903d58 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst @@ -277,15 +277,11 @@ let encapsulate <: t_Slice u8) randomness pseudorandomness in - let shared_secret:t_Array u8 (sz 32) = - match Core.Convert.f_try_into shared_secret with - | Core.Result.Result_Ok shared_secret -> shared_secret - | Core.Result.Result_Err _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" - <: - Rust_primitives.Hax.t_Never) + let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let shared_secret_array:t_Array u8 (sz 32) = + Core.Slice.impl__copy_from_slice shared_secret_array shared_secret in - Core.Convert.f_into ciphertext, shared_secret + Core.Convert.f_into ciphertext, shared_secret_array <: (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) diff --git a/src/kem/kyber.rs b/src/kem/kyber.rs index df5b6d8b8..49d2acaa7 100644 --- a/src/kem/kyber.rs +++ b/src/kem/kyber.rs @@ -81,7 +81,7 @@ pub(super) fn validate_public_key< PUBLIC_KEY_SIZE, >(pk, &public_key[RANKED_BYTES_PER_RING_ELEMENT..]); - public_key == &public_key_serialized + *public_key == public_key_serialized } pub(super) fn generate_keypair< @@ -154,11 +154,9 @@ pub(super) fn encapsulate< ETA2_RANDOMNESS_SIZE, >(public_key.as_slice(), randomness, pseudorandomness); - let shared_secret = match shared_secret.try_into() { - Ok(shared_secret) => shared_secret, - Err(_) => panic!(), - }; - (ciphertext.into(), shared_secret) + let mut shared_secret_array = [0u8; constants::SHARED_SECRET_SIZE]; + shared_secret_array.copy_from_slice(shared_secret); + (ciphertext.into(), shared_secret_array) } pub(super) fn decapsulate< diff --git a/src/kem/kyber/kyber768.rs b/src/kem/kyber/kyber768.rs index 9d35dbb8c..9a146e90e 100644 --- a/src/kem/kyber/kyber768.rs +++ b/src/kem/kyber/kyber768.rs @@ -122,9 +122,10 @@ pub fn decapsulate( mod tests { use rand_core::{OsRng, RngCore}; - use crate::kem::kyber::kyber768::validate_public_key; - - use super::{kyber768::generate_key_pair, KEY_GENERATION_SEED_SIZE}; + use super::{ + kyber768::{generate_key_pair, validate_public_key}, + KEY_GENERATION_SEED_SIZE, + }; #[test] fn pk_validation() { From 9c6985bd85b46be7eb6ce61ec4e19ffc12dec1e9 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 20 Feb 2024 20:46:57 +0100 Subject: [PATCH 08/28] enabling the incremental (nblocks) API for Shake128 (scalar) in Kyber --- src/hacl/sha3.rs | 1 + src/kem/kyber/hash_functions.rs | 41 +++++++++++---------------------- src/kem/kyber/sampling.rs | 1 + 3 files changed, 16 insertions(+), 27 deletions(-) diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index a7bd3eda9..f8747b80e 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -373,3 +373,4 @@ pub mod incremental_x4 { } } } + diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index fe889bb1d..5b5d1380c 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -31,24 +31,12 @@ pub(crate) struct XofState { #[cfg(not(simd256))] #[inline(always)] pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { - let mut out_vec : Vec = Vec::new(); + let mut states = + core::array::from_fn(|_| shake128_init(); for i in 0..K { - let mut st = shake128_init(); - shake128_absorb_final(&mut st,&input[i]); - out_vec.push(st); + shake128_absorb_final(&mut states[i],&input[i]); } - match out_vec.try_into() { - Ok(states) => XofState{states}, - Err(_) => panic!(), - } - - // The following does not work with Eurydice because of "from_fn" - // let mut out : [Shake128State; K] = - // core::array::from_fn(|_| Shake128State::new()); - // for i in 0..K { - // out[i].absorb_final(&input[i]); - // } - // out + XofState{states} } #[cfg(not(simd256))] @@ -63,7 +51,6 @@ pub(crate) fn XOF_squeeze_three_blocks( out } -#[cfg(not(simd256))] #[inline(always)] pub(crate) fn XOF_squeeze_block(xof_state: &mut XofState) -> [[u8; 168]; K] { let mut out: [[u8; 168]; K] = [[0; 168]; K]; @@ -81,11 +68,11 @@ type XofState = X4(crate::digest::Shake128StateX4); #[cfg(simd256)] #[inline(always)] pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { - let mut out : crate::digest::Shake128StateX4 = crate::digest::Shake128StateX4::new(); + let mut state : Shake128StateX4 = shake128_init_x4(); match K { - 2 => {out.absorb_final(input[0],input[1],input[0],input[0]);out} - 3 => {out.absorb_final(input[0],input[1],input[2],input[0]);out} - 4 => {out.absorb_final(input[0],input[1],input[2],input[3]);out} + 2 => {shake128_absorb_final_x4(&mut state,input[0],input[1],input[0],input[0]);state} + 3 => {shake128_absorb_final_x4(&mut state,input[0],input[1],input[2],input[0]);state} + 4 => {shake128_absorb_final_x4(&mut state,input[0],input[1],input[2],input[3]);state} _ => {unreachable!()} } } @@ -98,9 +85,9 @@ pub(crate) fn XOF_squeeze_three_blocks( let mut output = [[0; 168 * 3]; K]; let mut tmp = [[0; 168 * 3]; 2]; match K { - 2 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut tmp[0],&mut tmp[1]); output} - 3 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut output[2],&mut tmp[1]); output} - 4 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut output[2],&mut output[3]); output} + 2 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut tmp[0],&mut tmp[1]); output} + 3 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut output[2],&mut tmp[1]); output} + 4 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut output[2],&mut output[3]); output} _ => {unreachable!()} } } @@ -111,9 +98,9 @@ pub(crate) fn XOF_squeeze_block(state: &mut XofState) -> [[u8 let mut out: [[u8; 168]; K] = [[0; 168]; K]; let mut tmp = [[0; 168 * 3]; 2]; match K { - 2 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut tmp[0],&mut tmp[1]); output} - 3 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut output[2],&mut tmp[0]); output} - 4 => {state.squeeze_nblocks(&mut output[0],&mut output[1],&mut output[2],&mut output[3]); output} + 2 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut tmp[0],&mut tmp[1]); output} + 3 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut output[2],&mut tmp[1]); output} + 4 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut output[2],&mut output[3]); output} _ => {unreachable!()} } } diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs index 2202f8a42..8cb28376b 100644 --- a/src/kem/kyber/sampling.rs +++ b/src/kem/kyber/sampling.rs @@ -101,6 +101,7 @@ pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingE out } + /// Given a series of uniformly random bytes in `randomness`, for some number `eta`, /// the `sample_from_binomial_distribution_{eta}` functions sample /// a ring element from a binomial distribution centered at 0 that uses two sets From 652f579265b057196d019b160a4d373dab910059 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 21 Feb 2024 10:54:15 +0100 Subject: [PATCH 09/28] sort imports to work with kyber-crate.sh --- src/kem/kyber/sampling.rs | 1 - 1 file changed, 1 deletion(-) diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs index 8cb28376b..2202f8a42 100644 --- a/src/kem/kyber/sampling.rs +++ b/src/kem/kyber/sampling.rs @@ -101,7 +101,6 @@ pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingE out } - /// Given a series of uniformly random bytes in `randomness`, for some number `eta`, /// the `sample_from_binomial_distribution_{eta}` functions sample /// a ring element from a binomial distribution centered at 0 that uses two sets From 5cf2b9db7b2b3a878b9827736131ba9070c972e7 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Thu, 22 Feb 2024 17:13:46 +0100 Subject: [PATCH 10/28] added SIMD - wip - and passing hax --- proofs/fstar/extraction/Libcrux.Digest.fsti | 1 - src/hacl/sha3.rs | 1 - src/kem/kyber/hash_functions.rs | 1 + 3 files changed, 1 insertion(+), 2 deletions(-) diff --git a/proofs/fstar/extraction/Libcrux.Digest.fsti b/proofs/fstar/extraction/Libcrux.Digest.fsti index ff6b336ff..96326373f 100644 --- a/proofs/fstar/extraction/Libcrux.Digest.fsti +++ b/proofs/fstar/extraction/Libcrux.Digest.fsti @@ -14,7 +14,6 @@ val shake256 (v_LEN: usize) (data: t_Slice u8) type t_Shake128State - val shake128_absorb_final (st: t_Shake128State) (data: t_Slice u8) : Prims.Pure t_Shake128State Prims.l_True (fun _ -> Prims.l_True) diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index f8747b80e..a7bd3eda9 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -373,4 +373,3 @@ pub mod incremental_x4 { } } } - diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index 5b5d1380c..8d07dcac0 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -51,6 +51,7 @@ pub(crate) fn XOF_squeeze_three_blocks( out } +#[cfg(not(simd256))] #[inline(always)] pub(crate) fn XOF_squeeze_block(xof_state: &mut XofState) -> [[u8; 168]; K] { let mut out: [[u8; 168]; K] = [[0; 168]; K]; From 511c50c3dd3abbb65042d26e9d273963458b3b1b Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Fri, 23 Feb 2024 11:30:56 +0100 Subject: [PATCH 11/28] hand edits to work around hax bug --- hax-driver.py | 1 + proofs/fstar/extraction/Libcrux.Digest.fsti | 1 + .../Libcrux.Kem.Kyber.Hash_functions.fst | 66 ++++--- .../extraction/Libcrux.Kem.Kyber.Sampling.fst | 16 +- src/digest.rs | 47 +++-- src/hacl/sha3.rs | 168 ++++++++++-------- src/kem/kyber/hash_functions.rs | 131 ++++++++++---- 7 files changed, 263 insertions(+), 167 deletions(-) diff --git a/hax-driver.py b/hax-driver.py index dbda01f8c..d2aa6e198 100755 --- a/hax-driver.py +++ b/hax-driver.py @@ -136,6 +136,7 @@ def shell(command, expect=0, cwd=None, env={}): # remove this when https://github.com/hacspec/hax/issues/465 is # closed) shell(["rm", "-f", "./sys/platform/proofs/fstar/extraction/*.fst"]) + elif options.kyber_specification: shell( cargo_hax_into diff --git a/proofs/fstar/extraction/Libcrux.Digest.fsti b/proofs/fstar/extraction/Libcrux.Digest.fsti index 96326373f..ff6b336ff 100644 --- a/proofs/fstar/extraction/Libcrux.Digest.fsti +++ b/proofs/fstar/extraction/Libcrux.Digest.fsti @@ -14,6 +14,7 @@ val shake256 (v_LEN: usize) (data: t_Slice u8) type t_Shake128State + val shake128_absorb_final (st: t_Shake128State) (data: t_Slice u8) : Prims.Pure t_Shake128State Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst index 3929551a4..a9c22ab57 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst @@ -10,11 +10,13 @@ let v_H (input: t_Slice u8) = Libcrux.Digest.sha3_256_ input let v_PRF (v_LEN: usize) (input: t_Slice u8) = Libcrux.Digest.shake256 v_LEN input let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = - let (out_vec: Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global):Alloc.Vec.t_Vec - Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = - Alloc.Vec.impl__new () + let states:t_Array Libcrux.Digest.t_Shake128State v_K = + Core.Array.from_fn v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux.Digest.shake128_init () <: Libcrux.Digest.t_Shake128State) in - let out_vec:Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = + let states:t_Array Libcrux.Digest.t_Shake128State v_K = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_K @@ -23,34 +25,26 @@ let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = Core.Ops.Range.t_Range usize) <: Core.Ops.Range.t_Range usize) - out_vec - (fun out_vec i -> - let out_vec:Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = - out_vec - in + states + (fun states i -> + let states:t_Array Libcrux.Digest.t_Shake128State v_K = states in let i:usize = i in - let st:Libcrux.Digest.t_Shake128State = Libcrux.Digest.shake128_init () in - let st:Libcrux.Digest.t_Shake128State = - Libcrux.Digest.shake128_absorb_final st - (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) - in - let out_vec:Alloc.Vec.t_Vec Libcrux.Digest.t_Shake128State Alloc.Alloc.t_Global = - Alloc.Vec.impl_1__push out_vec st - in - out_vec) + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize states + i + (Libcrux.Digest.shake128_absorb_final (states.[ i ] <: Libcrux.Digest.t_Shake128State) + (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) + <: + Libcrux.Digest.t_Shake128State) + <: + t_Array Libcrux.Digest.t_Shake128State v_K) in - match Core.Convert.f_try_into out_vec with - | Core.Result.Result_Ok states -> { f_states = states } <: t_XofState v_K - | Core.Result.Result_Err _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" - <: - Rust_primitives.Hax.t_Never) + { f_states = states } <: t_XofState v_K let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = - let (out: t_Array (t_Array u8 (sz 168)) v_K):t_Array (t_Array u8 (sz 168)) v_K = + let (block: t_Array (t_Array u8 (sz 168)) v_K):t_Array (t_Array u8 (sz 168)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K in - let out, xof_state:(t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) = + let block, xof_state:(t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_K @@ -59,9 +53,9 @@ let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = Core.Ops.Range.t_Range usize) <: Core.Ops.Range.t_Range usize) - (out, xof_state <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K)) + (block, xof_state <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K)) (fun temp_0_ i -> - let out, xof_state:(t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) = temp_0_ in + let block, xof_state:(t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) = temp_0_ in let i:usize = i in let tmp0, out:(Libcrux.Digest.t_Shake128State & t_Array u8 (sz 168)) = Libcrux.Digest.shake128_squeeze_nblocks (sz 168) @@ -79,18 +73,18 @@ let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = in let hoist21:t_Array u8 (sz 168) = out in let hoist22:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i hoist21 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize block i hoist21 in hoist22, xof_state <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K)) in - let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in + let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = block in xof_state, hax_temp_output <: (t_XofState v_K & t_Array (t_Array u8 (sz 168)) v_K) let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = - let out:t_Array (t_Array u8 (sz 504)) v_K = + let blocks:t_Array (t_Array u8 (sz 504)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K in - let out, xof_state:(t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) = + let blocks, xof_state:(t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_K @@ -99,9 +93,9 @@ let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = Core.Ops.Range.t_Range usize) <: Core.Ops.Range.t_Range usize) - (out, xof_state <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K)) + (blocks, xof_state <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K)) (fun temp_0_ i -> - let out, xof_state:(t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) = temp_0_ in + let blocks, xof_state:(t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) = temp_0_ in let i:usize = i in let tmp0, out:(Libcrux.Digest.t_Shake128State & t_Array u8 (sz 504)) = Libcrux.Digest.shake128_squeeze_nblocks (sz 504) @@ -119,9 +113,9 @@ let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = in let hoist23:t_Array u8 (sz 504) = out in let hoist24:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i hoist23 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize blocks i hoist23 in hoist24, xof_state <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K)) in - let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in + let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = blocks in xof_state, hax_temp_output <: (t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst index c0c6ae69b..74c2f2915 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst @@ -317,20 +317,20 @@ let sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) = let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = Libcrux.Kem.Kyber.Hash_functions.v_XOF_absorb v_K seeds in - let tmp0, out:(Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K + let tmp0, out1:(Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K ) = Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_three_blocks v_K xof_states in let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = tmp0 in - let randomness:t_Array (t_Array u8 (sz 504)) v_K = out in - let tmp0, tmp1, out:(t_Array usize v_K & + let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in + let tmp0, tmp1, out2:(t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) = sample_from_uniform_distribution_next v_K (sz 504) randomness sampled_coefficients out in let sampled_coefficients:t_Array usize v_K = tmp0 in let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in - let done:bool = out in + let done:bool = out2 in let done, out, sampled_coefficients, xof_states:(bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & @@ -354,20 +354,20 @@ let sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) = Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = temp_0_ in - let tmp0, out:(Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K & + let tmp0, out1:(Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K & t_Array (t_Array u8 (sz 168)) v_K) = Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_block v_K xof_states in let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = tmp0 in - let randomness:t_Array (t_Array u8 (sz 168)) v_K = out in - let tmp0, tmp1, out:(t_Array usize v_K & + let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in + let tmp0, tmp1, out2:(t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) = sample_from_uniform_distribution_next v_K (sz 168) randomness sampled_coefficients out in let sampled_coefficients:t_Array usize v_K = tmp0 in let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in - let hoist25:bool = out in + let hoist25:bool = out2 in let done:bool = hoist25 in done, out, sampled_coefficients, xof_states <: diff --git a/src/digest.rs b/src/digest.rs index 735528c4c..6b2ab548e 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -24,7 +24,6 @@ use crate::hacl::{ use libcrux_platform::{simd128_support, simd256_support}; - #[derive(Debug)] pub enum Error { InvalidStateFinished, @@ -370,18 +369,20 @@ pub struct Shake128State(sha3::incremental::Shake128State); pub fn shake128_init() -> Shake128State { Shake128State(sha3::incremental::Shake128State::new()) -} +} -pub fn shake128_absorb_nblocks(st:&mut Shake128State,data:&[u8]) { +pub fn shake128_absorb_nblocks(st: &mut Shake128State, data: &[u8]) { st.0.absorb_nblocks(data); -} +} -pub fn shake128_absorb_final(st:&mut Shake128State,data:&[u8]) { +pub fn shake128_absorb_final(st: &mut Shake128State, data: &[u8]) { st.0.absorb_final(data); -} +} -pub fn shake128_squeeze_nblocks(st:&mut Shake128State) -> [u8;OUTPUT_BYTES] { - st.0.squeeze_nblocks() +pub fn shake128_squeeze_nblocks( + st: &mut Shake128State, +) -> [u8; OUTPUT_BYTES] { + st.0.squeeze_nblocks() } /// SHAKE 128 Incremental API (SIMD) @@ -391,20 +392,34 @@ pub struct Shake128StateX4(sha3::incremental_x4::Shake128StateX4); #[cfg(simd256)] pub fn shake128_init_x4() -> Shake128StateX4 { Shake128StateX4(sha3::incremental_x4::Shake128StateX4::new()) -} +} #[cfg(simd256)] -pub fn shake128_absorb_nblocks_x4(st:&mut Shake128StateX4,data0:&[u8],data1:&[u8],data2:&[u8],data3:&[u8]) { - st.0.absorb_nblocks(data0,data1,data2,data3); -} +pub fn shake128_absorb_nblocks_x4( + st: &mut Shake128StateX4, + data0: &[u8], + data1: &[u8], + data2: &[u8], + data3: &[u8], +) { + st.0.absorb_nblocks(data0, data1, data2, data3); +} #[cfg(simd256)] -pub fn shake128_absorb_final_x4(st:&mut Shake128StateX4,data0:&[u8],data1:&[u8],data2:&[u8],data3:&[u8]) { - st.0.absorb_final(data0,data1,data2,data3); -} +pub fn shake128_absorb_final_x4( + st: &mut Shake128StateX4, + data0: &[u8], + data1: &[u8], + data2: &[u8], + data3: &[u8], +) { + st.0.absorb_final(data0, data1, data2, data3); +} #[cfg(simd256)] -pub fn shake128_squeeze_nblocks_x4(st:&mut Shake128StateX4) -> [[u8;OUTPUT_BYTES];4] { +pub fn shake128_squeeze_nblocks_x4( + st: &mut Shake128StateX4, +) -> [[u8; OUTPUT_BYTES]; 4] { st.0.squeeze_nblocks() } diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index a7bd3eda9..cf9db1189 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -233,15 +233,14 @@ pub mod x4 { /// TODO: This module should not be public, see: https://github.com/cryspen/libcrux/issues/157 pub mod incremental { use libcrux_hacl::{ - Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks, - Hacl_Hash_SHA3_Scalar_shake128_absorb_final, - Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks, - Hacl_Hash_SHA3_Scalar_state_free, Hacl_Hash_SHA3_Scalar_state_malloc, + Hacl_Hash_SHA3_Scalar_shake128_absorb_final, Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks, + Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks, Hacl_Hash_SHA3_Scalar_state_free, + Hacl_Hash_SHA3_Scalar_state_malloc, }; /// SHAKE 128 /// - + /// Handle to internal SHAKE 129 state pub struct Shake128State { state: *mut u64, @@ -298,78 +297,95 @@ pub mod incremental { #[cfg(simd256)] pub mod incremental_x4 { - use libcrux_hacl::{ - Hacl_Hash_SHA3_Simd256_shake128_absorb_final, Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks, Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks, Hacl_Hash_SHA3_Simd256_state_free, Hacl_Hash_SHA3_Simd256_state_malloc, Lib_IntVector_Intrinsics_vec256 - }; - - /// SHAKE 128 - /// - - /// Handle to internal SHAKE 129 state - pub struct Shake128State { - state: *mut Lib_IntVector_Intrinsics_vec256, + use libcrux_hacl::{ + Hacl_Hash_SHA3_Simd256_shake128_absorb_final, + Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks, + Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks, Hacl_Hash_SHA3_Simd256_state_free, + Hacl_Hash_SHA3_Simd256_state_malloc, Lib_IntVector_Intrinsics_vec256, + }; + + /// SHAKE 128 + /// + + /// Handle to internal SHAKE 129 state + pub struct Shake128State { + state: *mut Lib_IntVector_Intrinsics_vec256, + } + + impl Shake128StateX4 { + pub fn new() -> Self { + let state = Self { + state: unsafe { Hacl_Hash_SHA3_Simd256_state_malloc() }, + }; + + state } - - impl Shake128StateX4 { - pub fn new() -> Self { - let state = Self { - state: unsafe { Hacl_Hash_SHA3_Simd256_state_malloc() }, - }; - - state - } - - pub fn absorb_nblocks(&mut self, input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) { - debug_assert!(input0.len() == input1.len() && input0.len() == input2.len() && input0.len() == input3.len()); - debug_assert!(input0.len() % 168 == 0); - - unsafe { - Hacl_Hash_SHA3_Scimd256_shake128_absorb_nblocks( - self.state, - input0.as_ptr() as _, - input1.as_ptr() as _, - input2.as_ptr() as _, - input3.as_ptr() as _, - input0.len() as u32, - ) - }; - } - - pub fn absorb_final(&mut self, input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) { - debug_assert!(input0.len() == input1.len() && input0.len() == input2.len() && input0.len() == input3.len()); - debug_assert!(input0.len() < 168); - - unsafe { - Hacl_Hash_SHA3_Simd256_shake128_absorb_final( - self.state, - input0.as_ptr() as _, - input1.as_ptr() as _, - input2.as_ptr() as _, - input3.as_ptr() as _, - input0.len() as u32, - ) - }; - } - pub fn squeeze_nblocks(&mut self) -> [[u8; OUTPUT_BYTES];4] { - debug_assert!(OUTPUT_BYTES % 168 == 0); - let mut output = [[0u8; OUTPUT_BYTES];4]; - unsafe { - Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks( - self.state, - output[0].as_mut_ptr(), - output[1].as_mut_ptr(), - output[2].as_mut_ptr(), - output[3].as_mut_ptr(), - OUTPUT_BYTES as u32, - ) - }; - - output - } + + pub fn absorb_nblocks( + &mut self, + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + ) { + debug_assert!( + input0.len() == input1.len() + && input0.len() == input2.len() + && input0.len() == input3.len() + ); + debug_assert!(input0.len() % 168 == 0); + + unsafe { + Hacl_Hash_SHA3_Scimd256_shake128_absorb_nblocks( + self.state, + input0.as_ptr() as _, + input1.as_ptr() as _, + input2.as_ptr() as _, + input3.as_ptr() as _, + input0.len() as u32, + ) + }; } - impl Drop for Shake128StateX4 { - fn drop(&mut self) { - unsafe { Hacl_Hash_SHA3_Simd256_state_free(self.state) } - } + + pub fn absorb_final(&mut self, input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) { + debug_assert!( + input0.len() == input1.len() + && input0.len() == input2.len() + && input0.len() == input3.len() + ); + debug_assert!(input0.len() < 168); + + unsafe { + Hacl_Hash_SHA3_Simd256_shake128_absorb_final( + self.state, + input0.as_ptr() as _, + input1.as_ptr() as _, + input2.as_ptr() as _, + input3.as_ptr() as _, + input0.len() as u32, + ) + }; } + pub fn squeeze_nblocks(&mut self) -> [[u8; OUTPUT_BYTES]; 4] { + debug_assert!(OUTPUT_BYTES % 168 == 0); + let mut output = [[0u8; OUTPUT_BYTES]; 4]; + unsafe { + Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks( + self.state, + output[0].as_mut_ptr(), + output[1].as_mut_ptr(), + output[2].as_mut_ptr(), + output[3].as_mut_ptr(), + OUTPUT_BYTES as u32, + ) + }; + + output + } + } + impl Drop for Shake128StateX4 { + fn drop(&mut self) { + unsafe { Hacl_Hash_SHA3_Simd256_state_free(self.state) } + } + } } diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index 8d07dcac0..c014ea90d 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -1,13 +1,15 @@ #![allow(non_snake_case)] -use digest::{Shake128State,shake128_init,shake128_absorb_final,shake128_squeeze_nblocks}; +use digest::{shake128_absorb_final, shake128_init, shake128_squeeze_nblocks, Shake128State}; #[cfg(simd256)] -use digest::{Shake128StateX4,shake128_init_x4,shake128_absorb_final_x4,shake128_squeeze_nblocks_x4}; +use digest::{ + shake128_absorb_final_x4, shake128_init_x4, shake128_squeeze_nblocks_x4, Shake128StateX4, +}; // use libcrux_platform::simd256_support; use crate::digest::{self, digest_size, Algorithm}; -use super::constants::{H_DIGEST_SIZE}; +use super::constants::H_DIGEST_SIZE; pub(crate) fn G(input: &[u8]) -> [u8; digest_size(Algorithm::Sha3_512)] { digest::sha3_512(input) @@ -24,19 +26,18 @@ pub(crate) fn PRF(input: &[u8]) -> [u8; LEN] { // The following API uses the repeated squeeze API // The first version uses Scalar SHAKE 128 #[cfg(not(simd256))] -pub(crate) struct XofState { - states: [Shake128State; K] +pub(crate) struct XofState { + states: [Shake128State; K], } #[cfg(not(simd256))] #[inline(always)] pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { - let mut states = - core::array::from_fn(|_| shake128_init(); + let mut states = core::array::from_fn(|_| shake128_init()); for i in 0..K { - shake128_absorb_final(&mut states[i],&input[i]); + shake128_absorb_final(&mut states[i], &input[i]); } - XofState{states} + XofState { states } } #[cfg(not(simd256))] @@ -44,37 +45,48 @@ pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { pub(crate) fn XOF_squeeze_three_blocks( xof_state: &mut XofState, ) -> [[u8; 168 * 3]; K] { - let mut out = [[0; 168 * 3]; K]; + let mut blocks = [[0; 168 * 3]; K]; for i in 0..K { - out[i] = shake128_squeeze_nblocks(&mut xof_state.states[i]); + blocks[i] = shake128_squeeze_nblocks(&mut xof_state.states[i]); } - out + blocks } #[cfg(not(simd256))] #[inline(always)] pub(crate) fn XOF_squeeze_block(xof_state: &mut XofState) -> [[u8; 168]; K] { - let mut out: [[u8; 168]; K] = [[0; 168]; K]; + let mut block: [[u8; 168]; K] = [[0; 168]; K]; for i in 0..K { - out[i] = shake128_squeeze_nblocks(&mut xof_state.states[i]); + block[i] = shake128_squeeze_nblocks(&mut xof_state.states[i]); } - out + block } // The following API uses the repeated squeeze API // The second version uses SIMD256 SHAKE 128 #[cfg(simd256)] -type XofState = X4(crate::digest::Shake128StateX4); +type XofState = X4(crate::digest::Shake128StateX4); #[cfg(simd256)] #[inline(always)] pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { - let mut state : Shake128StateX4 = shake128_init_x4(); + let mut state: Shake128StateX4 = shake128_init_x4(); match K { - 2 => {shake128_absorb_final_x4(&mut state,input[0],input[1],input[0],input[0]);state} - 3 => {shake128_absorb_final_x4(&mut state,input[0],input[1],input[2],input[0]);state} - 4 => {shake128_absorb_final_x4(&mut state,input[0],input[1],input[2],input[3]);state} - _ => {unreachable!()} + 2 => { + shake128_absorb_final_x4(&mut state, input[0], input[1], input[0], input[0]); + state + } + 3 => { + shake128_absorb_final_x4(&mut state, input[0], input[1], input[2], input[0]); + state + } + 4 => { + shake128_absorb_final_x4(&mut state, input[0], input[1], input[2], input[3]); + state + } + _ => { + unreachable!() + } } } @@ -86,23 +98,80 @@ pub(crate) fn XOF_squeeze_three_blocks( let mut output = [[0; 168 * 3]; K]; let mut tmp = [[0; 168 * 3]; 2]; match K { - 2 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut tmp[0],&mut tmp[1]); output} - 3 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut output[2],&mut tmp[1]); output} - 4 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut output[2],&mut output[3]); output} - _ => {unreachable!()} + 2 => { + shake128_squeeze_nblocks_x4( + &mut state, + &mut output[0], + &mut output[1], + &mut tmp[0], + &mut tmp[1], + ); + output + } + 3 => { + shake128_squeeze_nblocks_x4( + &mut state, + &mut output[0], + &mut output[1], + &mut output[2], + &mut tmp[1], + ); + output + } + 4 => { + shake128_squeeze_nblocks_x4( + &mut state, + &mut output[0], + &mut output[1], + &mut output[2], + &mut output[3], + ); + output + } + _ => { + unreachable!() + } } } #[cfg(simd256)] #[inline(always)] pub(crate) fn XOF_squeeze_block(state: &mut XofState) -> [[u8; 168]; K] { - let mut out: [[u8; 168]; K] = [[0; 168]; K]; + let mut output: [[u8; 168]; K] = [[0; 168]; K]; let mut tmp = [[0; 168 * 3]; 2]; match K { - 2 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut tmp[0],&mut tmp[1]); output} - 3 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut output[2],&mut tmp[1]); output} - 4 => {shake128_squeeze_nblocks_x4(&mut state,&mut output[0],&mut output[1],&mut output[2],&mut output[3]); output} - _ => {unreachable!()} + 2 => { + shake128_squeeze_nblocks_x4( + &mut state, + &mut output[0], + &mut output[1], + &mut tmp[0], + &mut tmp[1], + ); + output + } + 3 => { + shake128_squeeze_nblocks_x4( + &mut state, + &mut output[0], + &mut output[1], + &mut output[2], + &mut tmp[1], + ); + output + } + 4 => { + shake128_squeeze_nblocks_x4( + &mut state, + &mut output[0], + &mut output[1], + &mut output[2], + &mut output[3], + ); + output + } + _ => { + unreachable!() + } } } - From b56defadda88615878121202437ef943da023320 Mon Sep 17 00:00:00 2001 From: Karthik Bhargavan Date: Sat, 24 Feb 2024 10:25:08 +0100 Subject: [PATCH 12/28] linux testing --- src/hacl/sha3.rs | 15 ++-- src/kem/kyber/hash_functions.rs | 95 +++++++++------------ sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h | 4 +- sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c | 9 +- sys/pqclean/src/bindings.rs | 2 +- 5 files changed, 59 insertions(+), 66 deletions(-) diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index cf9db1189..c231f3bbf 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -308,12 +308,13 @@ pub mod incremental_x4 { /// /// Handle to internal SHAKE 129 state - pub struct Shake128State { + pub struct Shake128StateX4 { state: *mut Lib_IntVector_Intrinsics_vec256, } impl Shake128StateX4 { pub fn new() -> Self { + println!("allocating shake128statex4 state"); let state = Self { state: unsafe { Hacl_Hash_SHA3_Simd256_state_malloc() }, }; @@ -330,13 +331,13 @@ pub mod incremental_x4 { ) { debug_assert!( input0.len() == input1.len() - && input0.len() == input2.len() - && input0.len() == input3.len() + && input0.len() == input2.len() + && input0.len() == input3.len() ); debug_assert!(input0.len() % 168 == 0); unsafe { - Hacl_Hash_SHA3_Scimd256_shake128_absorb_nblocks( + Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks( self.state, input0.as_ptr() as _, input1.as_ptr() as _, @@ -348,10 +349,11 @@ pub mod incremental_x4 { } pub fn absorb_final(&mut self, input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) { + println!("absorbing shake128statex4 state"); debug_assert!( input0.len() == input1.len() - && input0.len() == input2.len() - && input0.len() == input3.len() + && input0.len() == input2.len() + && input0.len() == input3.len() ); debug_assert!(input0.len() < 168); @@ -385,6 +387,7 @@ pub mod incremental_x4 { } impl Drop for Shake128StateX4 { fn drop(&mut self) { + println!("dropping shake128statex4 state"); unsafe { Hacl_Hash_SHA3_Simd256_state_free(self.state) } } } diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index c014ea90d..b6fc37d6c 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -1,5 +1,6 @@ #![allow(non_snake_case)] +#[cfg(not(simd256))] use digest::{shake128_absorb_final, shake128_init, shake128_squeeze_nblocks, Shake128State}; #[cfg(simd256)] use digest::{ @@ -65,7 +66,9 @@ pub(crate) fn XOF_squeeze_block(xof_state: &mut XofState) -> // The following API uses the repeated squeeze API // The second version uses SIMD256 SHAKE 128 #[cfg(simd256)] -type XofState = X4(crate::digest::Shake128StateX4); +pub(crate) struct XofState { + state: crate::digest::Shake128StateX4 +} #[cfg(simd256)] #[inline(always)] @@ -73,21 +76,19 @@ pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { let mut state: Shake128StateX4 = shake128_init_x4(); match K { 2 => { - shake128_absorb_final_x4(&mut state, input[0], input[1], input[0], input[0]); - state + shake128_absorb_final_x4(&mut state, &input[0], &input[1], &input[0], &input[0]); } 3 => { - shake128_absorb_final_x4(&mut state, input[0], input[1], input[2], input[0]); - state + shake128_absorb_final_x4(&mut state, &input[0], &input[1], &input[2], &input[0]); } 4 => { - shake128_absorb_final_x4(&mut state, input[0], input[1], input[2], input[3]); - state + shake128_absorb_final_x4(&mut state, &input[0], &input[1], &input[2], &input[3]); } _ => { unreachable!() } } + XofState {state} } #[cfg(simd256)] @@ -96,82 +97,70 @@ pub(crate) fn XOF_squeeze_three_blocks( state: &mut XofState, ) -> [[u8; 168 * 3]; K] { let mut output = [[0; 168 * 3]; K]; - let mut tmp = [[0; 168 * 3]; 2]; match K { 2 => { - shake128_squeeze_nblocks_x4( - &mut state, - &mut output[0], - &mut output[1], - &mut tmp[0], - &mut tmp[1], + let tmp = shake128_squeeze_nblocks_x4( + &mut state.state ); - output + output[0] = tmp[0]; + output[1] = tmp[1]; } 3 => { - shake128_squeeze_nblocks_x4( - &mut state, - &mut output[0], - &mut output[1], - &mut output[2], - &mut tmp[1], + let tmp = shake128_squeeze_nblocks_x4( + &mut state.state ); - output + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; } 4 => { - shake128_squeeze_nblocks_x4( - &mut state, - &mut output[0], - &mut output[1], - &mut output[2], - &mut output[3], - ); - output + let tmp = shake128_squeeze_nblocks_x4( + &mut state.state + ); + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; + output[3] = tmp[3]; } _ => { unreachable!() } } + output } #[cfg(simd256)] #[inline(always)] pub(crate) fn XOF_squeeze_block(state: &mut XofState) -> [[u8; 168]; K] { let mut output: [[u8; 168]; K] = [[0; 168]; K]; - let mut tmp = [[0; 168 * 3]; 2]; match K { 2 => { - shake128_squeeze_nblocks_x4( - &mut state, - &mut output[0], - &mut output[1], - &mut tmp[0], - &mut tmp[1], + let tmp = shake128_squeeze_nblocks_x4( + &mut state.state ); - output + output[0] = tmp[0]; + output[1] = tmp[1]; } 3 => { - shake128_squeeze_nblocks_x4( - &mut state, - &mut output[0], - &mut output[1], - &mut output[2], - &mut tmp[1], + let tmp = shake128_squeeze_nblocks_x4( + &mut state.state ); - output + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; } 4 => { - shake128_squeeze_nblocks_x4( - &mut state, - &mut output[0], - &mut output[1], - &mut output[2], - &mut output[3], - ); - output + let tmp = shake128_squeeze_nblocks_x4( + &mut state.state + ); + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; + output[3] = tmp[3]; } _ => { unreachable!() } } + output } diff --git a/sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h b/sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h index 302094a43..f38bf7cbb 100644 --- a/sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h +++ b/sys/hacl/c/include/Hacl_Hash_SHA3_Simd256.h @@ -141,12 +141,12 @@ Hacl_Hash_SHA3_Simd256_sha3_512( /** Allocate quadruple state buffer (200-bytes for each) */ -uint64_t *Hacl_Hash_SHA3_Simd256_state_malloc(void); +Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_SHA3_Simd256_state_malloc(void); /** Free quadruple state buffer */ -void Hacl_Hash_SHA3_Simd256_state_free(uint64_t *s); +void Hacl_Hash_SHA3_Simd256_state_free(Lib_IntVector_Intrinsics_vec256 *s); /** Absorb number of blocks of 4 input buffers and write the output states diff --git a/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c b/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c index 9046f3dbe..8baad8f19 100644 --- a/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c +++ b/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c @@ -9917,13 +9917,13 @@ Hacl_Hash_SHA3_Simd256_sha3_512( memcpy(b36 + 64U - remOut, hbuf + 768U, remOut * sizeof (uint8_t)); } -uint64_t *Hacl_Hash_SHA3_Simd256_state_malloc(void) +Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_SHA3_Simd256_state_malloc(void) { - uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(100U, sizeof (uint64_t)); + Lib_IntVector_Intrinsics_vec256 *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_HOST_CALLOC(25U, sizeof (Lib_IntVector_Intrinsics_vec256)); return buf; } -void Hacl_Hash_SHA3_Simd256_state_free(uint64_t *s) +void Hacl_Hash_SHA3_Simd256_state_free(Lib_IntVector_Intrinsics_vec256 *s) { KRML_HOST_FREE(s); } @@ -10623,7 +10623,8 @@ Hacl_Hash_SHA3_Simd256_shake128_absorb_final( ws[31U] = ws310; for (uint32_t i = 0U; i < 25U; i++) { - state[i] = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws[i]); + Lib_IntVector_Intrinsics_vec256 tmp = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws[i]); + state[i] = tmp; } uint8_t b04[256U] = { 0U }; uint8_t b14[256U] = { 0U }; diff --git a/sys/pqclean/src/bindings.rs b/sys/pqclean/src/bindings.rs index d50f83289..59a2d73d9 100644 --- a/sys/pqclean/src/bindings.rs +++ b/sys/pqclean/src/bindings.rs @@ -1,4 +1,4 @@ -/* automatically generated by rust-bindgen 0.69.2 */ +/* automatically generated by rust-bindgen 0.69.1 */ pub const SHAKE128_RATE: u32 = 168; pub const SHAKE256_RATE: u32 = 136; From 4acdf817dd97ee3166d61b0cdc29b7af51a62464 Mon Sep 17 00:00:00 2001 From: Karthik Bhargavan Date: Sat, 24 Feb 2024 12:52:55 +0100 Subject: [PATCH 13/28] aligned malloc and initialization --- sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c b/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c index 8baad8f19..91fe6695b 100644 --- a/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c +++ b/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c @@ -9919,13 +9919,16 @@ Hacl_Hash_SHA3_Simd256_sha3_512( Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_SHA3_Simd256_state_malloc(void) { - Lib_IntVector_Intrinsics_vec256 *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_HOST_CALLOC(25U, sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32,25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + for (int i = 0; i < 25; i++){ + buf[i] = Lib_IntVector_Intrinsics_vec256_zero; + } return buf; } void Hacl_Hash_SHA3_Simd256_state_free(Lib_IntVector_Intrinsics_vec256 *s) { - KRML_HOST_FREE(s); + KRML_ALIGNED_FREE(s); } void From 7dd3040f62b6d97afd76439b063e6aec21f0693e Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Wed, 28 Feb 2024 07:37:20 +0100 Subject: [PATCH 14/28] tested on mac --- src/digest.rs | 208 +++++++++++++++++++++++++++++++- src/kem/kyber/hash_functions.rs | 159 ++++++++---------------- src/kem/kyber/sampling.rs | 8 +- 3 files changed, 259 insertions(+), 116 deletions(-) diff --git a/src/digest.rs b/src/digest.rs index 6b2ab548e..4065f7167 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -364,7 +364,7 @@ pub fn shake128(data: &[u8]) -> [u8; LEN] { sha3::shake128(data) } -/// SHAKE 128 Incremental API (Scalar) +/// SHAKE 128 Incremental API (Scalar - SIMD X4) pub struct Shake128State(sha3::incremental::Shake128State); pub fn shake128_init() -> Shake128State { @@ -387,13 +387,24 @@ pub fn shake128_squeeze_nblocks( /// SHAKE 128 Incremental API (SIMD) #[cfg(simd256)] -pub struct Shake128StateX4(sha3::incremental_x4::Shake128StateX4); +pub struct Shake128StateX4(sha3::incremental::Shake128StateX4); + +#[cfg(not(simd256))] +pub struct Shake128StateX4([sha3::incremental::Shake128State;4]); #[cfg(simd256)] pub fn shake128_init_x4() -> Shake128StateX4 { Shake128StateX4(sha3::incremental_x4::Shake128StateX4::new()) } +#[cfg(not(simd256))] +pub fn shake128_init_x4() -> Shake128StateX4 { + Shake128StateX4([sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new()]) +} + #[cfg(simd256)] pub fn shake128_absorb_nblocks_x4( st: &mut Shake128StateX4, @@ -405,6 +416,20 @@ pub fn shake128_absorb_nblocks_x4( st.0.absorb_nblocks(data0, data1, data2, data3); } +#[cfg(not(simd256))] +pub fn shake128_absorb_nblocks_x4( + st: &mut Shake128StateX4, + data0: &[u8], + data1: &[u8], + data2: &[u8], + data3: &[u8], +) { + st.0[0].absorb_nblocks(data0); + st.0[1].absorb_nblocks(data1); + st.0[2].absorb_nblocks(data2); + st.0[3].absorb_nblocks(data3); +} + #[cfg(simd256)] pub fn shake128_absorb_final_x4( st: &mut Shake128StateX4, @@ -416,6 +441,20 @@ pub fn shake128_absorb_final_x4( st.0.absorb_final(data0, data1, data2, data3); } +#[cfg(not(simd256))] +pub fn shake128_absorb_final_x4( + st: &mut Shake128StateX4, + data0: &[u8], + data1: &[u8], + data2: &[u8], + data3: &[u8], +) { + st.0[0].absorb_final(data0); + st.0[1].absorb_final(data1); + st.0[2].absorb_final(data2); + st.0[3].absorb_final(data3); +} + #[cfg(simd256)] pub fn shake128_squeeze_nblocks_x4( st: &mut Shake128StateX4, @@ -423,6 +462,171 @@ pub fn shake128_squeeze_nblocks_x4( st.0.squeeze_nblocks() } +#[cfg(not(simd256))] +pub fn shake128_squeeze_nblocks_x4( + st: &mut Shake128StateX4, +) -> [[u8; OUTPUT_BYTES]; 4] { + let out0: [u8; OUTPUT_BYTES] = st.0[0].squeeze_nblocks(); + let out1: [u8; OUTPUT_BYTES] = st.0[1].squeeze_nblocks(); + let out2: [u8; OUTPUT_BYTES] = st.0[2].squeeze_nblocks(); + let out3: [u8; OUTPUT_BYTES] = st.0[3].squeeze_nblocks(); + [out0,out1,out2,out3] +} + +/// SHAKE 128 Incremental API (SIMD) +#[cfg(simd256)] +pub struct Shake128StateX2(sha3::incremental::Shake128StateX4); + +#[cfg(not(simd256))] +pub struct Shake128StateX2([sha3::incremental::Shake128State;2]); + +#[cfg(simd256)] +pub fn shake128_init_x2() -> Shake128StateX2 { + Shake128StateX2(sha3::incremental_x4::Shake128StateX4::new()) +} + +#[cfg(not(simd256))] +pub fn shake128_init_x2() -> Shake128StateX2 { + Shake128StateX2([sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + ]) +} + +#[cfg(simd256)] +pub fn shake128_absorb_nblocks_x2( + st: &mut Shake128StateX2, + data0: &[u8], + data1: &[u8], +) { + st.0.absorb_nblocks(data0, data1, data0, data1); +} + +#[cfg(not(simd256))] +pub fn shake128_absorb_nblocks_x2( + st: &mut Shake128StateX2, + data0: &[u8], + data1: &[u8], +) { + st.0[0].absorb_nblocks(data0); + st.0[1].absorb_nblocks(data1); +} + +#[cfg(simd256)] +pub fn shake128_absorb_final_x2( + st: &mut Shake128StateX2, + data0: &[u8], + data1: &[u8], +) { + st.0.absorb_final(data0, data1, data0, data1); +} + +#[cfg(not(simd256))] +pub fn shake128_absorb_final_x2( + st: &mut Shake128StateX2, + data0: &[u8], + data1: &[u8], +) { + st.0[0].absorb_final(data0); + st.0[1].absorb_final(data1); +} + +#[cfg(simd256)] +pub fn shake128_squeeze_nblocks_x2( + st: &mut Shake128StateX2, +) -> [[u8; OUTPUT_BYTES]; 2] { + st.0.squeeze_nblocks()[0..1] +} + +#[cfg(not(simd256))] +pub fn shake128_squeeze_nblocks_x2( + st: &mut Shake128StateX2, +) -> [[u8; OUTPUT_BYTES]; 2] { + let out0: [u8; OUTPUT_BYTES] = st.0[0].squeeze_nblocks(); + let out1: [u8; OUTPUT_BYTES] = st.0[1].squeeze_nblocks(); + [out0,out1] +} + +/// SHAKE 128 Incremental API (SIMD) +#[cfg(simd256)] +pub struct Shake128StateX3(sha3::incremental::Shake128StateX4); + +#[cfg(not(simd256))] +pub struct Shake128StateX3([sha3::incremental::Shake128State;3]); + +#[cfg(simd256)] +pub fn shake128_init_x3() -> Shake128StateX3 { + Shake128StateX3(sha3::incremental_x4::Shake128StateX4::new()) +} + +#[cfg(not(simd256))] +pub fn shake128_init_x3() -> Shake128StateX3 { + Shake128StateX3([sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + ]) +} + +#[cfg(simd256)] +pub fn shake128_absorb_nblocks_x3( + st: &mut Shake128StateX3, + data0: &[u8], + data1: &[u8], + data2: &[u8], +) { + st.0.absorb_nblocks(data0, data1, data2, data0); +} + +#[cfg(not(simd256))] +pub fn shake128_absorb_nblocks_x3( + st: &mut Shake128StateX3, + data0: &[u8], + data1: &[u8], + data2: &[u8], +) { + st.0[0].absorb_nblocks(data0); + st.0[1].absorb_nblocks(data1); + st.0[2].absorb_nblocks(data2); +} + +#[cfg(simd256)] +pub fn shake128_absorb_final_x3( + st: &mut Shake128StateX3, + data0: &[u8], + data1: &[u8], + data2: &[u8], +) { + st.0.absorb_final(data0, data1, data2, data0); +} + +#[cfg(not(simd256))] +pub fn shake128_absorb_final_x3( + st: &mut Shake128StateX3, + data0: &[u8], + data1: &[u8], + data2: &[u8], +) { + st.0[0].absorb_final(data0); + st.0[1].absorb_final(data1); + st.0[2].absorb_final(data2); +} + +#[cfg(simd256)] +pub fn shake128_squeeze_nblocks_x3( + st: &mut Shake128StateX3, +) -> [[u8; OUTPUT_BYTES]; 3] { + st.0.squeeze_nblocks()[0..2] +} + +#[cfg(not(simd256))] +pub fn shake128_squeeze_nblocks_x3( + st: &mut Shake128StateX3, +) -> [[u8; OUTPUT_BYTES]; 3] { + let out0: [u8; OUTPUT_BYTES] = st.0[0].squeeze_nblocks(); + let out1: [u8; OUTPUT_BYTES] = st.0[1].squeeze_nblocks(); + let out2: [u8; OUTPUT_BYTES] = st.0[2].squeeze_nblocks(); + [out0,out1,out2] +} + /// SHAKE 256 /// /// The caller must define the size of the output in the return type. diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index b6fc37d6c..36127b282 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -1,13 +1,5 @@ #![allow(non_snake_case)] -#[cfg(not(simd256))] -use digest::{shake128_absorb_final, shake128_init, shake128_squeeze_nblocks, Shake128State}; -#[cfg(simd256)] -use digest::{ - shake128_absorb_final_x4, shake128_init_x4, shake128_squeeze_nblocks_x4, Shake128StateX4, -}; -// use libcrux_platform::simd256_support; - use crate::digest::{self, digest_size, Algorithm}; use super::constants::H_DIGEST_SIZE; @@ -26,141 +18,86 @@ pub(crate) fn PRF(input: &[u8]) -> [u8; LEN] { // The following API uses the repeated squeeze API // The first version uses Scalar SHAKE 128 -#[cfg(not(simd256))] -pub(crate) struct XofState { - states: [Shake128State; K], -} - -#[cfg(not(simd256))] -#[inline(always)] -pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { - let mut states = core::array::from_fn(|_| shake128_init()); - for i in 0..K { - shake128_absorb_final(&mut states[i], &input[i]); - } - XofState { states } -} - -#[cfg(not(simd256))] -#[inline(always)] -pub(crate) fn XOF_squeeze_three_blocks( - xof_state: &mut XofState, -) -> [[u8; 168 * 3]; K] { - let mut blocks = [[0; 168 * 3]; K]; - for i in 0..K { - blocks[i] = shake128_squeeze_nblocks(&mut xof_state.states[i]); - } - blocks -} - -#[cfg(not(simd256))] -#[inline(always)] -pub(crate) fn XOF_squeeze_block(xof_state: &mut XofState) -> [[u8; 168]; K] { - let mut block: [[u8; 168]; K] = [[0; 168]; K]; - for i in 0..K { - block[i] = shake128_squeeze_nblocks(&mut xof_state.states[i]); - } - block -} - -// The following API uses the repeated squeeze API -// The second version uses SIMD256 SHAKE 128 -#[cfg(simd256)] -pub(crate) struct XofState { - state: crate::digest::Shake128StateX4 +pub(crate) enum XofState { + X2(digest::Shake128StateX2), + X3(digest::Shake128StateX3), + X4(digest::Shake128StateX4), } -#[cfg(simd256)] #[inline(always)] pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { - let mut state: Shake128StateX4 = shake128_init_x4(); match K { - 2 => { - shake128_absorb_final_x4(&mut state, &input[0], &input[1], &input[0], &input[0]); - } - 3 => { - shake128_absorb_final_x4(&mut state, &input[0], &input[1], &input[2], &input[0]); - } - 4 => { - shake128_absorb_final_x4(&mut state, &input[0], &input[1], &input[2], &input[3]); + 2 => {let mut state = digest::shake128_init_x2(); + digest::shake128_absorb_final_x2(&mut state, &input[0], &input[1]); + XofState::X2(state)}, + 3 => {let mut state = digest::shake128_init_x3(); + digest::shake128_absorb_final_x3(&mut state, &input[0], &input[1], &input[2]); + XofState::X3(state)}, + 4 => {let mut state = digest::shake128_init_x4(); + digest::shake128_absorb_final_x4(&mut state, &input[0], &input[1], &input[2], &input[3]); + XofState::X4(state)}, + _ => unreachable!() } - _ => { - unreachable!() - } - } - XofState {state} } -#[cfg(simd256)] #[inline(always)] pub(crate) fn XOF_squeeze_three_blocks( - state: &mut XofState, -) -> [[u8; 168 * 3]; K] { + xof_state: XofState, +) -> ([[u8; 168 * 3]; K],XofState) { let mut output = [[0; 168 * 3]; K]; - match K { - 2 => { - let tmp = shake128_squeeze_nblocks_x4( - &mut state.state - ); + match (K, xof_state) { + (2, XofState::X2(mut st)) => { + let tmp = digest::shake128_squeeze_nblocks_x2::<504>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; - } - 3 => { - let tmp = shake128_squeeze_nblocks_x4( - &mut state.state - ); + (output,XofState::X2(st)) + }, + (3, XofState::X3(mut st)) => { + let tmp = digest::shake128_squeeze_nblocks_x3::<504>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; output[2] = tmp[2]; - } - 4 => { - let tmp = shake128_squeeze_nblocks_x4( - &mut state.state - ); + (output,XofState::X3(st)) + }, + (4, XofState::X4(mut st)) => { + let tmp = digest::shake128_squeeze_nblocks_x4::<504>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; output[2] = tmp[2]; output[3] = tmp[3]; - } - _ => { - unreachable!() - } + (output,XofState::X4(st)) + }, + _ => unreachable!() } - output } -#[cfg(simd256)] #[inline(always)] -pub(crate) fn XOF_squeeze_block(state: &mut XofState) -> [[u8; 168]; K] { - let mut output: [[u8; 168]; K] = [[0; 168]; K]; - match K { - 2 => { - let tmp = shake128_squeeze_nblocks_x4( - &mut state.state - ); +pub(crate) fn XOF_squeeze_block( + xof_state: XofState, +) -> ([[u8; 168]; K],XofState) { + let mut output = [[0; 168]; K]; + match (K, xof_state) { + (2, XofState::X2(mut st)) => { + let tmp = digest::shake128_squeeze_nblocks_x2::<168>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; - } - 3 => { - let tmp = shake128_squeeze_nblocks_x4( - &mut state.state - ); + (output,XofState::X2(st)) + }, + (3, XofState::X3(mut st)) => { + let tmp = digest::shake128_squeeze_nblocks_x3::<168>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; output[2] = tmp[2]; - } - 4 => { - let tmp = shake128_squeeze_nblocks_x4( - &mut state.state - ); + (output,XofState::X3(st)) + }, + (4, XofState::X4(mut st)) => { + let tmp = digest::shake128_squeeze_nblocks_x4::<168>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; output[2] = tmp[2]; output[3] = tmp[3]; - } - _ => { - unreachable!() - } + (output,XofState::X4(st)) + }, + _ => unreachable!() } - output } diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs index 2202f8a42..194a16c95 100644 --- a/src/kem/kyber/sampling.rs +++ b/src/kem/kyber/sampling.rs @@ -79,8 +79,9 @@ pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingE let mut sampled_coefficients: [usize; K] = [0; K]; let mut out: [PolynomialRingElement; K] = [PolynomialRingElement::ZERO; K]; - let mut xof_states = XOF_absorb::(seeds); - let randomness = XOF_squeeze_three_blocks(&mut xof_states); + let mut xof_state = XOF_absorb::(seeds); + let (randomness,new_state) = XOF_squeeze_three_blocks(xof_state); + xof_state = new_state; let mut done = sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); @@ -89,7 +90,8 @@ pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingE // unlikely according to: // https://eprint.iacr.org/2023/708.pdf while !done { - let randomness = XOF_squeeze_block(&mut xof_states); + let (randomness, new_state) = XOF_squeeze_block(xof_state); + xof_state = new_state; done = sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); } From 8b45a5ffa7a24dacbd4e0707578b621c963cacd8 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Wed, 28 Feb 2024 08:16:27 +0100 Subject: [PATCH 15/28] fix matching on K for hax --- src/kem/kyber/hash_functions.rs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index 36127b282..d629e6d75 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -26,7 +26,7 @@ pub(crate) enum XofState { #[inline(always)] pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { - match K { + match K as u8 { 2 => {let mut state = digest::shake128_init_x2(); digest::shake128_absorb_final_x2(&mut state, &input[0], &input[1]); XofState::X2(state)}, @@ -45,7 +45,7 @@ pub(crate) fn XOF_squeeze_three_blocks( xof_state: XofState, ) -> ([[u8; 168 * 3]; K],XofState) { let mut output = [[0; 168 * 3]; K]; - match (K, xof_state) { + match (K as u8, xof_state) { (2, XofState::X2(mut st)) => { let tmp = digest::shake128_squeeze_nblocks_x2::<504>(&mut st); output[0] = tmp[0]; @@ -76,7 +76,7 @@ pub(crate) fn XOF_squeeze_block( xof_state: XofState, ) -> ([[u8; 168]; K],XofState) { let mut output = [[0; 168]; K]; - match (K, xof_state) { + match (K as u8, xof_state) { (2, XofState::X2(mut st)) => { let tmp = digest::shake128_squeeze_nblocks_x2::<168>(&mut st); output[0] = tmp[0]; From f96d03da22b197ebb9990e5167695e0c8436041d Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Wed, 28 Feb 2024 08:29:09 +0100 Subject: [PATCH 16/28] eurydice --- proofs/fstar/extraction/Libcrux.Digest.fsti | 40 ++- .../Libcrux.Kem.Kyber.Hash_functions.fst | 286 ++++++++++++------ .../Libcrux.Kem.Kyber.Hash_functions.fsti | 9 +- .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fst | 172 +++++------ .../extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti | 16 +- .../Libcrux.Kem.Kyber.Kyber1024.fst | 28 +- .../Libcrux.Kem.Kyber.Kyber1024.fsti | 10 +- .../extraction/Libcrux.Kem.Kyber.Kyber512.fst | 28 +- .../Libcrux.Kem.Kyber.Kyber512.fsti | 10 +- .../extraction/Libcrux.Kem.Kyber.Kyber768.fst | 28 +- .../Libcrux.Kem.Kyber.Kyber768.fsti | 10 +- .../extraction/Libcrux.Kem.Kyber.Sampling.fst | 40 ++- proofs/fstar/extraction/Libcrux.Kem.Kyber.fst | 50 +-- .../fstar/extraction/Libcrux.Kem.Kyber.fsti | 10 +- src/kem/kyber/hash_functions.rs | 12 +- 15 files changed, 434 insertions(+), 315 deletions(-) diff --git a/proofs/fstar/extraction/Libcrux.Digest.fsti b/proofs/fstar/extraction/Libcrux.Digest.fsti index ff6b336ff..151a84907 100644 --- a/proofs/fstar/extraction/Libcrux.Digest.fsti +++ b/proofs/fstar/extraction/Libcrux.Digest.fsti @@ -12,13 +12,41 @@ val sha3_512_ (payload: t_Slice u8) val shake256 (v_LEN: usize) (data: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -type t_Shake128State +type t_Shake128StateX2 = +type t_Shake128StateX3 = -val shake128_absorb_final (st: t_Shake128State) (data: t_Slice u8) - : Prims.Pure t_Shake128State Prims.l_True (fun _ -> Prims.l_True) +type t_Shake128StateX4 = -val shake128_init: Prims.unit -> Prims.Pure t_Shake128State Prims.l_True (fun _ -> Prims.l_True) +val shake128_absorb_final_x2 (st: t_Shake128StateX2) (data0 data1: t_Slice u8) + : Prims.Pure t_Shake128StateX2 Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_nblocks (v_OUTPUT_BYTES: usize) (st: t_Shake128State) - : Prims.Pure (t_Shake128State & t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True) +val shake128_absorb_final_x3 (st: t_Shake128StateX3) (data0 data1 data2: t_Slice u8) + : Prims.Pure t_Shake128StateX3 Prims.l_True (fun _ -> Prims.l_True) + +val shake128_absorb_final_x4 (st: t_Shake128StateX4) (data0 data1 data2 data3: t_Slice u8) + : Prims.Pure t_Shake128StateX4 Prims.l_True (fun _ -> Prims.l_True) + +val shake128_init_x2: Prims.unit + -> Prims.Pure t_Shake128StateX2 Prims.l_True (fun _ -> Prims.l_True) + +val shake128_init_x3: Prims.unit + -> Prims.Pure t_Shake128StateX3 Prims.l_True (fun _ -> Prims.l_True) + +val shake128_init_x4: Prims.unit + -> Prims.Pure t_Shake128StateX4 Prims.l_True (fun _ -> Prims.l_True) + +val shake128_squeeze_nblocks_x2 (v_OUTPUT_BYTES: usize) (st: t_Shake128StateX2) + : Prims.Pure (t_Shake128StateX2 & t_Array (t_Array u8 v_OUTPUT_BYTES) (sz 2)) + Prims.l_True + (fun _ -> Prims.l_True) + +val shake128_squeeze_nblocks_x3 (v_OUTPUT_BYTES: usize) (st: t_Shake128StateX3) + : Prims.Pure (t_Shake128StateX3 & t_Array (t_Array u8 v_OUTPUT_BYTES) (sz 3)) + Prims.l_True + (fun _ -> Prims.l_True) + +val shake128_squeeze_nblocks_x4 (v_OUTPUT_BYTES: usize) (st: t_Shake128StateX4) + : Prims.Pure (t_Shake128StateX4 & t_Array (t_Array u8 v_OUTPUT_BYTES) (sz 4)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst index a9c22ab57..b87b1ff40 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst @@ -10,112 +10,202 @@ let v_H (input: t_Slice u8) = Libcrux.Digest.sha3_256_ input let v_PRF (v_LEN: usize) (input: t_Slice u8) = Libcrux.Digest.shake256 v_LEN input let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = - let states:t_Array Libcrux.Digest.t_Shake128State v_K = - Core.Array.from_fn v_K - (fun temp_0_ -> - let _:usize = temp_0_ in - Libcrux.Digest.shake128_init () <: Libcrux.Digest.t_Shake128State) - in - let states:t_Array Libcrux.Digest.t_Shake128State v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } - <: - Core.Ops.Range.t_Range usize) + match cast (v_K <: usize) <: u8 with + | 2uy -> + let state:Libcrux.Digest.t_Shake128StateX2 = Libcrux.Digest.shake128_init_x2 () in + let state:Libcrux.Digest.t_Shake128StateX2 = + Libcrux.Digest.shake128_absorb_final_x2 state + (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + in + XofState_X2 state <: t_XofState v_K + | 3uy -> + let state:Libcrux.Digest.t_Shake128StateX3 = Libcrux.Digest.shake128_init_x3 () in + let state:Libcrux.Digest.t_Shake128StateX3 = + Libcrux.Digest.shake128_absorb_final_x3 state + (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + in + XofState_X3 state <: t_XofState v_K + | 4uy -> + let state:Libcrux.Digest.t_Shake128StateX4 = Libcrux.Digest.shake128_init_x4 () in + let state:Libcrux.Digest.t_Shake128StateX4 = + Libcrux.Digest.shake128_absorb_final_x4 state + (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + (Rust_primitives.unsize (input.[ sz 3 ] <: t_Array u8 (sz 34)) <: t_Slice u8) + in + XofState_X4 state <: t_XofState v_K + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + <: - Core.Ops.Range.t_Range usize) - states - (fun states i -> - let states:t_Array Libcrux.Digest.t_Shake128State v_K = states in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize states - i - (Libcrux.Digest.shake128_absorb_final (states.[ i ] <: Libcrux.Digest.t_Shake128State) - (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) - <: - Libcrux.Digest.t_Shake128State) - <: - t_Array Libcrux.Digest.t_Shake128State v_K) - in - { f_states = states } <: t_XofState v_K + Rust_primitives.Hax.t_Never) let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = - let (block: t_Array (t_Array u8 (sz 168)) v_K):t_Array (t_Array u8 (sz 168)) v_K = + let output:t_Array (t_Array u8 (sz 168)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K in - let block, xof_state:(t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } - <: - Core.Ops.Range.t_Range usize) + match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState v_K) with + | 2uy, XofState_X2 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 168)) (sz 2)) = + Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 168) st + in + let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 168)) (sz 2) = out in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) + in + output, (XofState_X2 st <: t_XofState v_K) + <: + (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) + | 3uy, XofState_X3 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 168)) (sz 3)) = + Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 168) st + in + let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 168)) (sz 3) = out in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 2) + (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) + in + output, (XofState_X3 st <: t_XofState v_K) + <: + (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) + | 4uy, XofState_X4 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) (sz 4)) = + Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 168) st + in + let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 168)) (sz 4) = out in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 2) + (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 3) + (tmp.[ sz 3 ] <: t_Array u8 (sz 168)) + in + output, (XofState_X4 st <: t_XofState v_K) + <: + (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + <: - Core.Ops.Range.t_Range usize) - (block, xof_state <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K)) - (fun temp_0_ i -> - let block, xof_state:(t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) = temp_0_ in - let i:usize = i in - let tmp0, out:(Libcrux.Digest.t_Shake128State & t_Array u8 (sz 168)) = - Libcrux.Digest.shake128_squeeze_nblocks (sz 168) - (xof_state.f_states.[ i ] <: Libcrux.Digest.t_Shake128State) - in - let xof_state:t_XofState v_K = - { - xof_state with - f_states - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize xof_state.f_states i tmp0 - } - <: - t_XofState v_K - in - let hoist21:t_Array u8 (sz 168) = out in - let hoist22:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize block i hoist21 - in - hoist22, xof_state <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K)) - in - let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = block in - xof_state, hax_temp_output <: (t_XofState v_K & t_Array (t_Array u8 (sz 168)) v_K) + Rust_primitives.Hax.t_Never) let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = - let blocks:t_Array (t_Array u8 (sz 504)) v_K = + let output:t_Array (t_Array u8 (sz 504)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K in - let blocks, xof_state:(t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } - <: - Core.Ops.Range.t_Range usize) + match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState v_K) with + | 2uy, XofState_X2 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 504)) (sz 2)) = + Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 504) st + in + let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 504)) (sz 2) = out in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) + in + output, (XofState_X2 st <: t_XofState v_K) + <: + (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) + | 3uy, XofState_X3 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 504)) (sz 3)) = + Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 504) st + in + let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 504)) (sz 3) = out in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 2) + (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) + in + output, (XofState_X3 st <: t_XofState v_K) + <: + (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) + | 4uy, XofState_X4 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) (sz 4)) = + Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 504) st + in + let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 504)) (sz 4) = out in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 2) + (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 3) + (tmp.[ sz 3 ] <: t_Array u8 (sz 504)) + in + output, (XofState_X4 st <: t_XofState v_K) + <: + (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + <: - Core.Ops.Range.t_Range usize) - (blocks, xof_state <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K)) - (fun temp_0_ i -> - let blocks, xof_state:(t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) = temp_0_ in - let i:usize = i in - let tmp0, out:(Libcrux.Digest.t_Shake128State & t_Array u8 (sz 504)) = - Libcrux.Digest.shake128_squeeze_nblocks (sz 504) - (xof_state.f_states.[ i ] <: Libcrux.Digest.t_Shake128State) - in - let xof_state:t_XofState v_K = - { - xof_state with - f_states - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize xof_state.f_states i tmp0 - } - <: - t_XofState v_K - in - let hoist23:t_Array u8 (sz 504) = out in - let hoist24:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize blocks i hoist23 - in - hoist24, xof_state <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K)) - in - let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = blocks in - xof_state, hax_temp_output <: (t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K) + Rust_primitives.Hax.t_Never) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti index 472825a59..c1f70a2b1 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti @@ -10,17 +10,20 @@ val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun val v_PRF (v_LEN: usize) (input: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -type t_XofState (v_K: usize) = { f_states:t_Array Libcrux.Digest.t_Shake128State v_K } +type t_XofState (v_K: usize) = + | XofState_X2 : Libcrux.Digest.t_Shake128StateX2 -> t_XofState v_K + | XofState_X3 : Libcrux.Digest.t_Shake128StateX3 -> t_XofState v_K + | XofState_X4 : Libcrux.Digest.t_Shake128StateX4 -> t_XofState v_K val v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure (t_XofState v_K) Prims.l_True (fun _ -> Prims.l_True) val v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) - : Prims.Pure (t_XofState v_K & t_Array (t_Array u8 (sz 168)) v_K) + : Prims.Pure (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) Prims.l_True (fun _ -> Prims.l_True) val v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) - : Prims.Pure (t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K) + : Prims.Pure (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst index 748683122..263bd0153 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fst @@ -334,6 +334,92 @@ let decrypt in Libcrux.Kem.Kyber.Serialize.compress_then_serialize_message message +let encrypt + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: t_Slice u8) + (message: t_Array u8 (sz 32)) + (randomness: t_Slice u8) + = + let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + deserialize_public_key v_K + (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeTo usize ] + <: + t_Slice u8) + in + let seed:t_Slice u8 = + public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + in + let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = + Libcrux.Kem.Kyber.Matrix.sample_matrix_A v_K + (into_padded_array (sz 34) seed <: t_Array u8 (sz 34)) + false + in + let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = into_padded_array (sz 33) randomness in + let r_as_ntt, domain_separator:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & + u8) = + sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input 0uy + in + let tmp0, tmp1, out:(t_Array u8 (sz 33) & u8 & + t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = + sample_ring_element_cbd v_K v_ETA2_RANDOMNESS_SIZE v_ETA2 prf_input domain_separator + in + let prf_input:t_Array u8 (sz 33) = tmp0 in + let domain_separator:u8 = tmp1 in + let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = out in + let prf_input:t_Array u8 (sz 33) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator + in + let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE = + Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE + (Rust_primitives.unsize prf_input <: t_Slice u8) + in + let error_2_:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2 + (Rust_primitives.unsize prf_output <: t_Slice u8) + in + let u:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Libcrux.Kem.Kyber.Matrix.compute_vector_u v_K v_A_transpose r_as_ntt error_1_ + in + let message_as_ring_element:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Libcrux.Kem.Kyber.Serialize.deserialize_then_decompress_message message + in + let v:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + Libcrux.Kem.Kyber.Matrix.compute_ring_element_v v_K + tt_as_ntt + r_as_ntt + error_2_ + message_as_ring_element + in + let c1:t_Array u8 v_C1_LEN = + compress_then_serialize_u v_K v_C1_LEN v_U_COMPRESSION_FACTOR v_BLOCK_LEN u + in + let c2:t_Array u8 v_C2_LEN = + Libcrux.Kem.Kyber.Serialize.compress_then_serialize_ring_element_v v_V_COMPRESSION_FACTOR + v_C2_LEN + v + in + let (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE):t_Array u8 v_CIPHERTEXT_SIZE = + into_padded_array v_CIPHERTEXT_SIZE (Rust_primitives.unsize c1 <: t_Slice u8) + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext + ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (Core.Array.impl_23__as_slice v_C2_LEN c2 <: t_Slice u8) + <: + t_Slice u8) + in + ciphertext + let serialize_secret_key (v_K v_OUT_LEN: usize) (key: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) @@ -443,92 +529,6 @@ let serialize_public_key in public_key_serialized -let encrypt - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: t_Slice u8) - (message: t_Array u8 (sz 32)) - (randomness: t_Slice u8) - = - let tt_as_ntt:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - deserialize_public_key v_K - (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } - <: - Core.Ops.Range.t_RangeTo usize ] - <: - t_Slice u8) - in - let seed:t_Slice u8 = - public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - in - let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = - Libcrux.Kem.Kyber.Matrix.sample_matrix_A v_K - (into_padded_array (sz 34) seed <: t_Array u8 (sz 34)) - false - in - let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = into_padded_array (sz 33) randomness in - let r_as_ntt, domain_separator:(t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & - u8) = - sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input 0uy - in - let tmp0, tmp1, out:(t_Array u8 (sz 33) & u8 & - t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = - sample_ring_element_cbd v_K v_ETA2_RANDOMNESS_SIZE v_ETA2 prf_input domain_separator - in - let prf_input:t_Array u8 (sz 33) = tmp0 in - let domain_separator:u8 = tmp1 in - let error_1_:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = out in - let prf_input:t_Array u8 (sz 33) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator - in - let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE = - Libcrux.Kem.Kyber.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE - (Rust_primitives.unsize prf_input <: t_Slice u8) - in - let error_2_:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - Libcrux.Kem.Kyber.Sampling.sample_from_binomial_distribution v_ETA2 - (Rust_primitives.unsize prf_output <: t_Slice u8) - in - let u:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Libcrux.Kem.Kyber.Matrix.compute_vector_u v_K v_A_transpose r_as_ntt error_1_ - in - let message_as_ring_element:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - Libcrux.Kem.Kyber.Serialize.deserialize_then_decompress_message message - in - let v:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = - Libcrux.Kem.Kyber.Matrix.compute_ring_element_v v_K - tt_as_ntt - r_as_ntt - error_2_ - message_as_ring_element - in - let c1:t_Array u8 v_C1_LEN = - compress_then_serialize_u v_K v_C1_LEN v_U_COMPRESSION_FACTOR v_BLOCK_LEN u - in - let c2:t_Array u8 v_C2_LEN = - Libcrux.Kem.Kyber.Serialize.compress_then_serialize_ring_element_v v_V_COMPRESSION_FACTOR - v_C2_LEN - v - in - let (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE):t_Array u8 v_CIPHERTEXT_SIZE = - into_padded_array v_CIPHERTEXT_SIZE (Rust_primitives.unsize c1 <: t_Slice u8) - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext - ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (Core.Array.impl_23__as_slice v_C2_LEN c2 <: t_Slice u8) - <: - t_Slice u8) - in - ciphertext - let generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti index f476d9657..81393a922 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti @@ -52,6 +52,14 @@ val decrypt (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val encrypt + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: t_Slice u8) + (message: t_Array u8 (sz 32)) + (randomness: t_Slice u8) + : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + val serialize_secret_key (v_K v_OUT_LEN: usize) (key: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) @@ -63,14 +71,6 @@ val serialize_public_key (seed_for_a: t_Slice u8) : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val encrypt - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: t_Slice u8) - (message: t_Array u8 (sz 32)) - (randomness: t_Slice u8) - : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - val generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fst index 998e32e1e..87276fe9b 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fst @@ -3,6 +3,20 @@ module Libcrux.Kem.Kyber.Kyber1024 open Core open FStar.Mul +let decapsulate + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux.Kem.Kyber.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) (sz 1536) (sz 1408) + (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) secret_key ciphertext + +let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux.Kem.Kyber.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) + (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) = if Libcrux.Kem.Kyber.validate_public_key (sz 4) @@ -18,20 +32,6 @@ let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (s <: Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) -let decapsulate - (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) - (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) - = - Libcrux.Kem.Kyber.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) (sz 1536) (sz 1408) - (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) secret_key ciphertext - -let encapsulate - (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux.Kem.Kyber.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) - (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux.Kem.Kyber.generate_keypair (sz 4) (sz 1536) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fsti index 6d46bf638..fafa6c85a 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber1024.fsti @@ -71,11 +71,6 @@ let t_MlKem1024PrivateKey = Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168) unfold let t_MlKem1024PublicKey = Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568) -val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) - val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) @@ -88,6 +83,11 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) +val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568))) + Prims.l_True + (fun _ -> Prims.l_True) + val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fst index 02548a5b5..f86ddb2c0 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fst @@ -3,6 +3,20 @@ module Libcrux.Kem.Kyber.Kyber512 open Core open FStar.Mul +let decapsulate + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux.Kem.Kyber.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) (sz 768) (sz 640) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) secret_key ciphertext + +let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux.Kem.Kyber.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) + (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) = if Libcrux.Kem.Kyber.validate_public_key (sz 2) @@ -18,20 +32,6 @@ let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (s <: Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) -let decapsulate - (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) - (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) - = - Libcrux.Kem.Kyber.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) (sz 768) (sz 640) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) secret_key ciphertext - -let encapsulate - (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux.Kem.Kyber.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) - (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux.Kem.Kyber.generate_keypair (sz 2) (sz 768) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fsti index 0220c80d7..33108ba19 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber512.fsti @@ -71,11 +71,6 @@ let t_MlKem512PrivateKey = Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632) unfold let t_MlKem512PublicKey = Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800) -val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) - val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) @@ -88,6 +83,11 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) +val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800))) + Prims.l_True + (fun _ -> Prims.l_True) + val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fst index 62208cfc6..7b7edf6d7 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fst @@ -3,6 +3,20 @@ module Libcrux.Kem.Kyber.Kyber768 open Core open FStar.Mul +let decapsulate + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux.Kem.Kyber.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) (sz 1152) (sz 960) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) secret_key ciphertext + +let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux.Kem.Kyber.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) (sz 128) (sz 10) + (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) = if Libcrux.Kem.Kyber.validate_public_key (sz 3) @@ -18,20 +32,6 @@ let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (s <: Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) -let decapsulate - (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) - (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) - = - Libcrux.Kem.Kyber.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) (sz 1152) (sz 960) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) secret_key ciphertext - -let encapsulate - (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux.Kem.Kyber.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) (sz 128) (sz 10) - (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - let generate_key_pair (randomness: t_Array u8 (sz 64)) = Libcrux.Kem.Kyber.generate_keypair (sz 3) (sz 1152) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fsti index 6f9f11070..5f68851e0 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Kyber768.fsti @@ -71,11 +71,6 @@ let t_MlKem768PrivateKey = Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400) unfold let t_MlKem768PublicKey = Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184) -val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) - val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) @@ -88,6 +83,11 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) +val validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184))) + Prims.l_True + (fun _ -> Prims.l_True) + val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux.Kem.Kyber.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst index 74c2f2915..092e9aca2 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst @@ -314,62 +314,60 @@ let sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) = Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K in - let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = + let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = Libcrux.Kem.Kyber.Hash_functions.v_XOF_absorb v_K seeds in - let tmp0, out1:(Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K & t_Array (t_Array u8 (sz 504)) v_K - ) = - Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_three_blocks v_K xof_states + let randomness, new_state:(t_Array (t_Array u8 (sz 504)) v_K & + Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_three_blocks v_K xof_state in - let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = tmp0 in - let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in - let tmp0, tmp1, out2:(t_Array usize v_K & + let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = new_state in + let tmp0, tmp1, out:(t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) = sample_from_uniform_distribution_next v_K (sz 504) randomness sampled_coefficients out in let sampled_coefficients:t_Array usize v_K = tmp0 in let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in - let done:bool = out2 in - let done, out, sampled_coefficients, xof_states:(bool & + let done:bool = out in + let done, out, sampled_coefficients, xof_state:(bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = Rust_primitives.f_while_loop (fun temp_0_ -> - let done, out, sampled_coefficients, xof_states:(bool & + let done, out, sampled_coefficients, xof_state:(bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = temp_0_ in ~.done <: bool) - (done, out, sampled_coefficients, xof_states + (done, out, sampled_coefficients, xof_state <: (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K)) (fun temp_0_ -> - let done, out, sampled_coefficients, xof_states:(bool & + let done, out, sampled_coefficients, xof_state:(bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = temp_0_ in - let tmp0, out1:(Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K & - t_Array (t_Array u8 (sz 168)) v_K) = - Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_block v_K xof_states + let randomness, new_state:(t_Array (t_Array u8 (sz 168)) v_K & + Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_block v_K xof_state in - let xof_states:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = tmp0 in - let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in - let tmp0, tmp1, out2:(t_Array usize v_K & + let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = new_state in + let tmp0, tmp1, out:(t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) = sample_from_uniform_distribution_next v_K (sz 168) randomness sampled_coefficients out in let sampled_coefficients:t_Array usize v_K = tmp0 in let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in - let hoist25:bool = out2 in - let done:bool = hoist25 in - done, out, sampled_coefficients, xof_states + let hoist21:bool = out in + let done:bool = hoist21 in + done, out, sampled_coefficients, xof_state <: (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst index 6ef903d58..f252a83d4 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fst @@ -108,31 +108,6 @@ let serialize_kem_secret_key in out -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = - Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key v_K - (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeTo usize ] - <: - t_Slice u8) - in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - pk - (public_key.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - in - public_key =. public_key_serialized - let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -285,6 +260,31 @@ let encapsulate <: (Libcrux.Kem.Kyber.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + let pk:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + Libcrux.Kem.Kyber.Ind_cpa.deserialize_public_key v_K + (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeTo usize ] + <: + t_Slice u8) + in + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Libcrux.Kem.Kyber.Ind_cpa.serialize_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + pk + (public_key.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + in + public_key =. public_key_serialized + let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fsti index 0e9ad2744..45e259a23 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.fsti @@ -15,11 +15,6 @@ val serialize_kem_secret_key (private_key public_key implicit_rejection_value: t_Slice u8) : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -36,6 +31,11 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index d629e6d75..212656ea1 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -18,14 +18,14 @@ pub(crate) fn PRF(input: &[u8]) -> [u8; LEN] { // The following API uses the repeated squeeze API // The first version uses Scalar SHAKE 128 -pub(crate) enum XofState { +pub(crate) enum XofState { X2(digest::Shake128StateX2), X3(digest::Shake128StateX3), X4(digest::Shake128StateX4), } #[inline(always)] -pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { +pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { match K as u8 { 2 => {let mut state = digest::shake128_init_x2(); digest::shake128_absorb_final_x2(&mut state, &input[0], &input[1]); @@ -42,8 +42,8 @@ pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { #[inline(always)] pub(crate) fn XOF_squeeze_three_blocks( - xof_state: XofState, -) -> ([[u8; 168 * 3]; K],XofState) { + xof_state: XofState, +) -> ([[u8; 168 * 3]; K],XofState) { let mut output = [[0; 168 * 3]; K]; match (K as u8, xof_state) { (2, XofState::X2(mut st)) => { @@ -73,8 +73,8 @@ pub(crate) fn XOF_squeeze_three_blocks( #[inline(always)] pub(crate) fn XOF_squeeze_block( - xof_state: XofState, -) -> ([[u8; 168]; K],XofState) { + xof_state: XofState, +) -> ([[u8; 168]; K],XofState) { let mut output = [[0; 168]; K]; match (K as u8, xof_state) { (2, XofState::X2(mut st)) => { From 7b77f639e4fcd7811089914f89a91175f89c4f61 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 28 Feb 2024 08:50:06 +0100 Subject: [PATCH 17/28] fixup kyber-crate.sh --- kyber-crate.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kyber-crate.sh b/kyber-crate.sh index d4684b8c5..028fc72ce 100755 --- a/kyber-crate.sh +++ b/kyber-crate.sh @@ -90,5 +90,6 @@ if [[ -n "$HACL_PACKAGES_HOME" ]]; then cp internal/*.h $HACL_PACKAGES_HOME/libcrux/include/internal/ cp *.h $HACL_PACKAGES_HOME/libcrux/include cp *.c $HACL_PACKAGES_HOME/libcrux/src +else + echo "Please set HACL_PACKAGES_HOME to the hacl-packages directory to copy the code over" 1>&2 fi -echo "Please set HACL_PACKAGES_HOME to the hacl-packages directory to copy the code over" 1>&2 From 0dc5d74bdcc2fbce12be9484e48e725710feeab0 Mon Sep 17 00:00:00 2001 From: Karthik Bhargavan Date: Wed, 28 Feb 2024 10:14:32 +0100 Subject: [PATCH 18/28] fixes for avx2/linux --- src/digest.rs | 21 +++++++++++++++------ src/hacl/sha3.rs | 4 +--- sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c | 5 ++--- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/src/digest.rs b/src/digest.rs index 4065f7167..50c21fb49 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -387,14 +387,14 @@ pub fn shake128_squeeze_nblocks( /// SHAKE 128 Incremental API (SIMD) #[cfg(simd256)] -pub struct Shake128StateX4(sha3::incremental::Shake128StateX4); +pub struct Shake128StateX4(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] pub struct Shake128StateX4([sha3::incremental::Shake128State;4]); #[cfg(simd256)] pub fn shake128_init_x4() -> Shake128StateX4 { - Shake128StateX4(sha3::incremental_x4::Shake128StateX4::new()) + Shake128StateX4(sha3::incremental_x4::Shake128StateX4::new()) } #[cfg(not(simd256))] @@ -475,7 +475,7 @@ pub fn shake128_squeeze_nblocks_x4( /// SHAKE 128 Incremental API (SIMD) #[cfg(simd256)] -pub struct Shake128StateX2(sha3::incremental::Shake128StateX4); +pub struct Shake128StateX2(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] pub struct Shake128StateX2([sha3::incremental::Shake128State;2]); @@ -534,7 +534,11 @@ pub fn shake128_absorb_final_x2( pub fn shake128_squeeze_nblocks_x2( st: &mut Shake128StateX2, ) -> [[u8; OUTPUT_BYTES]; 2] { - st.0.squeeze_nblocks()[0..1] + let mut output = [[0u8;OUTPUT_BYTES];2]; + let tmp = st.0.squeeze_nblocks(); + output[0] = tmp[0]; + output[1] = tmp[1]; + output } #[cfg(not(simd256))] @@ -548,7 +552,7 @@ pub fn shake128_squeeze_nblocks_x2( /// SHAKE 128 Incremental API (SIMD) #[cfg(simd256)] -pub struct Shake128StateX3(sha3::incremental::Shake128StateX4); +pub struct Shake128StateX3(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] pub struct Shake128StateX3([sha3::incremental::Shake128State;3]); @@ -614,7 +618,12 @@ pub fn shake128_absorb_final_x3( pub fn shake128_squeeze_nblocks_x3( st: &mut Shake128StateX3, ) -> [[u8; OUTPUT_BYTES]; 3] { - st.0.squeeze_nblocks()[0..2] + let mut output = [[0u8;OUTPUT_BYTES];3]; + let tmp = st.0.squeeze_nblocks(); + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; + output } #[cfg(not(simd256))] diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index c231f3bbf..044f607ef 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -314,7 +314,6 @@ pub mod incremental_x4 { impl Shake128StateX4 { pub fn new() -> Self { - println!("allocating shake128statex4 state"); let state = Self { state: unsafe { Hacl_Hash_SHA3_Simd256_state_malloc() }, }; @@ -349,7 +348,7 @@ pub mod incremental_x4 { } pub fn absorb_final(&mut self, input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) { - println!("absorbing shake128statex4 state"); + debug_assert!( input0.len() == input1.len() && input0.len() == input2.len() @@ -387,7 +386,6 @@ pub mod incremental_x4 { } impl Drop for Shake128StateX4 { fn drop(&mut self) { - println!("dropping shake128statex4 state"); unsafe { Hacl_Hash_SHA3_Simd256_state_free(self.state) } } } diff --git a/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c b/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c index 91fe6695b..76938112e 100644 --- a/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c +++ b/sys/hacl/c/src/Hacl_Hash_SHA3_Simd256.c @@ -9919,7 +9919,7 @@ Hacl_Hash_SHA3_Simd256_sha3_512( Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_SHA3_Simd256_state_malloc(void) { - Lib_IntVector_Intrinsics_vec256 *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32,25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + Lib_IntVector_Intrinsics_vec256 *buf = (Lib_IntVector_Intrinsics_vec256 *)KRML_ALIGNED_MALLOC(32, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); for (int i = 0; i < 25; i++){ buf[i] = Lib_IntVector_Intrinsics_vec256_zero; } @@ -10626,8 +10626,7 @@ Hacl_Hash_SHA3_Simd256_shake128_absorb_final( ws[31U] = ws310; for (uint32_t i = 0U; i < 25U; i++) { - Lib_IntVector_Intrinsics_vec256 tmp = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws[i]); - state[i] = tmp; + state[i] = Lib_IntVector_Intrinsics_vec256_xor(state[i], ws[i]); } uint8_t b04[256U] = { 0U }; uint8_t b14[256U] = { 0U }; From e3361fa041f2de8bc01962c6ee8053d479e16923 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Wed, 28 Feb 2024 11:36:53 +0100 Subject: [PATCH 19/28] merged --- Cargo.toml | 2 +- proofs/fstar/extraction/Libcrux.Digest.fsti | 6 +-- .../Libcrux.Kem.Kyber.Hash_functions.fst | 38 +++++++------------ .../Libcrux.Kem.Kyber.Hash_functions.fsti | 18 ++++----- .../extraction/Libcrux.Kem.Kyber.Sampling.fst | 28 +++++++------- src/digest.rs | 7 ++++ 6 files changed, 47 insertions(+), 52 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index a9fbcfd09..fb18859de 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -47,7 +47,7 @@ wasm-bindgen = { version = "0.2.87", optional = true } # When using the hax toolchain, we have more dependencies. # This is only required when doing proofs. [target.'cfg(hax)'.dependencies] -hax-lib-macros = { version = "0.1.0-pre.1", git = "https://github.com/hacspec/hax" } +hax-lib-macros = { version = "0.1.0-pre.1", git = "https://github.com/hacspec/hax", branch = "main" } hax-lib = { version = "0.1.0-pre.1", git = "https://github.com/hacspec/hax/", branch = "main" } [target.'cfg(all(not(target_os = "windows"), target_arch = "x86_64", libjade))'.dependencies] diff --git a/proofs/fstar/extraction/Libcrux.Digest.fsti b/proofs/fstar/extraction/Libcrux.Digest.fsti index 151a84907..4997246d1 100644 --- a/proofs/fstar/extraction/Libcrux.Digest.fsti +++ b/proofs/fstar/extraction/Libcrux.Digest.fsti @@ -12,11 +12,11 @@ val sha3_512_ (payload: t_Slice u8) val shake256 (v_LEN: usize) (data: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -type t_Shake128StateX2 = +val t_Shake128StateX2:Type -type t_Shake128StateX3 = +val t_Shake128StateX3:Type -type t_Shake128StateX4 = +val t_Shake128StateX4:Type val shake128_absorb_final_x2 (st: t_Shake128StateX2) (data0 data1: t_Slice u8) : Prims.Pure t_Shake128StateX2 Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst index b87b1ff40..d0e2258fd 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst @@ -18,7 +18,7 @@ let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) in - XofState_X2 state <: t_XofState v_K + XofState_X2 state <: t_XofState | 3uy -> let state:Libcrux.Digest.t_Shake128StateX3 = Libcrux.Digest.shake128_init_x3 () in let state:Libcrux.Digest.t_Shake128StateX3 = @@ -27,7 +27,7 @@ let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) in - XofState_X3 state <: t_XofState v_K + XofState_X3 state <: t_XofState | 4uy -> let state:Libcrux.Digest.t_Shake128StateX4 = Libcrux.Digest.shake128_init_x4 () in let state:Libcrux.Digest.t_Shake128StateX4 = @@ -37,18 +37,18 @@ let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 3 ] <: t_Array u8 (sz 34)) <: t_Slice u8) in - XofState_X4 state <: t_XofState v_K + XofState_X4 state <: t_XofState | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" <: Rust_primitives.Hax.t_Never) -let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = +let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) = let output:t_Array (t_Array u8 (sz 168)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K in - match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState v_K) with + match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState) with | 2uy, XofState_X2 st -> let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 168)) (sz 2)) = Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 168) st @@ -65,9 +65,7 @@ let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = (sz 1) (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) in - output, (XofState_X2 st <: t_XofState v_K) - <: - (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) + output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) | 3uy, XofState_X3 st -> let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 168)) (sz 3)) = Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 168) st @@ -89,9 +87,7 @@ let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = (sz 2) (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) in - output, (XofState_X3 st <: t_XofState v_K) - <: - (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) + output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) | 4uy, XofState_X4 st -> let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) (sz 4)) = Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 168) st @@ -118,20 +114,18 @@ let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) = (sz 3) (tmp.[ sz 3 ] <: t_Array u8 (sz 168)) in - output, (XofState_X4 st <: t_XofState v_K) - <: - (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) + output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" <: Rust_primitives.Hax.t_Never) -let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = +let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState) = let output:t_Array (t_Array u8 (sz 504)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K in - match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState v_K) with + match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState) with | 2uy, XofState_X2 st -> let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 504)) (sz 2)) = Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 504) st @@ -148,9 +142,7 @@ let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = (sz 1) (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) in - output, (XofState_X2 st <: t_XofState v_K) - <: - (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) + output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) | 3uy, XofState_X3 st -> let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 504)) (sz 3)) = Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 504) st @@ -172,9 +164,7 @@ let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = (sz 2) (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) in - output, (XofState_X3 st <: t_XofState v_K) - <: - (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) + output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) | 4uy, XofState_X4 st -> let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) (sz 4)) = Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 504) st @@ -201,9 +191,7 @@ let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) = (sz 3) (tmp.[ sz 3 ] <: t_Array u8 (sz 504)) in - output, (XofState_X4 st <: t_XofState v_K) - <: - (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) + output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti index c1f70a2b1..d6e7723ea 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti @@ -10,20 +10,20 @@ val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun val v_PRF (v_LEN: usize) (input: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) -type t_XofState (v_K: usize) = - | XofState_X2 : Libcrux.Digest.t_Shake128StateX2 -> t_XofState v_K - | XofState_X3 : Libcrux.Digest.t_Shake128StateX3 -> t_XofState v_K - | XofState_X4 : Libcrux.Digest.t_Shake128StateX4 -> t_XofState v_K +type t_XofState = + | XofState_X2 : Libcrux.Digest.t_Shake128StateX2 -> t_XofState + | XofState_X3 : Libcrux.Digest.t_Shake128StateX3 -> t_XofState + | XofState_X4 : Libcrux.Digest.t_Shake128StateX4 -> t_XofState val v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) - : Prims.Pure (t_XofState v_K) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure t_XofState Prims.l_True (fun _ -> Prims.l_True) -val v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState v_K) - : Prims.Pure (t_Array (t_Array u8 (sz 168)) v_K & t_XofState v_K) +val v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) + : Prims.Pure (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) Prims.l_True (fun _ -> Prims.l_True) -val v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState v_K) - : Prims.Pure (t_Array (t_Array u8 (sz 504)) v_K & t_XofState v_K) +val v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState) + : Prims.Pure (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst index 092e9aca2..bbaecad87 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst @@ -314,64 +314,64 @@ let sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) = Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K in - let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = + let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState = Libcrux.Kem.Kyber.Hash_functions.v_XOF_absorb v_K seeds in let randomness, new_state:(t_Array (t_Array u8 (sz 504)) v_K & - Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + Libcrux.Kem.Kyber.Hash_functions.t_XofState) = Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_three_blocks v_K xof_state in - let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = new_state in - let tmp0, tmp1, out:(t_Array usize v_K & + let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState = new_state in + let tmp0, tmp1, out1:(t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) = sample_from_uniform_distribution_next v_K (sz 504) randomness sampled_coefficients out in let sampled_coefficients:t_Array usize v_K = tmp0 in let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in - let done:bool = out in + let done:bool = out1 in let done, out, sampled_coefficients, xof_state:(bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & - Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + Libcrux.Kem.Kyber.Hash_functions.t_XofState) = Rust_primitives.f_while_loop (fun temp_0_ -> let done, out, sampled_coefficients, xof_state:(bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & - Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + Libcrux.Kem.Kyber.Hash_functions.t_XofState) = temp_0_ in ~.done <: bool) (done, out, sampled_coefficients, xof_state <: (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & - Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K)) + Libcrux.Kem.Kyber.Hash_functions.t_XofState)) (fun temp_0_ -> let done, out, sampled_coefficients, xof_state:(bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & - Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + Libcrux.Kem.Kyber.Hash_functions.t_XofState) = temp_0_ in let randomness, new_state:(t_Array (t_Array u8 (sz 168)) v_K & - Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K) = + Libcrux.Kem.Kyber.Hash_functions.t_XofState) = Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_block v_K xof_state in - let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K = new_state in - let tmp0, tmp1, out:(t_Array usize v_K & + let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState = new_state in + let tmp0, tmp1, out1:(t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) = sample_from_uniform_distribution_next v_K (sz 168) randomness sampled_coefficients out in let sampled_coefficients:t_Array usize v_K = tmp0 in let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in - let hoist21:bool = out in + let hoist21:bool = out1 in let done:bool = hoist21 in done, out, sampled_coefficients, xof_state <: (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & - Libcrux.Kem.Kyber.Hash_functions.t_XofState v_K)) + Libcrux.Kem.Kyber.Hash_functions.t_XofState)) in let _:Prims.unit = () <: Prims.unit in out diff --git a/src/digest.rs b/src/digest.rs index 50c21fb49..0d4ca518c 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -365,6 +365,7 @@ pub fn shake128(data: &[u8]) -> [u8; LEN] { } /// SHAKE 128 Incremental API (Scalar - SIMD X4) +#[cfg_attr(hax, hax_lib_macros::opaque_type)] pub struct Shake128State(sha3::incremental::Shake128State); pub fn shake128_init() -> Shake128State { @@ -387,9 +388,11 @@ pub fn shake128_squeeze_nblocks( /// SHAKE 128 Incremental API (SIMD) #[cfg(simd256)] +#[cfg_attr(hax, hax_lib_macros::opaque_type)] pub struct Shake128StateX4(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] +#[cfg_attr(hax, hax_lib_macros::opaque_type)] pub struct Shake128StateX4([sha3::incremental::Shake128State;4]); #[cfg(simd256)] @@ -475,9 +478,11 @@ pub fn shake128_squeeze_nblocks_x4( /// SHAKE 128 Incremental API (SIMD) #[cfg(simd256)] +#[cfg_attr(hax, hax_lib_macros::opaque_type)] pub struct Shake128StateX2(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] +#[cfg_attr(hax, hax_lib_macros::opaque_type)] pub struct Shake128StateX2([sha3::incremental::Shake128State;2]); #[cfg(simd256)] @@ -552,9 +557,11 @@ pub fn shake128_squeeze_nblocks_x2( /// SHAKE 128 Incremental API (SIMD) #[cfg(simd256)] +#[cfg_attr(hax, hax_lib_macros::opaque_type)] pub struct Shake128StateX3(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] +#[cfg_attr(hax, hax_lib_macros::opaque_type)] pub struct Shake128StateX3([sha3::incremental::Shake128State;3]); #[cfg(simd256)] From 9983cc23a0bd03f557b2c1d8f467924f2d21e0fc Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Thu, 29 Feb 2024 11:45:02 +0100 Subject: [PATCH 20/28] rust format --- src/digest.rs | 68 ++++++++++++++------------------- src/hacl/sha3.rs | 9 ++--- src/kem/kyber/hash_functions.rs | 62 ++++++++++++++++-------------- src/kem/kyber/sampling.rs | 2 +- 4 files changed, 67 insertions(+), 74 deletions(-) diff --git a/src/digest.rs b/src/digest.rs index 0d4ca518c..324498574 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -393,19 +393,21 @@ pub struct Shake128StateX4(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] #[cfg_attr(hax, hax_lib_macros::opaque_type)] -pub struct Shake128StateX4([sha3::incremental::Shake128State;4]); +pub struct Shake128StateX4([sha3::incremental::Shake128State; 4]); #[cfg(simd256)] pub fn shake128_init_x4() -> Shake128StateX4 { - Shake128StateX4(sha3::incremental_x4::Shake128StateX4::new()) + Shake128StateX4(sha3::incremental_x4::Shake128StateX4::new()) } #[cfg(not(simd256))] pub fn shake128_init_x4() -> Shake128StateX4 { - Shake128StateX4([sha3::incremental::Shake128State::new(), - sha3::incremental::Shake128State::new(), - sha3::incremental::Shake128State::new(), - sha3::incremental::Shake128State::new()]) + Shake128StateX4([ + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + ]) } #[cfg(simd256)] @@ -473,7 +475,7 @@ pub fn shake128_squeeze_nblocks_x4( let out1: [u8; OUTPUT_BYTES] = st.0[1].squeeze_nblocks(); let out2: [u8; OUTPUT_BYTES] = st.0[2].squeeze_nblocks(); let out3: [u8; OUTPUT_BYTES] = st.0[3].squeeze_nblocks(); - [out0,out1,out2,out3] + [out0, out1, out2, out3] } /// SHAKE 128 Incremental API (SIMD) @@ -483,7 +485,7 @@ pub struct Shake128StateX2(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] #[cfg_attr(hax, hax_lib_macros::opaque_type)] -pub struct Shake128StateX2([sha3::incremental::Shake128State;2]); +pub struct Shake128StateX2([sha3::incremental::Shake128State; 2]); #[cfg(simd256)] pub fn shake128_init_x2() -> Shake128StateX2 { @@ -492,45 +494,30 @@ pub fn shake128_init_x2() -> Shake128StateX2 { #[cfg(not(simd256))] pub fn shake128_init_x2() -> Shake128StateX2 { - Shake128StateX2([sha3::incremental::Shake128State::new(), - sha3::incremental::Shake128State::new(), - ]) + Shake128StateX2([ + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + ]) } #[cfg(simd256)] -pub fn shake128_absorb_nblocks_x2( - st: &mut Shake128StateX2, - data0: &[u8], - data1: &[u8], -) { +pub fn shake128_absorb_nblocks_x2(st: &mut Shake128StateX2, data0: &[u8], data1: &[u8]) { st.0.absorb_nblocks(data0, data1, data0, data1); } #[cfg(not(simd256))] -pub fn shake128_absorb_nblocks_x2( - st: &mut Shake128StateX2, - data0: &[u8], - data1: &[u8], -) { +pub fn shake128_absorb_nblocks_x2(st: &mut Shake128StateX2, data0: &[u8], data1: &[u8]) { st.0[0].absorb_nblocks(data0); st.0[1].absorb_nblocks(data1); } #[cfg(simd256)] -pub fn shake128_absorb_final_x2( - st: &mut Shake128StateX2, - data0: &[u8], - data1: &[u8], -) { +pub fn shake128_absorb_final_x2(st: &mut Shake128StateX2, data0: &[u8], data1: &[u8]) { st.0.absorb_final(data0, data1, data0, data1); } #[cfg(not(simd256))] -pub fn shake128_absorb_final_x2( - st: &mut Shake128StateX2, - data0: &[u8], - data1: &[u8], -) { +pub fn shake128_absorb_final_x2(st: &mut Shake128StateX2, data0: &[u8], data1: &[u8]) { st.0[0].absorb_final(data0); st.0[1].absorb_final(data1); } @@ -539,7 +526,7 @@ pub fn shake128_absorb_final_x2( pub fn shake128_squeeze_nblocks_x2( st: &mut Shake128StateX2, ) -> [[u8; OUTPUT_BYTES]; 2] { - let mut output = [[0u8;OUTPUT_BYTES];2]; + let mut output = [[0u8; OUTPUT_BYTES]; 2]; let tmp = st.0.squeeze_nblocks(); output[0] = tmp[0]; output[1] = tmp[1]; @@ -552,7 +539,7 @@ pub fn shake128_squeeze_nblocks_x2( ) -> [[u8; OUTPUT_BYTES]; 2] { let out0: [u8; OUTPUT_BYTES] = st.0[0].squeeze_nblocks(); let out1: [u8; OUTPUT_BYTES] = st.0[1].squeeze_nblocks(); - [out0,out1] + [out0, out1] } /// SHAKE 128 Incremental API (SIMD) @@ -562,7 +549,7 @@ pub struct Shake128StateX3(sha3::incremental_x4::Shake128StateX4); #[cfg(not(simd256))] #[cfg_attr(hax, hax_lib_macros::opaque_type)] -pub struct Shake128StateX3([sha3::incremental::Shake128State;3]); +pub struct Shake128StateX3([sha3::incremental::Shake128State; 3]); #[cfg(simd256)] pub fn shake128_init_x3() -> Shake128StateX3 { @@ -571,10 +558,11 @@ pub fn shake128_init_x3() -> Shake128StateX3 { #[cfg(not(simd256))] pub fn shake128_init_x3() -> Shake128StateX3 { - Shake128StateX3([sha3::incremental::Shake128State::new(), - sha3::incremental::Shake128State::new(), - sha3::incremental::Shake128State::new(), - ]) + Shake128StateX3([ + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + sha3::incremental::Shake128State::new(), + ]) } #[cfg(simd256)] @@ -625,7 +613,7 @@ pub fn shake128_absorb_final_x3( pub fn shake128_squeeze_nblocks_x3( st: &mut Shake128StateX3, ) -> [[u8; OUTPUT_BYTES]; 3] { - let mut output = [[0u8;OUTPUT_BYTES];3]; + let mut output = [[0u8; OUTPUT_BYTES]; 3]; let tmp = st.0.squeeze_nblocks(); output[0] = tmp[0]; output[1] = tmp[1]; @@ -640,7 +628,7 @@ pub fn shake128_squeeze_nblocks_x3( let out0: [u8; OUTPUT_BYTES] = st.0[0].squeeze_nblocks(); let out1: [u8; OUTPUT_BYTES] = st.0[1].squeeze_nblocks(); let out2: [u8; OUTPUT_BYTES] = st.0[2].squeeze_nblocks(); - [out0,out1,out2] + [out0, out1, out2] } /// SHAKE 256 diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index 044f607ef..d911d96db 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -330,8 +330,8 @@ pub mod incremental_x4 { ) { debug_assert!( input0.len() == input1.len() - && input0.len() == input2.len() - && input0.len() == input3.len() + && input0.len() == input2.len() + && input0.len() == input3.len() ); debug_assert!(input0.len() % 168 == 0); @@ -348,11 +348,10 @@ pub mod incremental_x4 { } pub fn absorb_final(&mut self, input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) { - debug_assert!( input0.len() == input1.len() - && input0.len() == input2.len() - && input0.len() == input3.len() + && input0.len() == input2.len() + && input0.len() == input3.len() ); debug_assert!(input0.len() < 168); diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index 212656ea1..4533b4f74 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -27,77 +27,83 @@ pub(crate) enum XofState { #[inline(always)] pub(crate) fn XOF_absorb(input: [[u8; 34]; K]) -> XofState { match K as u8 { - 2 => {let mut state = digest::shake128_init_x2(); - digest::shake128_absorb_final_x2(&mut state, &input[0], &input[1]); - XofState::X2(state)}, - 3 => {let mut state = digest::shake128_init_x3(); - digest::shake128_absorb_final_x3(&mut state, &input[0], &input[1], &input[2]); - XofState::X3(state)}, - 4 => {let mut state = digest::shake128_init_x4(); - digest::shake128_absorb_final_x4(&mut state, &input[0], &input[1], &input[2], &input[3]); - XofState::X4(state)}, - _ => unreachable!() + 2 => { + let mut state = digest::shake128_init_x2(); + digest::shake128_absorb_final_x2(&mut state, &input[0], &input[1]); + XofState::X2(state) } + 3 => { + let mut state = digest::shake128_init_x3(); + digest::shake128_absorb_final_x3(&mut state, &input[0], &input[1], &input[2]); + XofState::X3(state) + } + 4 => { + let mut state = digest::shake128_init_x4(); + digest::shake128_absorb_final_x4( + &mut state, &input[0], &input[1], &input[2], &input[3], + ); + XofState::X4(state) + } + _ => unreachable!(), + } } #[inline(always)] pub(crate) fn XOF_squeeze_three_blocks( xof_state: XofState, -) -> ([[u8; 168 * 3]; K],XofState) { +) -> ([[u8; 168 * 3]; K], XofState) { let mut output = [[0; 168 * 3]; K]; match (K as u8, xof_state) { (2, XofState::X2(mut st)) => { let tmp = digest::shake128_squeeze_nblocks_x2::<504>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; - (output,XofState::X2(st)) - }, + (output, XofState::X2(st)) + } (3, XofState::X3(mut st)) => { let tmp = digest::shake128_squeeze_nblocks_x3::<504>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; output[2] = tmp[2]; - (output,XofState::X3(st)) - }, + (output, XofState::X3(st)) + } (4, XofState::X4(mut st)) => { let tmp = digest::shake128_squeeze_nblocks_x4::<504>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; output[2] = tmp[2]; output[3] = tmp[3]; - (output,XofState::X4(st)) - }, - _ => unreachable!() + (output, XofState::X4(st)) + } + _ => unreachable!(), } } #[inline(always)] -pub(crate) fn XOF_squeeze_block( - xof_state: XofState, -) -> ([[u8; 168]; K],XofState) { +pub(crate) fn XOF_squeeze_block(xof_state: XofState) -> ([[u8; 168]; K], XofState) { let mut output = [[0; 168]; K]; match (K as u8, xof_state) { (2, XofState::X2(mut st)) => { let tmp = digest::shake128_squeeze_nblocks_x2::<168>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; - (output,XofState::X2(st)) - }, + (output, XofState::X2(st)) + } (3, XofState::X3(mut st)) => { let tmp = digest::shake128_squeeze_nblocks_x3::<168>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; output[2] = tmp[2]; - (output,XofState::X3(st)) - }, + (output, XofState::X3(st)) + } (4, XofState::X4(mut st)) => { let tmp = digest::shake128_squeeze_nblocks_x4::<168>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; output[2] = tmp[2]; output[3] = tmp[3]; - (output,XofState::X4(st)) - }, - _ => unreachable!() + (output, XofState::X4(st)) + } + _ => unreachable!(), } } diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs index 194a16c95..59e3bc8c1 100644 --- a/src/kem/kyber/sampling.rs +++ b/src/kem/kyber/sampling.rs @@ -80,7 +80,7 @@ pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingE let mut out: [PolynomialRingElement; K] = [PolynomialRingElement::ZERO; K]; let mut xof_state = XOF_absorb::(seeds); - let (randomness,new_state) = XOF_squeeze_three_blocks(xof_state); + let (randomness, new_state) = XOF_squeeze_three_blocks(xof_state); xof_state = new_state; let mut done = From c1f20583af3d872996f00561965ad884daa01574 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Thu, 29 Feb 2024 12:59:11 +0100 Subject: [PATCH 21/28] new patches --- proofs/fstar/extraction-edited.patch | 992 +++++++++++++----- .../fstar/extraction-secret-independent.patch | 128 +-- 2 files changed, 797 insertions(+), 323 deletions(-) diff --git a/proofs/fstar/extraction-edited.patch b/proofs/fstar/extraction-edited.patch index 364f5582c..32f75bffd 100644 --- a/proofs/fstar/extraction-edited.patch +++ b/proofs/fstar/extraction-edited.patch @@ -1,6 +1,6 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst --- extraction/BitVecEq.fst 1970-01-01 01:00:00 -+++ extraction-edited/BitVecEq.fst 2024-02-22 11:01:52 ++++ extraction-edited/BitVecEq.fst 2024-02-29 12:58:34 @@ -0,0 +1,12 @@ +module BitVecEq + @@ -16,7 +16,7 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst + diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti --- extraction/BitVecEq.fsti 1970-01-01 01:00:00 -+++ extraction-edited/BitVecEq.fsti 2024-02-22 11:01:52 ++++ extraction-edited/BitVecEq.fsti 2024-02-29 12:58:35 @@ -0,0 +1,294 @@ +module BitVecEq +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -312,62 +312,10 @@ diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti + (ensures int_arr_bitwise_eq_range arr1 d arr2 d (n_offset1 * d) (n_offset2 * d) bits) + = admit () +*) -diff -ruN extraction/Libcrux.Digest.fst extraction-edited/Libcrux.Digest.fst ---- extraction/Libcrux.Digest.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Digest.fst 1970-01-01 01:00:00 -@@ -1,48 +0,0 @@ --module Libcrux.Digest --#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" --open Core --open FStar.Mul -- --let sha3_256_ (payload: t_Slice u8) = Libcrux.Hacl.Sha3.sha256 payload -- --let sha3_512_ (payload: t_Slice u8) = Libcrux.Hacl.Sha3.sha512 payload -- --let shake128 (v_LEN: usize) (data: t_Slice u8) = Libcrux.Hacl.Sha3.shake128 v_LEN data -- --let shake256 (v_LEN: usize) (data: t_Slice u8) = Libcrux.Hacl.Sha3.shake256 v_LEN data -- --let shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = -- let input_len:usize = Core.Slice.impl__len data0 in -- let _:Prims.unit = -- if true -- then -- let _:Prims.unit = -- if -- ~.((input_len =. (Core.Slice.impl__len data1 <: usize) <: bool) && -- (input_len =. (Core.Slice.impl__len data2 <: usize) <: bool) && -- (input_len =. (Core.Slice.impl__len data3 <: usize) <: bool) && -- (input_len <=. (cast (Core.Num.impl__u32__MAX <: u32) <: usize) <: bool) && -- (v_LEN <=. (cast (Core.Num.impl__u32__MAX <: u32) <: usize) <: bool)) -- then -- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: input_len == data1.len() && input_len == data2.len() &&\\n input_len == data3.len() && input_len <= u32::MAX as usize &&\\n LEN <= u32::MAX as usize" -- -- <: -- Rust_primitives.Hax.t_Never) -- in -- () -- in -- let digest0:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data0 in -- let digest1:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data1 in -- let digest2:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data2 in -- let digest3:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data3 in -- digest0, digest1, digest2, digest3 -- <: -- (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) -- --let shake128x4_256_ (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = -- shake128x4_portable v_LEN data0 data1 data2 data3 -- --let shake128x4 (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = -- if Libcrux_platform.Platform.simd256_support () -- then shake128x4_256_ v_LEN data0 data1 data2 data3 -- else shake128x4_portable v_LEN data0 data1 data2 data3 diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti ---- extraction/Libcrux.Digest.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Digest.fsti 2024-02-22 11:01:52 -@@ -3,6 +3,11 @@ +--- extraction/Libcrux.Digest.fsti 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Digest.fsti 2024-02-29 12:58:34 +@@ -3,50 +3,29 @@ open Core open FStar.Mul @@ -379,21 +327,60 @@ diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti val sha3_256_ (payload: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -@@ -16,11 +21,6 @@ + val sha3_512_ (payload: t_Slice u8) + : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) + ++val shake128 (v_LEN: usize) (data: t_Slice u8) ++ : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) ++ + val shake256 (v_LEN: usize) (data: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) - val shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) -- : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) +-val t_Shake128StateX2:Type +- +-val t_Shake128StateX3:Type +- +-val t_Shake128StateX4:Type +- +-val shake128_absorb_final_x2 (st: t_Shake128StateX2) (data0 data1: t_Slice u8) +- : Prims.Pure t_Shake128StateX2 Prims.l_True (fun _ -> Prims.l_True) +- +-val shake128_absorb_final_x3 (st: t_Shake128StateX3) (data0 data1 data2: t_Slice u8) +- : Prims.Pure t_Shake128StateX3 Prims.l_True (fun _ -> Prims.l_True) +- +-val shake128_absorb_final_x4 (st: t_Shake128StateX4) (data0 data1 data2 data3: t_Slice u8) +- : Prims.Pure t_Shake128StateX4 Prims.l_True (fun _ -> Prims.l_True) +- +-val shake128_init_x2: Prims.unit +- -> Prims.Pure t_Shake128StateX2 Prims.l_True (fun _ -> Prims.l_True) +- +-val shake128_init_x3: Prims.unit +- -> Prims.Pure t_Shake128StateX3 Prims.l_True (fun _ -> Prims.l_True) +- +-val shake128_init_x4: Prims.unit +- -> Prims.Pure t_Shake128StateX4 Prims.l_True (fun _ -> Prims.l_True) +- +-val shake128_squeeze_nblocks_x2 (v_OUTPUT_BYTES: usize) (st: t_Shake128StateX2) +- : Prims.Pure (t_Shake128StateX2 & t_Array (t_Array u8 v_OUTPUT_BYTES) (sz 2)) ++val shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) ++ : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) + Prims.l_True + (fun _ -> Prims.l_True) + +-val shake128_squeeze_nblocks_x3 (v_OUTPUT_BYTES: usize) (st: t_Shake128StateX3) +- : Prims.Pure (t_Shake128StateX3 & t_Array (t_Array u8 v_OUTPUT_BYTES) (sz 3)) - Prims.l_True - (fun _ -> Prims.l_True) - --val shake128x4_256_ (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) +-val shake128_squeeze_nblocks_x4 (v_OUTPUT_BYTES: usize) (st: t_Shake128StateX4) +- : Prims.Pure (t_Shake128StateX4 & t_Array (t_Array u8 v_OUTPUT_BYTES) (sz 4)) ++val shake128x4 (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) ++ : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-29 12:58:32 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-29 12:58:35 @@ -1,81 +1,364 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -799,8 +786,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + + diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-29 12:58:32 @@ -3,10 +3,32 @@ open Core open FStar.Mul @@ -1148,8 +1135,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux + + diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Kem.Kyber.Compress.fst ---- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-29 12:58:32 @@ -1,39 +1,79 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1253,8 +1240,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Ke + res <: Libcrux.Kem.Kyber.Arithmetic.i32_b 3328 +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.Kem.Kyber.Compress.fsti ---- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-29 12:58:34 @@ -3,8 +3,19 @@ open Core open FStar.Mul @@ -1320,8 +1307,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.K + (requires fe =. 0l || fe =. 1l) + (fun result -> v result >= 0 /\ v result < 3329) diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-29 12:58:28 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-29 12:58:32 @@ -4,56 +4,163 @@ open FStar.Mul @@ -1507,8 +1494,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + ) +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-29 12:58:32 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-29 12:58:35 @@ -20,7 +20,8 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1539,10 +1526,20 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/ - result =. rhs <: bool)) + Hax_lib.implies (selector =. 0uy <: bool) (fun _ -> result =. lhs <: bool) && + Hax_lib.implies (selector <>. 0uy <: bool) (fun _ -> result =. rhs <: bool)) +diff -ruN extraction/Libcrux.Kem.Kyber.Constants.fsti extraction-edited/Libcrux.Kem.Kyber.Constants.fsti +--- extraction/Libcrux.Kem.Kyber.Constants.fsti 2024-02-29 12:58:31 ++++ extraction-edited/Libcrux.Kem.Kyber.Constants.fsti 2024-02-29 12:58:34 +@@ -17,4 +17,6 @@ + + let v_H_DIGEST_SIZE: usize = sz 32 + ++let v_REJECTION_SAMPLING_SEED_SIZE: usize = sz 168 *! sz 5 ++ + let v_SHARED_SECRET_SIZE: usize = sz 32 diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-22 11:01:52 -@@ -3,13 +3,23 @@ +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-29 12:58:33 +@@ -3,197 +3,114 @@ open Core open FStar.Mul @@ -1564,39 +1561,292 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libc + admit(); // We assume that sha3_512 correctly implements H + res --let v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = +-let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = +- match cast (v_K <: usize) <: u8 with +- | 2uy -> +- let state:Libcrux.Digest.t_Shake128StateX2 = Libcrux.Digest.shake128_init_x2 () in +- let state:Libcrux.Digest.t_Shake128StateX2 = +- Libcrux.Digest.shake128_absorb_final_x2 state +- (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- in +- XofState_X2 state <: t_XofState +- | 3uy -> +- let state:Libcrux.Digest.t_Shake128StateX3 = Libcrux.Digest.shake128_init_x3 () in +- let state:Libcrux.Digest.t_Shake128StateX3 = +- Libcrux.Digest.shake128_absorb_final_x3 state +- (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- in +- XofState_X3 state <: t_XofState +- | 4uy -> +- let state:Libcrux.Digest.t_Shake128StateX4 = Libcrux.Digest.shake128_init_x4 () in +- let state:Libcrux.Digest.t_Shake128StateX4 = +- Libcrux.Digest.shake128_absorb_final_x4 state +- (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- (Rust_primitives.unsize (input.[ sz 3 ] <: t_Array u8 (sz 34)) <: t_Slice u8) +- in +- XofState_X4 state <: t_XofState +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never) +- +-let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) = +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K +let v_XOFx4 v_K (input: t_Array (t_Array u8 (sz 34)) v_K) = + assert (v v_K >= 2); - let out:t_Array (t_Array u8 (sz 840)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 840) <: t_Array u8 (sz 840)) v_K - in -@@ -56,6 +66,7 @@ - in - out - | 3uy -> ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 840) <: t_Array u8 (sz 840)) v_K + in +- match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState) with +- | 2uy, XofState_X2 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 168)) (sz 2)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 168) st +- in +- let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 168)) (sz 2) = out in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) +- in +- output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) +- | 3uy, XofState_X3 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 168)) (sz 3)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 168) st +- in +- let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 168)) (sz 3) = out in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 2) +- (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) +- in +- output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) +- | 4uy, XofState_X4 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) (sz 4)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 168) st +- in +- let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 168)) (sz 4) = out in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 2) +- (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 3) +- (tmp.[ sz 3 ] <: t_Array u8 (sz 168)) +- in +- output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never) +- +-let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState) = +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ if ~.(Libcrux_platform.Platform.simd256_support () <: bool) ++ then ++ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ ++ Core.Ops.Range.f_start = sz 0; ++ Core.Ops.Range.f_end = v_K ++ } ++ <: ++ Core.Ops.Range.t_Range usize) ++ <: ++ Core.Ops.Range.t_Range usize) ++ out ++ (fun out i -> ++ let out:t_Array (t_Array u8 (sz 840)) v_K = out in ++ let i:usize = i in ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out ++ i ++ (Libcrux.Digest.shake128 (sz 840) ++ (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ <: ++ t_Array u8 (sz 840)) ++ <: ++ t_Array (t_Array u8 (sz 840)) v_K) ++ else ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ match cast (v_K <: usize) <: u8 with ++ | 2uy -> ++ let d0, d1, _, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & ++ t_Array u8 (sz 840)) = ++ Libcrux.Digest.shake128x4 (sz 840) ++ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 ++ in ++ out ++ | 3uy -> + assert (v (cast v_K <: u8) = 3); - let d0, d1, d2, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux.Digest.shake128x4 (sz 840) -@@ -75,6 +86,7 @@ - in - out - | 4uy -> ++ let d0, d1, d2, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & ++ t_Array u8 (sz 840)) = ++ Libcrux.Digest.shake128x4 (sz 840) ++ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) d2 ++ in ++ out ++ | 4uy -> + assert (v (cast v_K <: u8) = 4); - let d0, d1, d2, d3:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux.Digest.shake128x4 (sz 840) -@@ -100,4 +112,5 @@ - in - out - in -- out ++ let d0, d1, d2, d3:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & ++ t_Array u8 (sz 840)) = ++ Libcrux.Digest.shake128x4 (sz 840) ++ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ (Rust_primitives.unsize (input.[ sz 3 ] <: t_Array u8 (sz 34)) <: t_Slice u8) ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) d2 ++ in ++ let out:t_Array (t_Array u8 (sz 840)) v_K = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) d3 ++ in ++ out ++ | _ -> out ++ in ++ out + in +- match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState) with +- | 2uy, XofState_X2 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 504)) (sz 2)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 504) st +- in +- let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 504)) (sz 2) = out in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) +- in +- output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) +- | 3uy, XofState_X3 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 504)) (sz 3)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 504) st +- in +- let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 504)) (sz 3) = out in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 2) +- (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) +- in +- output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) +- | 4uy, XofState_X4 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) (sz 4)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 504) st +- in +- let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 504)) (sz 4) = out in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 2) +- (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 3) +- (tmp.[ sz 3 ] <: t_Array u8 (sz 504)) +- in +- output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never) + admit(); // We assume that shake128x4 correctly implements XOFx4 + out diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-22 11:01:52 -@@ -3,12 +3,17 @@ +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-29 12:58:33 +@@ -3,27 +3,17 @@ open Core open FStar.Mul @@ -1611,8 +1861,23 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Lib val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) - --val v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) -- : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) +-type t_XofState = +- | XofState_X2 : Libcrux.Digest.t_Shake128StateX2 -> t_XofState +- | XofState_X3 : Libcrux.Digest.t_Shake128StateX3 -> t_XofState +- | XofState_X4 : Libcrux.Digest.t_Shake128StateX4 -> t_XofState +- +-val v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +- : Prims.Pure t_XofState Prims.l_True (fun _ -> Prims.l_True) +- +-val v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) +- : Prims.Pure (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) +- Prims.l_True +- (fun _ -> Prims.l_True) +- +-val v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState) +- : Prims.Pure (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) +- Prims.l_True +- (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True + (ensures (fun res -> res == Spec.Kyber.v_PRF v_LEN input)) + @@ -1621,8 +1886,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Lib + (ensures (fun res -> + (forall i. i < v v_K ==> Seq.index res i == Spec.Kyber.v_XOF (sz 840) (Seq.index input i)))) diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-29 12:58:34 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2326,8 +2591,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem + res + diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-29 12:58:32 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-29 12:58:34 @@ -1,80 +1,151 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2528,8 +2793,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + + diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-29 12:58:34 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) @@ -2563,8 +2828,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.K (sz 3168) (sz 1568) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-29 12:58:31 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-29 12:58:34 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) @@ -2598,8 +2863,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Ke (sz 1632) (sz 800) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-29 12:58:32 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) @@ -2633,8 +2898,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Ke (sz 2400) (sz 1184) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-29 12:58:33 @@ -74,14 +74,15 @@ val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) @@ -2660,8 +2925,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.K - (fun _ -> Prims.l_True) + (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem.Kyber.Matrix.fst ---- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-29 12:58:33 @@ -3,192 +3,188 @@ open Core open FStar.Mul @@ -3391,7 +3656,18 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. v_A_transpose in let i:usize = i in -@@ -496,11 +482,11 @@ +@@ -482,8 +468,8 @@ + in + seeds) + in +- let sampled:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Libcrux.Kem.Kyber.Sampling.sample_from_xof v_K seeds ++ let xof_bytes:t_Array (t_Array u8 (sz 840)) v_K = ++ Libcrux.Kem.Kyber.Hash_functions.v_XOFx4 v_K seeds + in + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; +@@ -496,40 +482,46 @@ v_A_transpose (fun v_A_transpose j -> let v_A_transpose:t_Array @@ -3400,12 +3676,11 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. v_A_transpose in let j:usize = j in -- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let sampled:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = - Libcrux.Kem.Kyber.Sampling.sample_from_uniform_distribution (xof_bytes.[ j ] - <: - t_Array u8 (sz 840)) -@@ -508,33 +494,34 @@ ++ Libcrux.Kem.Kyber.Sampling.sample_from_uniform_distribution (xof_bytes.[ j ] ++ <: ++ t_Array u8 (sz 840)) ++ in if transpose then let v_A_transpose:t_Array @@ -3419,7 +3694,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) i - sampled +- (sampled.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ sampled <: - t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) @@ -3437,7 +3713,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. - t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) j - sampled +- (sampled.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) ++ sampled <: - t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) @@ -3447,8 +3724,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + admit(); //P-F v_A_transpose diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-29 12:58:32 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-29 12:58:35 @@ -3,39 +3,71 @@ open Core open FStar.Mul @@ -3550,8 +3827,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem + if transpose then Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == matrix_A + else Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == Spec.Kyber.matrix_transpose matrix_A) diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyber.Ntt.fst ---- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-29 12:58:33 @@ -1,56 +1,130 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -4481,8 +4758,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + down_cast_poly_b #(8*3328) #3328 re +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-29 12:58:33 @@ -2,223 +2,80 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -4771,19 +5048,18 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky + (ensures fun _ -> True) + diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Kem.Kyber.Sampling.fst ---- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-22 11:01:52 -@@ -3,27 +3,34 @@ +--- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-29 12:58:33 +@@ -3,22 +3,34 @@ open Core open FStar.Mul --let rejection_sampling_panic_with_diagnostic (_: Prims.unit) = +let rejection_sampling_panic_with_diagnostic () : Prims.unit = + admit(); // This should never be reachable - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" - <: - Rust_primitives.Hax.t_Never) - ++ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" ++ <: ++ Rust_primitives.Hax.t_Never) ++ +#push-options "--ifuel 0 --z3rlimit 100" let sample_from_binomial_distribution_2_ (randomness: t_Slice u8) = - let (sampled: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement @@ -4821,7 +5097,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke let (random_bits_as_u32: u32):u32 = (((cast (byte_chunk.[ sz 0 ] <: u8) <: u32) |. ((cast (byte_chunk.[ sz 1 ] <: u8) <: u32) <>! outcome_set <: u32) &. 7ul <: u32) <: i32 -@@ -128,8 +173,22 @@ +@@ -123,8 +173,22 @@ <: i32 in @@ -5012,7 +5288,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke { sampled with Libcrux.Kem.Kyber.Arithmetic.f_coefficients -@@ -140,15 +199,18 @@ +@@ -135,15 +199,18 @@ (outcome_1_ -! outcome_2_ <: i32) } <: @@ -5032,60 +5308,79 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke match cast (v_ETA <: usize) <: u32 with | 2ul -> sample_from_binomial_distribution_2_ randomness | 3ul -> sample_from_binomial_distribution_3_ randomness -@@ -158,46 +220,62 @@ +@@ -153,225 +220,131 @@ <: Rust_primitives.Hax.t_Never) +-let sample_from_uniform_distribution_next +- (v_K v_N: usize) +- (randomness: t_Array (t_Array u8 v_N) v_K) +- (sampled_coefficients: t_Array usize v_K) +- (out: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- = +- let done:bool = true in +- let done, out, sampled_coefficients:(bool & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ +- Core.Ops.Range.f_start = sz 0; +- Core.Ops.Range.f_end = v_K +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) +#push-options "--z3rlimit 50" - let sample_from_uniform_distribution (randomness: t_Array u8 (sz 840)) = - let (sampled_coefficients: usize):usize = sz 0 in -- let (out: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++let sample_from_uniform_distribution (randomness: t_Array u8 (sz 840)) = ++ let (sampled_coefficients: usize):usize = sz 0 in + let (out: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement - = -- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO ++ = + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO - in - let done:bool = false in -- let done, out, sampled_coefficients:(bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & ++ in ++ let done:bool = false in + let acc_t = (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) in + [@ inline_let] + let inv = fun (acc:acc_t) -> True in + let sl : t_Slice u8 = randomness in + let chunk_len = sz 3 in + let done, out, sampled_coefficients:(bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & - usize) = -- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Slice.impl__chunks ( -- Rust_primitives.unsize randomness <: t_Slice u8) -- (sz 3) -- <: -- Core.Slice.Iter.t_Chunks u8) -- <: -- Core.Slice.Iter.t_Chunks u8) ++ usize) = + Rust_primitives.Iterators.fold_chunks_exact #u8 #acc_t #inv + sl + chunk_len (done, out, sampled_coefficients <: -- (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)) +- (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K +- )) +- (fun temp_0_ i -> + (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize)) - (fun temp_0_ bytes -> ++ (fun temp_0_ bytes -> let done, out, sampled_coefficients:(bool & -- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) = + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & - usize) = ++ usize) = temp_0_ in -- let bytes:t_Slice u8 = bytes in +- let i:usize = i in +- let out, sampled_coefficients:(t_Array +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Slice.impl__chunks +- (Rust_primitives.unsize (randomness.[ i ] <: t_Array u8 v_N) <: t_Slice u8) +- (sz 3) +- <: +- Core.Slice.Iter.t_Chunks u8) + let bytes:t_Array u8 chunk_len = bytes in - if ~.done <: bool - then - let b1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in - let b2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in - let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in ++ if ~.done <: bool ++ then ++ let b1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in ++ let b2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in ++ let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + assert(v b1 >= 0 /\ v b1 < pow2 8); + assert(v b2 >= 0 /\ v b2 < pow2 8); + assert(v b3 >= 0 /\ v b3 < pow2 8); - let d1:i32 = ((b2 &. 15l <: i32) <= v b1); + assert (v d1 >= 0); - let d2:i32 = (b3 <>! 4l <: i32) in -- let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & ++ let d2:i32 = (b3 <>! 4l <: i32) in + logor_lemma (b3 <>! 4l <: i32); + assert (v d2 >= v b3 * pow2 4); + assert (v d2 >= 0); + let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & - usize) = - if - d1 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && - sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then -- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = ++ usize) = ++ if ++ d1 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && ++ sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT ++ then + let out:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = - { - out with - Libcrux.Kem.Kyber.Arithmetic.f_coefficients -@@ -208,23 +286,23 @@ - d1 - } - <: -- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++ { ++ out with ++ Libcrux.Kem.Kyber.Arithmetic.f_coefficients ++ = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out ++ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients ++ sampled_coefficients ++ d1 ++ } ++ <: + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement - in - out, sampled_coefficients +! sz 1 ++ in ++ out, sampled_coefficients +! sz 1 <: -- (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) +- Core.Slice.Iter.t_Chunks u8) +- (out, sampled_coefficients + (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) - else - out, sampled_coefficients ++ else ++ out, sampled_coefficients <: -- (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K)) +- (fun temp_0_ bytes -> +- let out, sampled_coefficients:(t_Array +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) = +- temp_0_ +- in +- let bytes:t_Slice u8 = bytes in +- let b1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in +- let b2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in +- let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in +- let d1:i32 = ((b2 &. 15l <: i32) <>! 4l <: i32) in +- let out, sampled_coefficients:(t_Array +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) = +- if +- d1 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && +- (sampled_coefficients.[ i ] <: usize) <. +- Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT +- then +- let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out +- i +- ({ +- (out.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with +- Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out.[ i ] +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- (sampled_coefficients.[ i ] <: usize) +- d1 +- <: +- t_Array i32 (sz 256) +- } +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- in +- out, +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_coefficients +- i +- ((sampled_coefficients.[ i ] <: usize) +! sz 1 <: usize) +- <: +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) +- else +- out, sampled_coefficients +- <: +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) +- in +- if +- d2 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && +- (sampled_coefficients.[ i ] <: usize) <. +- Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT +- then +- let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out +- i +- ({ +- (out.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with +- Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out.[ i ] +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- (sampled_coefficients.[ i ] <: usize) +- d2 +- <: +- t_Array i32 (sz 256) +- } +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- in +- let sampled_coefficients:t_Array usize v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_coefficients +- i +- ((sampled_coefficients.[ i ] <: usize) +! sz 1 <: usize) +- in +- out, sampled_coefficients +- <: +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) +- else +- out, sampled_coefficients +- <: +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K)) +- in +- if +- (sampled_coefficients.[ i ] <: usize) <. +- Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT +- then +- false, out, sampled_coefficients +- <: +- (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K) + (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) - in -- let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & ++ in + let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & - usize) = - if - d2 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && - sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then -- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = ++ usize) = ++ if ++ d2 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && ++ sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT ++ then + let out:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = - { - out with - Libcrux.Kem.Kyber.Arithmetic.f_coefficients -@@ -235,31 +313,31 @@ - d2 - } - <: -- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement ++ { ++ out with ++ Libcrux.Kem.Kyber.Arithmetic.f_coefficients ++ = ++ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out ++ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients ++ sampled_coefficients ++ d2 ++ } ++ <: + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement - in - let sampled_coefficients:usize = sampled_coefficients +! sz 1 in - out, sampled_coefficients - <: -- (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) ++ in ++ let sampled_coefficients:usize = sampled_coefficients +! sz 1 in ++ out, sampled_coefficients ++ <: + (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) - else - out, sampled_coefficients - <: -- (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) ++ else ++ out, sampled_coefficients ++ <: + (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) - in - if sampled_coefficients =. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let done:bool = true in - done, out, sampled_coefficients - <: -- (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) ++ in ++ if sampled_coefficients =. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT ++ then ++ let done:bool = true in ++ done, out, sampled_coefficients ++ <: + (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) - else - done, out, sampled_coefficients - <: -- (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) ++ else ++ done, out, sampled_coefficients ++ <: + (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) else done, out, sampled_coefficients <: -- (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)) +- (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K)) + (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize)) in - let _:Prims.unit = - if ~.done -@@ -268,4 +346,5 @@ - () +- let hax_temp_output:bool = done in +- sampled_coefficients, out, hax_temp_output +- <: +- (t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) +- +-let sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) = +- let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K = +- Rust_primitives.Hax.repeat (sz 0) v_K ++ let _:Prims.unit = ++ if ~.done ++ then ++ let _:Prims.unit = rejection_sampling_panic_with_diagnostic () in ++ () in +- let (out: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K):t_Array +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K +- in +- let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState = +- Libcrux.Kem.Kyber.Hash_functions.v_XOF_absorb v_K seeds +- in +- let randomness, new_state:(t_Array (t_Array u8 (sz 504)) v_K & +- Libcrux.Kem.Kyber.Hash_functions.t_XofState) = +- Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_three_blocks v_K xof_state +- in +- let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState = new_state in +- let tmp0, tmp1, out1:(t_Array usize v_K & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- bool) = +- sample_from_uniform_distribution_next v_K (sz 504) randomness sampled_coefficients out +- in +- let sampled_coefficients:t_Array usize v_K = tmp0 in +- let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in +- let done:bool = out1 in +- let done, out, sampled_coefficients, xof_state:(bool & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K & +- Libcrux.Kem.Kyber.Hash_functions.t_XofState) = +- Rust_primitives.f_while_loop (fun temp_0_ -> +- let done, out, sampled_coefficients, xof_state:(bool & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K & +- Libcrux.Kem.Kyber.Hash_functions.t_XofState) = +- temp_0_ +- in +- ~.done <: bool) +- (done, out, sampled_coefficients, xof_state +- <: +- (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & t_Array usize v_K & +- Libcrux.Kem.Kyber.Hash_functions.t_XofState)) +- (fun temp_0_ -> +- let done, out, sampled_coefficients, xof_state:(bool & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K & +- Libcrux.Kem.Kyber.Hash_functions.t_XofState) = +- temp_0_ +- in +- let randomness, new_state:(t_Array (t_Array u8 (sz 168)) v_K & +- Libcrux.Kem.Kyber.Hash_functions.t_XofState) = +- Libcrux.Kem.Kyber.Hash_functions.v_XOF_squeeze_block v_K xof_state +- in +- let xof_state:Libcrux.Kem.Kyber.Hash_functions.t_XofState = new_state in +- let tmp0, tmp1, out1:(t_Array usize v_K & +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- bool) = +- sample_from_uniform_distribution_next v_K (sz 168) randomness sampled_coefficients out +- in +- let sampled_coefficients:t_Array usize v_K = tmp0 in +- let out:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = tmp1 in +- let hoist21:bool = out1 in +- let done:bool = hoist21 in +- done, out, sampled_coefficients, xof_state +- <: +- (bool & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & +- t_Array usize v_K & +- Libcrux.Kem.Kyber.Hash_functions.t_XofState)) +- in let _:Prims.unit = () <: Prims.unit in - out + out +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-22 11:01:52 -@@ -3,77 +3,37 @@ +--- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-29 12:58:33 +@@ -3,84 +3,37 @@ open Core open FStar.Mul --val rejection_sampling_panic_with_diagnostic: Prims.unit -- -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) +open Libcrux.Kem.Kyber.Arithmetic - ++ val sample_from_binomial_distribution_2_ (randomness: t_Slice u8) - : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + : Prims.Pure (t_PolynomialRingElement_b 3) @@ -5277,18 +5740,29 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.K + Libcrux.Kem.Kyber.Arithmetic.to_spec_poly_b result == + Spec.Kyber.sample_poly_binomial v_ETA randomness) - val sample_from_uniform_distribution (randomness: t_Array u8 (sz 840)) -- : Prims.Pure Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +-val sample_from_uniform_distribution_next +- (v_K v_N: usize) +- (randomness: t_Array (t_Array u8 v_N) v_K) +- (sampled_coefficients: t_Array usize v_K) +- (out: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- : Prims.Pure +- (t_Array usize v_K & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K & bool) +- Prims.l_True +- (fun _ -> Prims.l_True) +- +-val sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) +- : Prims.Pure (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) - Prims.l_True - (fun _ -> Prims.l_True) ++val sample_from_uniform_distribution (randomness: t_Array u8 (sz 840)) + : Pure Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement + (requires True) + (ensures fun _ -> True) +// (ensures fun result -> (forall i. v (result.f_coefficients.[i]) >= 0)) + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.Kem.Kyber.Serialize.fst ---- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-29 12:58:32 @@ -1,8 +1,15 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -6764,8 +7238,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K +#pop-options + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-29 12:58:32 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-29 12:58:35 @@ -2,118 +2,188 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7019,8 +7493,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux. + int_t_array_bitwise_eq res 8 coefficients 12 + )) diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.Kyber.Types.fst ---- extraction/Libcrux.Kem.Kyber.Types.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.Types.fst 2024-02-29 12:58:30 ++++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-29 12:58:34 @@ -50,7 +50,9 @@ let impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : usize = v_SIZE @@ -7055,8 +7529,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.K type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.fst ---- extraction/Libcrux.Kem.Kyber.fst 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.fst 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-29 12:58:32 @@ -1,12 +1,29 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7326,8 +7800,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.f (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber.fsti ---- extraction/Libcrux.Kem.Kyber.fsti 2024-02-22 11:01:52 -+++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-22 11:01:52 +--- extraction/Libcrux.Kem.Kyber.fsti 2024-02-29 12:58:29 ++++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-29 12:58:33 @@ -10,36 +10,84 @@ Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE @@ -7429,7 +7903,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber. + (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst --- extraction/Libcrux.Kem.fst 1970-01-01 01:00:00 -+++ extraction-edited/Libcrux.Kem.fst 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux.Kem.fst 2024-02-29 12:58:35 @@ -0,0 +1,6 @@ +module Libcrux.Kem +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7439,7 +7913,7 @@ diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst + diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_platform.Platform.fsti --- extraction/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 -+++ extraction-edited/Libcrux_platform.Platform.fsti 2024-02-22 11:01:52 ++++ extraction-edited/Libcrux_platform.Platform.fsti 2024-02-29 12:58:32 @@ -0,0 +1,20 @@ +module Libcrux_platform.Platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7463,7 +7937,7 @@ diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_pl +val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst --- extraction/MkSeq.fst 1970-01-01 01:00:00 -+++ extraction-edited/MkSeq.fst 2024-02-22 11:01:52 ++++ extraction-edited/MkSeq.fst 2024-02-29 12:58:35 @@ -0,0 +1,91 @@ +module MkSeq +open Core @@ -7558,7 +8032,7 @@ diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst +%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction/Spec.Kyber.fst extraction-edited/Spec.Kyber.fst --- extraction/Spec.Kyber.fst 1970-01-01 01:00:00 -+++ extraction-edited/Spec.Kyber.fst 2024-02-22 11:01:52 ++++ extraction-edited/Spec.Kyber.fst 2024-02-29 12:58:33 @@ -0,0 +1,433 @@ +module Spec.Kyber +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" diff --git a/proofs/fstar/extraction-secret-independent.patch b/proofs/fstar/extraction-secret-independent.patch index d7b3bc1b8..8cdaac189 100644 --- a/proofs/fstar/extraction-secret-independent.patch +++ b/proofs/fstar/extraction-secret-independent.patch @@ -1,5 +1,5 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq.fst ---- extraction-edited/BitVecEq.fst 2024-02-22 11:01:52 +--- extraction-edited/BitVecEq.fst 2024-02-29 12:58:34 +++ extraction-secret-independent/BitVecEq.fst 1970-01-01 01:00:00 @@ -1,12 +0,0 @@ -module BitVecEq @@ -15,7 +15,7 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq. - - diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq.fsti ---- extraction-edited/BitVecEq.fsti 2024-02-22 11:01:52 +--- extraction-edited/BitVecEq.fsti 2024-02-29 12:58:35 +++ extraction-secret-independent/BitVecEq.fsti 1970-01-01 01:00:00 @@ -1,294 +0,0 @@ -module BitVecEq @@ -313,8 +313,8 @@ diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq - = admit () -*) diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Libcrux.Digest.fsti ---- extraction-edited/Libcrux.Digest.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Digest.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Digest.fsti 2024-02-29 12:58:34 ++++ extraction-secret-independent/Libcrux.Digest.fsti 2024-02-29 12:58:38 @@ -1,31 +1,41 @@ module Libcrux.Digest #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -379,8 +379,8 @@ diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Li - (fun _ -> Prims.l_True) +val shake256 (v_LEN: usize) (data: t_Slice u8) : t_Array u8 v_LEN diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-29 12:58:35 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-29 12:58:39 @@ -1,364 +1,81 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -785,8 +785,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i - - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-29 12:58:32 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-29 12:58:36 @@ -3,32 +3,10 @@ open Core open FStar.Mul @@ -1140,8 +1140,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-29 12:58:32 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-02-29 12:58:36 @@ -1,79 +1,39 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 0 --z3rlimit 200" @@ -1246,8 +1246,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-ind + (Core.Ops.Arith.Neg.neg fe <: i32) &. + ((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-29 12:58:34 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-02-29 12:58:38 @@ -3,42 +3,44 @@ open Core open FStar.Mul @@ -1319,8 +1319,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-in - (fun result -> v result >= 0 /\ v result < 3329) + : Prims.Pure i32 (requires fe =. 0l || fe =. 1l) (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-29 12:58:32 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-29 12:58:35 @@ -4,163 +4,61 @@ open FStar.Mul @@ -1509,8 +1509,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-s -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-29 12:58:35 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-29 12:58:39 @@ -20,26 +20,30 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1554,7 +1554,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction- + result = rhs <: bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst --- extraction-edited/Libcrux.Kem.Kyber.Conversions.fst 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-02-29 12:58:36 @@ -0,0 +1,87 @@ +module Libcrux.Kem.Kyber.Conversions +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1645,8 +1645,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret- + cast (fe +! ((fe >>! 15l <: i32) &. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32)) <: u16 \ No newline at end of file diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-29 12:58:36 @@ -3,28 +3,18 @@ open Core open FStar.Mul @@ -1714,8 +1714,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secr - out + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-29 12:58:37 @@ -3,17 +3,12 @@ open Core open FStar.Mul @@ -1742,7 +1742,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-sec + : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst --- extraction-edited/Libcrux.Kem.Kyber.Helper.fst 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-02-29 12:58:39 @@ -0,0 +1,6 @@ +module Libcrux.Kem.Kyber.Helper +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1751,8 +1751,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-indep + + diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-29 12:58:34 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-29 12:58:38 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2460,8 +2460,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - res - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-29 12:58:34 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-29 12:58:39 @@ -1,151 +1,80 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2662,8 +2662,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-29 12:58:34 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-29 12:58:37 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2712,8 +2712,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-in (sz 3168) (sz 1568) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-29 12:58:34 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-29 12:58:38 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ @@ -2759,8 +2759,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-i Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-29 12:58:34 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-29 12:58:38 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2809,8 +2809,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-ind (sz 1632) (sz 800) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-29 12:58:36 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ @@ -2856,8 +2856,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-in Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-29 12:58:32 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-29 12:58:35 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2906,8 +2906,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-ind (sz 2400) (sz 1184) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-29 12:58:37 @@ -63,33 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ @@ -2956,8 +2956,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-in - (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-02-29 12:58:36 @@ -3,418 +3,432 @@ open Core open FStar.Mul @@ -3761,8 +3761,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - admit(); //P-F v_A_transpose diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-29 12:58:35 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-29 12:58:39 @@ -3,71 +3,39 @@ open Core open FStar.Mul @@ -3864,8 +3864,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-inde + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-02-29 12:58:36 @@ -1,130 +1,56 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -4795,8 +4795,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ -#pop-options + re diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-29 12:58:36 @@ -2,80 +2,224 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -5086,8 +5086,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-02-29 12:58:36 @@ -3,34 +3,27 @@ open Core open FStar.Mul @@ -5524,8 +5524,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-ind -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-29 12:58:36 @@ -3,37 +3,77 @@ open Core open FStar.Mul @@ -5626,8 +5626,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-in + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-29 12:58:32 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-02-29 12:58:36 @@ -1,15 +1,8 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 0 --z3rlimit 50 --retry 3" @@ -7110,8 +7110,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in -#pop-options - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-29 12:58:35 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-29 12:58:39 @@ -2,188 +2,118 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7365,8 +7365,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i +val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst ---- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-29 12:58:34 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-02-29 12:58:37 @@ -3,31 +3,31 @@ open Core open FStar.Mul @@ -7634,8 +7634,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-indepe + (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : t_Array u8 v_PRIVATE_KEY_SIZE = impl_12__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/Libcrux.Kem.Kyber.fst ---- extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-29 12:58:32 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-02-29 12:58:36 @@ -1,29 +1,12 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -7914,8 +7914,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/ - + (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent/Libcrux.Kem.Kyber.fsti ---- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-22 11:01:52 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-29 12:58:33 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-02-29 12:58:36 @@ -4,90 +4,37 @@ open FStar.Mul @@ -8024,7 +8024,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-independent/Libcrux_platform.Platform.fsti ---- extraction-edited/Libcrux_platform.Platform.fsti 2024-02-22 11:01:52 +--- extraction-edited/Libcrux_platform.Platform.fsti 2024-02-29 12:58:32 +++ extraction-secret-independent/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 @@ -1,20 +0,0 @@ -module Libcrux_platform.Platform @@ -8049,14 +8049,14 @@ diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-ind -val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.fsti extraction-secret-independent/Libcrux_platform.fsti --- extraction-edited/Libcrux_platform.fsti 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux_platform.fsti 2024-02-22 11:01:52 ++++ extraction-secret-independent/Libcrux_platform.fsti 2024-02-29 12:58:38 @@ -0,0 +1,4 @@ +module Libcrux_platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" + +val simd256_support : unit -> bool diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst ---- extraction-edited/MkSeq.fst 2024-02-22 11:01:52 +--- extraction-edited/MkSeq.fst 2024-02-29 12:58:35 +++ extraction-secret-independent/MkSeq.fst 1970-01-01 01:00:00 @@ -1,91 +0,0 @@ -module MkSeq @@ -8151,7 +8151,7 @@ diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst - -%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction-edited/Spec.Kyber.fst extraction-secret-independent/Spec.Kyber.fst ---- extraction-edited/Spec.Kyber.fst 2024-02-22 11:01:52 +--- extraction-edited/Spec.Kyber.fst 2024-02-29 12:58:33 +++ extraction-secret-independent/Spec.Kyber.fst 1970-01-01 01:00:00 @@ -1,433 +0,0 @@ -module Spec.Kyber From fa602a60a5643b6dfcaf82feb591fc9fa70c414c Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Fri, 1 Mar 2024 08:46:51 +0100 Subject: [PATCH 22/28] improved C code generation by simplifying match in hash-functions --- src/kem/kyber/hash_functions.rs | 88 +++++++++++++++++++-------------- 1 file changed, 50 insertions(+), 38 deletions(-) diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index 4533b4f74..f8ff00e13 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -53,27 +53,33 @@ pub(crate) fn XOF_squeeze_three_blocks( xof_state: XofState, ) -> ([[u8; 168 * 3]; K], XofState) { let mut output = [[0; 168 * 3]; K]; - match (K as u8, xof_state) { - (2, XofState::X2(mut st)) => { - let tmp = digest::shake128_squeeze_nblocks_x2::<504>(&mut st); - output[0] = tmp[0]; - output[1] = tmp[1]; - (output, XofState::X2(st)) + match K as u8 { + 2 => { + if let XofState::X2(mut st) = xof_state { + let tmp = digest::shake128_squeeze_nblocks_x2::<504>(&mut st); + output[0] = tmp[0]; + output[1] = tmp[1]; + (output, XofState::X2(st)) + } else {unreachable!()} } - (3, XofState::X3(mut st)) => { - let tmp = digest::shake128_squeeze_nblocks_x3::<504>(&mut st); - output[0] = tmp[0]; - output[1] = tmp[1]; - output[2] = tmp[2]; - (output, XofState::X3(st)) + 3 => { + if let XofState::X3(mut st) = xof_state { + let tmp = digest::shake128_squeeze_nblocks_x3::<504>(&mut st); + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; + (output, XofState::X3(st)) + } else {unreachable!()} } - (4, XofState::X4(mut st)) => { - let tmp = digest::shake128_squeeze_nblocks_x4::<504>(&mut st); - output[0] = tmp[0]; - output[1] = tmp[1]; - output[2] = tmp[2]; - output[3] = tmp[3]; - (output, XofState::X4(st)) + 4 => { + if let XofState::X4(mut st) = xof_state { + let tmp = digest::shake128_squeeze_nblocks_x4::<504>(&mut st); + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; + output[3] = tmp[3]; + (output, XofState::X4(st)) + } else {unreachable!()} } _ => unreachable!(), } @@ -82,27 +88,33 @@ pub(crate) fn XOF_squeeze_three_blocks( #[inline(always)] pub(crate) fn XOF_squeeze_block(xof_state: XofState) -> ([[u8; 168]; K], XofState) { let mut output = [[0; 168]; K]; - match (K as u8, xof_state) { - (2, XofState::X2(mut st)) => { - let tmp = digest::shake128_squeeze_nblocks_x2::<168>(&mut st); - output[0] = tmp[0]; - output[1] = tmp[1]; - (output, XofState::X2(st)) + match K as u8 { + 2 => { + if let XofState::X2(mut st) = xof_state { + let tmp = digest::shake128_squeeze_nblocks_x2::<168>(&mut st); + output[0] = tmp[0]; + output[1] = tmp[1]; + (output, XofState::X2(st)) + } else {unreachable!()} } - (3, XofState::X3(mut st)) => { - let tmp = digest::shake128_squeeze_nblocks_x3::<168>(&mut st); - output[0] = tmp[0]; - output[1] = tmp[1]; - output[2] = tmp[2]; - (output, XofState::X3(st)) + 3 => { + if let XofState::X3(mut st) = xof_state { + let tmp = digest::shake128_squeeze_nblocks_x3::<168>(&mut st); + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; + (output, XofState::X3(st)) + } else {unreachable!()} } - (4, XofState::X4(mut st)) => { - let tmp = digest::shake128_squeeze_nblocks_x4::<168>(&mut st); - output[0] = tmp[0]; - output[1] = tmp[1]; - output[2] = tmp[2]; - output[3] = tmp[3]; - (output, XofState::X4(st)) + 4 => { + if let XofState::X4(mut st) = xof_state { + let tmp = digest::shake128_squeeze_nblocks_x4::<168>(&mut st); + output[0] = tmp[0]; + output[1] = tmp[1]; + output[2] = tmp[2]; + output[3] = tmp[3]; + (output, XofState::X4(st)) + } else {unreachable!()} } _ => unreachable!(), } From 1c534213a9ced38371168f218448c3f50daccff0 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Fri, 1 Mar 2024 09:24:17 +0100 Subject: [PATCH 23/28] recreated patches --- proofs/fstar/extraction-edited.patch | 120 ++++++++-------- .../fstar/extraction-secret-independent.patch | 128 +++++++++--------- proofs/fstar/patches.sh | 2 +- 3 files changed, 125 insertions(+), 125 deletions(-) diff --git a/proofs/fstar/extraction-edited.patch b/proofs/fstar/extraction-edited.patch index 32f75bffd..787911d86 100644 --- a/proofs/fstar/extraction-edited.patch +++ b/proofs/fstar/extraction-edited.patch @@ -1,6 +1,6 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst --- extraction/BitVecEq.fst 1970-01-01 01:00:00 -+++ extraction-edited/BitVecEq.fst 2024-02-29 12:58:34 ++++ extraction-edited/BitVecEq.fst 2024-03-01 09:24:06 @@ -0,0 +1,12 @@ +module BitVecEq + @@ -16,7 +16,7 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst + diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti --- extraction/BitVecEq.fsti 1970-01-01 01:00:00 -+++ extraction-edited/BitVecEq.fsti 2024-02-29 12:58:35 ++++ extraction-edited/BitVecEq.fsti 2024-03-01 09:24:06 @@ -0,0 +1,294 @@ +module BitVecEq +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -313,8 +313,8 @@ diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti + = admit () +*) diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti ---- extraction/Libcrux.Digest.fsti 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Digest.fsti 2024-02-29 12:58:34 +--- extraction/Libcrux.Digest.fsti 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Digest.fsti 2024-03-01 09:24:05 @@ -3,50 +3,29 @@ open Core open FStar.Mul @@ -379,8 +379,8 @@ diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-29 12:58:32 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-29 12:58:35 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 09:24:06 @@ -1,81 +1,364 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -786,8 +786,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + + diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-29 12:58:32 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 09:24:04 @@ -3,10 +3,32 @@ open Core open FStar.Mul @@ -1135,8 +1135,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux + + diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Kem.Kyber.Compress.fst ---- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-29 12:58:32 +--- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 09:24:04 @@ -1,39 +1,79 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1240,8 +1240,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Ke + res <: Libcrux.Kem.Kyber.Arithmetic.i32_b 3328 +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.Kem.Kyber.Compress.fsti ---- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-29 12:58:34 +--- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 09:24:05 @@ -3,8 +3,19 @@ open Core open FStar.Mul @@ -1307,8 +1307,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.K + (requires fe =. 0l || fe =. 1l) + (fun result -> v result >= 0 /\ v result < 3329) diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-29 12:58:28 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-29 12:58:32 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 09:24:02 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 09:24:04 @@ -4,56 +4,163 @@ open FStar.Mul @@ -1494,8 +1494,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + ) +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-29 12:58:32 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-29 12:58:35 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 09:24:06 @@ -20,7 +20,8 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1527,8 +1527,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/ + Hax_lib.implies (selector =. 0uy <: bool) (fun _ -> result =. lhs <: bool) && + Hax_lib.implies (selector <>. 0uy <: bool) (fun _ -> result =. rhs <: bool)) diff -ruN extraction/Libcrux.Kem.Kyber.Constants.fsti extraction-edited/Libcrux.Kem.Kyber.Constants.fsti ---- extraction/Libcrux.Kem.Kyber.Constants.fsti 2024-02-29 12:58:31 -+++ extraction-edited/Libcrux.Kem.Kyber.Constants.fsti 2024-02-29 12:58:34 +--- extraction/Libcrux.Kem.Kyber.Constants.fsti 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Constants.fsti 2024-03-01 09:24:06 @@ -17,4 +17,6 @@ let v_H_DIGEST_SIZE: usize = sz 32 @@ -1537,8 +1537,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constants.fsti extraction-edited/Libcrux. + let v_SHARED_SECRET_SIZE: usize = sz 32 diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 09:24:05 @@ -3,197 +3,114 @@ open Core open FStar.Mul @@ -1844,8 +1844,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libc + admit(); // We assume that shake128x4 correctly implements XOFx4 + out diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 09:24:05 @@ -3,27 +3,17 @@ open Core open FStar.Mul @@ -1886,8 +1886,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Lib + (ensures (fun res -> + (forall i. i < v v_K ==> Seq.index res i == Spec.Kyber.v_XOF (sz 840) (Seq.index input i)))) diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-29 12:58:34 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 09:24:05 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2591,8 +2591,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem + res + diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-29 12:58:32 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-29 12:58:34 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 09:24:06 @@ -1,80 +1,151 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2793,8 +2793,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + + diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-29 12:58:34 +--- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 09:24:05 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) @@ -2828,8 +2828,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.K (sz 3168) (sz 1568) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-29 12:58:31 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-29 12:58:34 +--- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 09:24:06 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) @@ -2863,8 +2863,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Ke (sz 1632) (sz 800) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-29 12:58:32 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 09:24:04 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) @@ -2898,8 +2898,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Ke (sz 2400) (sz 1184) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 09:24:05 @@ -74,14 +74,15 @@ val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) @@ -2925,8 +2925,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.K - (fun _ -> Prims.l_True) + (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem.Kyber.Matrix.fst ---- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 09:24:04 @@ -3,192 +3,188 @@ open Core open FStar.Mul @@ -3724,8 +3724,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + admit(); //P-F v_A_transpose diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-29 12:58:32 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-29 12:58:35 +--- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 09:24:06 @@ -3,39 +3,71 @@ open Core open FStar.Mul @@ -3827,8 +3827,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem + if transpose then Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == matrix_A + else Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == Spec.Kyber.matrix_transpose matrix_A) diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyber.Ntt.fst ---- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 09:24:05 @@ -1,56 +1,130 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -4758,8 +4758,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + down_cast_poly_b #(8*3328) #3328 re +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 09:24:04 @@ -2,223 +2,80 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -5048,8 +5048,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky + (ensures fun _ -> True) + diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Kem.Kyber.Sampling.fst ---- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 09:24:04 @@ -3,22 +3,34 @@ open Core open FStar.Mul @@ -5650,8 +5650,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + out +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 09:24:05 @@ -3,84 +3,37 @@ open Core open FStar.Mul @@ -5761,8 +5761,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.K +// (ensures fun result -> (forall i. v (result.f_coefficients.[i]) >= 0)) + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.Kem.Kyber.Serialize.fst ---- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-29 12:58:32 +--- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 09:24:04 @@ -1,8 +1,15 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7238,8 +7238,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K +#pop-options + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-29 12:58:32 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-29 12:58:35 +--- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 09:24:06 @@ -2,118 +2,188 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7493,8 +7493,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux. + int_t_array_bitwise_eq res 8 coefficients 12 + )) diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.Kyber.Types.fst ---- extraction/Libcrux.Kem.Kyber.Types.fst 2024-02-29 12:58:30 -+++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-29 12:58:34 +--- extraction/Libcrux.Kem.Kyber.Types.fst 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-01 09:24:05 @@ -50,7 +50,9 @@ let impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : usize = v_SIZE @@ -7529,8 +7529,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.K type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.fst ---- extraction/Libcrux.Kem.Kyber.fst 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-29 12:58:32 +--- extraction/Libcrux.Kem.Kyber.fst 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-01 09:24:04 @@ -1,12 +1,29 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7800,8 +7800,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.f (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber.fsti ---- extraction/Libcrux.Kem.Kyber.fsti 2024-02-29 12:58:29 -+++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-29 12:58:33 +--- extraction/Libcrux.Kem.Kyber.fsti 2024-03-01 09:24:03 ++++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-01 09:24:04 @@ -10,36 +10,84 @@ Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE @@ -7903,7 +7903,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber. + (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst --- extraction/Libcrux.Kem.fst 1970-01-01 01:00:00 -+++ extraction-edited/Libcrux.Kem.fst 2024-02-29 12:58:35 ++++ extraction-edited/Libcrux.Kem.fst 2024-03-01 09:24:06 @@ -0,0 +1,6 @@ +module Libcrux.Kem +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7913,7 +7913,7 @@ diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst + diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_platform.Platform.fsti --- extraction/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 -+++ extraction-edited/Libcrux_platform.Platform.fsti 2024-02-29 12:58:32 ++++ extraction-edited/Libcrux_platform.Platform.fsti 2024-03-01 09:24:04 @@ -0,0 +1,20 @@ +module Libcrux_platform.Platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7937,7 +7937,7 @@ diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_pl +val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst --- extraction/MkSeq.fst 1970-01-01 01:00:00 -+++ extraction-edited/MkSeq.fst 2024-02-29 12:58:35 ++++ extraction-edited/MkSeq.fst 2024-03-01 09:24:06 @@ -0,0 +1,91 @@ +module MkSeq +open Core @@ -8032,7 +8032,7 @@ diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst +%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction/Spec.Kyber.fst extraction-edited/Spec.Kyber.fst --- extraction/Spec.Kyber.fst 1970-01-01 01:00:00 -+++ extraction-edited/Spec.Kyber.fst 2024-02-29 12:58:33 ++++ extraction-edited/Spec.Kyber.fst 2024-03-01 09:24:05 @@ -0,0 +1,433 @@ +module Spec.Kyber +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" diff --git a/proofs/fstar/extraction-secret-independent.patch b/proofs/fstar/extraction-secret-independent.patch index 8cdaac189..53df8a230 100644 --- a/proofs/fstar/extraction-secret-independent.patch +++ b/proofs/fstar/extraction-secret-independent.patch @@ -1,5 +1,5 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq.fst ---- extraction-edited/BitVecEq.fst 2024-02-29 12:58:34 +--- extraction-edited/BitVecEq.fst 2024-03-01 09:24:06 +++ extraction-secret-independent/BitVecEq.fst 1970-01-01 01:00:00 @@ -1,12 +0,0 @@ -module BitVecEq @@ -15,7 +15,7 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq. - - diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq.fsti ---- extraction-edited/BitVecEq.fsti 2024-02-29 12:58:35 +--- extraction-edited/BitVecEq.fsti 2024-03-01 09:24:06 +++ extraction-secret-independent/BitVecEq.fsti 1970-01-01 01:00:00 @@ -1,294 +0,0 @@ -module BitVecEq @@ -313,8 +313,8 @@ diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq - = admit () -*) diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Libcrux.Digest.fsti ---- extraction-edited/Libcrux.Digest.fsti 2024-02-29 12:58:34 -+++ extraction-secret-independent/Libcrux.Digest.fsti 2024-02-29 12:58:38 +--- extraction-edited/Libcrux.Digest.fsti 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Digest.fsti 2024-03-01 09:24:08 @@ -1,31 +1,41 @@ module Libcrux.Digest #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -379,8 +379,8 @@ diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Li - (fun _ -> Prims.l_True) +val shake256 (v_LEN: usize) (data: t_Slice u8) : t_Array u8 v_LEN diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-29 12:58:35 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-29 12:58:39 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 09:24:06 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 09:24:08 @@ -1,364 +1,81 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -785,8 +785,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i - - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-29 12:58:32 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 09:24:07 @@ -3,32 +3,10 @@ open Core open FStar.Mul @@ -1140,8 +1140,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-29 12:58:32 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 09:24:07 @@ -1,79 +1,39 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 0 --z3rlimit 200" @@ -1246,8 +1246,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-ind + (Core.Ops.Arith.Neg.neg fe <: i32) &. + ((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-29 12:58:34 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-02-29 12:58:38 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 09:24:08 @@ -3,42 +3,44 @@ open Core open FStar.Mul @@ -1319,8 +1319,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-in - (fun result -> v result >= 0 /\ v result < 3329) + : Prims.Pure i32 (requires fe =. 0l || fe =. 1l) (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-29 12:58:32 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-29 12:58:35 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 09:24:06 @@ -4,163 +4,61 @@ open FStar.Mul @@ -1509,8 +1509,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-s -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-29 12:58:35 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-29 12:58:39 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 09:24:06 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 09:24:09 @@ -20,26 +20,30 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1554,7 +1554,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction- + result = rhs <: bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst --- extraction-edited/Libcrux.Kem.Kyber.Conversions.fst 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-02-29 12:58:36 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-03-01 09:24:07 @@ -0,0 +1,87 @@ +module Libcrux.Kem.Kyber.Conversions +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1645,8 +1645,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret- + cast (fe +! ((fe >>! 15l <: i32) &. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32)) <: u16 \ No newline at end of file diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 09:24:07 @@ -3,28 +3,18 @@ open Core open FStar.Mul @@ -1714,8 +1714,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secr - out + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-29 12:58:37 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 09:24:07 @@ -3,17 +3,12 @@ open Core open FStar.Mul @@ -1742,7 +1742,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-sec + : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst --- extraction-edited/Libcrux.Kem.Kyber.Helper.fst 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-02-29 12:58:39 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-03-01 09:24:09 @@ -0,0 +1,6 @@ +module Libcrux.Kem.Kyber.Helper +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1751,8 +1751,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-indep + + diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-29 12:58:34 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-29 12:58:38 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 09:24:08 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2460,8 +2460,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - res - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-29 12:58:34 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-29 12:58:39 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 09:24:06 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 09:24:08 @@ -1,151 +1,80 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2662,8 +2662,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-29 12:58:34 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-29 12:58:37 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 09:24:07 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2712,8 +2712,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-in (sz 3168) (sz 1568) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-29 12:58:34 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-29 12:58:38 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-01 09:24:08 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ @@ -2759,8 +2759,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-i Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-29 12:58:34 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-29 12:58:38 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 09:24:06 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 09:24:08 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2809,8 +2809,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-ind (sz 1632) (sz 800) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-01 09:24:07 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ @@ -2856,8 +2856,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-in Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-29 12:58:32 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-29 12:58:35 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 09:24:06 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2906,8 +2906,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-ind (sz 2400) (sz 1184) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-29 12:58:37 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 09:24:07 @@ -63,33 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ @@ -2956,8 +2956,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-in - (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 09:24:07 @@ -3,418 +3,432 @@ open Core open FStar.Mul @@ -3761,8 +3761,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - admit(); //P-F v_A_transpose diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-29 12:58:35 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-29 12:58:39 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 09:24:06 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 09:24:08 @@ -3,71 +3,39 @@ open Core open FStar.Mul @@ -3864,8 +3864,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-inde + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 09:24:07 @@ -1,130 +1,56 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -4795,8 +4795,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ -#pop-options + re diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 09:24:07 @@ -2,80 +2,224 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -5086,8 +5086,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 09:24:07 @@ -3,34 +3,27 @@ open Core open FStar.Mul @@ -5524,8 +5524,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-ind -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 09:24:07 @@ -3,37 +3,77 @@ open Core open FStar.Mul @@ -5626,8 +5626,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-in + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-29 12:58:32 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 09:24:07 @@ -1,15 +1,8 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 0 --z3rlimit 50 --retry 3" @@ -7110,8 +7110,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in -#pop-options - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-29 12:58:35 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-29 12:58:39 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 09:24:06 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 09:24:08 @@ -2,188 +2,118 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7365,8 +7365,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i +val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst ---- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-29 12:58:34 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-02-29 12:58:37 +--- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-01 09:24:05 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-03-01 09:24:08 @@ -3,31 +3,31 @@ open Core open FStar.Mul @@ -7634,8 +7634,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-indepe + (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : t_Array u8 v_PRIVATE_KEY_SIZE = impl_12__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/Libcrux.Kem.Kyber.fst ---- extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-29 12:58:32 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-03-01 09:24:07 @@ -1,29 +1,12 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -7914,8 +7914,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/ - + (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent/Libcrux.Kem.Kyber.fsti ---- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-29 12:58:33 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-02-29 12:58:36 +--- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-01 09:24:04 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-03-01 09:24:07 @@ -4,90 +4,37 @@ open FStar.Mul @@ -8024,7 +8024,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-independent/Libcrux_platform.Platform.fsti ---- extraction-edited/Libcrux_platform.Platform.fsti 2024-02-29 12:58:32 +--- extraction-edited/Libcrux_platform.Platform.fsti 2024-03-01 09:24:04 +++ extraction-secret-independent/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 @@ -1,20 +0,0 @@ -module Libcrux_platform.Platform @@ -8049,14 +8049,14 @@ diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-ind -val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.fsti extraction-secret-independent/Libcrux_platform.fsti --- extraction-edited/Libcrux_platform.fsti 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux_platform.fsti 2024-02-29 12:58:38 ++++ extraction-secret-independent/Libcrux_platform.fsti 2024-03-01 09:24:08 @@ -0,0 +1,4 @@ +module Libcrux_platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" + +val simd256_support : unit -> bool diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst ---- extraction-edited/MkSeq.fst 2024-02-29 12:58:35 +--- extraction-edited/MkSeq.fst 2024-03-01 09:24:06 +++ extraction-secret-independent/MkSeq.fst 1970-01-01 01:00:00 @@ -1,91 +0,0 @@ -module MkSeq @@ -8151,7 +8151,7 @@ diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst - -%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction-edited/Spec.Kyber.fst extraction-secret-independent/Spec.Kyber.fst ---- extraction-edited/Spec.Kyber.fst 2024-02-29 12:58:33 +--- extraction-edited/Spec.Kyber.fst 2024-03-01 09:24:05 +++ extraction-secret-independent/Spec.Kyber.fst 1970-01-01 01:00:00 @@ -1,433 +0,0 @@ -module Spec.Kyber diff --git a/proofs/fstar/patches.sh b/proofs/fstar/patches.sh index 2228333f5..09ed437c4 100755 --- a/proofs/fstar/patches.sh +++ b/proofs/fstar/patches.sh @@ -11,7 +11,7 @@ DENYLIST="Makefile Kyber.fst.config.json PROOFS.md" prepare_folder() { original="$1" workdir="$2" - find "$original" \( -name '*.fst' -o -name '*.fsti' \) -exec cp --parents \{\} "$workdir" \; + find "$original" \( -name '*.fst' -o -name '*.fsti' \) -exec gcp --parents \{\} "$workdir" \; } # `patch_folder ORIGINAL DESTINATION PATCH` creates the folder From 1aea834671efa46b2eca9f3f2871adce179b94dc Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Fri, 1 Mar 2024 09:25:22 +0100 Subject: [PATCH 24/28] rust format --- src/kem/kyber/hash_functions.rs | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index f8ff00e13..a83e20c20 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -56,11 +56,13 @@ pub(crate) fn XOF_squeeze_three_blocks( match K as u8 { 2 => { if let XofState::X2(mut st) = xof_state { - let tmp = digest::shake128_squeeze_nblocks_x2::<504>(&mut st); + let tmp = digest::shake128_squeeze_nblocks_x2::<504>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; (output, XofState::X2(st)) - } else {unreachable!()} + } else { + unreachable!() + } } 3 => { if let XofState::X3(mut st) = xof_state { @@ -69,7 +71,9 @@ pub(crate) fn XOF_squeeze_three_blocks( output[1] = tmp[1]; output[2] = tmp[2]; (output, XofState::X3(st)) - } else {unreachable!()} + } else { + unreachable!() + } } 4 => { if let XofState::X4(mut st) = xof_state { @@ -79,7 +83,9 @@ pub(crate) fn XOF_squeeze_three_blocks( output[2] = tmp[2]; output[3] = tmp[3]; (output, XofState::X4(st)) - } else {unreachable!()} + } else { + unreachable!() + } } _ => unreachable!(), } @@ -91,11 +97,13 @@ pub(crate) fn XOF_squeeze_block(xof_state: XofState) -> ([[u8; 1 match K as u8 { 2 => { if let XofState::X2(mut st) = xof_state { - let tmp = digest::shake128_squeeze_nblocks_x2::<168>(&mut st); + let tmp = digest::shake128_squeeze_nblocks_x2::<168>(&mut st); output[0] = tmp[0]; output[1] = tmp[1]; (output, XofState::X2(st)) - } else {unreachable!()} + } else { + unreachable!() + } } 3 => { if let XofState::X3(mut st) = xof_state { @@ -104,7 +112,9 @@ pub(crate) fn XOF_squeeze_block(xof_state: XofState) -> ([[u8; 1 output[1] = tmp[1]; output[2] = tmp[2]; (output, XofState::X3(st)) - } else {unreachable!()} + } else { + unreachable!() + } } 4 => { if let XofState::X4(mut st) = xof_state { @@ -114,7 +124,9 @@ pub(crate) fn XOF_squeeze_block(xof_state: XofState) -> ([[u8; 1 output[2] = tmp[2]; output[3] = tmp[3]; (output, XofState::X4(st)) - } else {unreachable!()} + } else { + unreachable!() + } } _ => unreachable!(), } From d73de685c24904c5cf4003ce417a9a78c5c43417 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Fri, 1 Mar 2024 10:19:24 +0100 Subject: [PATCH 25/28] undo accidental commit gcp -> cp --- proofs/fstar/patches.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proofs/fstar/patches.sh b/proofs/fstar/patches.sh index 09ed437c4..2228333f5 100755 --- a/proofs/fstar/patches.sh +++ b/proofs/fstar/patches.sh @@ -11,7 +11,7 @@ DENYLIST="Makefile Kyber.fst.config.json PROOFS.md" prepare_folder() { original="$1" workdir="$2" - find "$original" \( -name '*.fst' -o -name '*.fsti' \) -exec gcp --parents \{\} "$workdir" \; + find "$original" \( -name '*.fst' -o -name '*.fsti' \) -exec cp --parents \{\} "$workdir" \; } # `patch_folder ORIGINAL DESTINATION PATCH` creates the folder From fa837650391f9fe03580cd8f63a1b32c0aa9526d Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Fri, 1 Mar 2024 10:45:03 +0100 Subject: [PATCH 26/28] updated extraction --- proofs/fstar/extraction-edited.patch | 449 ++++++++++-------- .../fstar/extraction-secret-independent.patch | 128 ++--- .../Libcrux.Kem.Kyber.Hash_functions.fst | 310 ++++++------ 3 files changed, 485 insertions(+), 402 deletions(-) diff --git a/proofs/fstar/extraction-edited.patch b/proofs/fstar/extraction-edited.patch index 787911d86..413abeb8a 100644 --- a/proofs/fstar/extraction-edited.patch +++ b/proofs/fstar/extraction-edited.patch @@ -1,6 +1,6 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst --- extraction/BitVecEq.fst 1970-01-01 01:00:00 -+++ extraction-edited/BitVecEq.fst 2024-03-01 09:24:06 ++++ extraction-edited/BitVecEq.fst 2024-03-01 10:44:26 @@ -0,0 +1,12 @@ +module BitVecEq + @@ -16,7 +16,7 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst + diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti --- extraction/BitVecEq.fsti 1970-01-01 01:00:00 -+++ extraction-edited/BitVecEq.fsti 2024-03-01 09:24:06 ++++ extraction-edited/BitVecEq.fsti 2024-03-01 10:44:26 @@ -0,0 +1,294 @@ +module BitVecEq +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -313,8 +313,8 @@ diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti + = admit () +*) diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti ---- extraction/Libcrux.Digest.fsti 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Digest.fsti 2024-03-01 09:24:05 +--- extraction/Libcrux.Digest.fsti 2024-03-01 10:44:23 ++++ extraction-edited/Libcrux.Digest.fsti 2024-03-01 10:44:26 @@ -3,50 +3,29 @@ open Core open FStar.Mul @@ -379,8 +379,8 @@ diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 09:24:06 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 10:44:24 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 10:44:26 @@ -1,81 +1,364 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -786,8 +786,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + + diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 10:44:24 @@ -3,10 +3,32 @@ open Core open FStar.Mul @@ -1135,8 +1135,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux + + diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Kem.Kyber.Compress.fst ---- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 10:44:24 @@ -1,39 +1,79 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1240,8 +1240,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Ke + res <: Libcrux.Kem.Kyber.Arithmetic.i32_b 3328 +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.Kem.Kyber.Compress.fsti ---- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 09:24:05 +--- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 10:44:23 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 10:44:25 @@ -3,8 +3,19 @@ open Core open FStar.Mul @@ -1307,8 +1307,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.K + (requires fe =. 0l || fe =. 1l) + (fun result -> v result >= 0 /\ v result < 3329) diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 09:24:02 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 10:44:21 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 10:44:24 @@ -4,56 +4,163 @@ open FStar.Mul @@ -1494,8 +1494,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + ) +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 09:24:06 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 10:44:24 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 10:44:26 @@ -20,7 +20,8 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1527,8 +1527,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/ + Hax_lib.implies (selector =. 0uy <: bool) (fun _ -> result =. lhs <: bool) && + Hax_lib.implies (selector <>. 0uy <: bool) (fun _ -> result =. rhs <: bool)) diff -ruN extraction/Libcrux.Kem.Kyber.Constants.fsti extraction-edited/Libcrux.Kem.Kyber.Constants.fsti ---- extraction/Libcrux.Kem.Kyber.Constants.fsti 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Constants.fsti 2024-03-01 09:24:06 +--- extraction/Libcrux.Kem.Kyber.Constants.fsti 2024-03-01 10:44:23 ++++ extraction-edited/Libcrux.Kem.Kyber.Constants.fsti 2024-03-01 10:44:26 @@ -17,4 +17,6 @@ let v_H_DIGEST_SIZE: usize = sz 32 @@ -1537,9 +1537,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constants.fsti extraction-edited/Libcrux. + let v_SHARED_SECRET_SIZE: usize = sz 32 diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 09:24:05 -@@ -3,197 +3,114 @@ +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 10:44:24 +@@ -3,239 +3,114 @@ open Core open FStar.Mul @@ -1604,82 +1604,29 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libc + let out:t_Array (t_Array u8 (sz 840)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 840) <: t_Array u8 (sz 840)) v_K in -- match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState) with -- | 2uy, XofState_X2 st -> -- let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 168)) (sz 2)) = -- Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 168) st -- in -- let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in -- let tmp:t_Array (t_Array u8 (sz 168)) (sz 2) = out in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 0) -- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) -- in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 1) -- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) -- in -- output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) -- | 3uy, XofState_X3 st -> -- let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 168)) (sz 3)) = -- Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 168) st -- in -- let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in -- let tmp:t_Array (t_Array u8 (sz 168)) (sz 3) = out in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 0) -- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) -- in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 1) -- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) -- in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 2) -- (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) -- in -- output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) -- | 4uy, XofState_X4 st -> -- let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) (sz 4)) = -- Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 168) st -- in -- let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in -- let tmp:t_Array (t_Array u8 (sz 168)) (sz 4) = out in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 0) -- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) -- in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 1) -- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) -- in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 2) -- (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) -- in -- let output:t_Array (t_Array u8 (sz 168)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 3) -- (tmp.[ sz 3 ] <: t_Array u8 (sz 168)) -- in -- output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) -- | _ -> -- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -- -- <: -- Rust_primitives.Hax.t_Never) +- match cast (v_K <: usize) <: u8 with +- | 2uy -> +- (match xof_state with +- | XofState_X2 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 168)) (sz 2)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 168) st +- in +- let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 168)) (sz 2) = out in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) +- in +- output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - --let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState) = -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K + let out:t_Array (t_Array u8 (sz 840)) v_K = + if ~.(Libcrux_platform.Platform.simd256_support () <: bool) + then @@ -1701,7 +1648,80 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libc + (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) + <: + t_Array u8 (sz 840)) -+ <: + <: +- Rust_primitives.Hax.t_Never)) +- | 3uy -> +- (match xof_state with +- | XofState_X3 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 168)) (sz 3)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 168) st +- in +- let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 168)) (sz 3) = out in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 2) +- (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) +- in +- output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never)) +- | 4uy -> +- (match xof_state with +- | XofState_X4 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) (sz 4)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 168) st +- in +- let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 168)) (sz 4) = out in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 2) +- (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) +- in +- let output:t_Array (t_Array u8 (sz 168)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 3) +- (tmp.[ sz 3 ] <: t_Array u8 (sz 168)) +- in +- output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never)) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never) +- +-let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState) = +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K + t_Array (t_Array u8 (sz 840)) v_K) + else + let out:t_Array (t_Array u8 (sz 840)) v_K = @@ -1769,73 +1789,94 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libc + in + out in -- match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState) with -- | 2uy, XofState_X2 st -> -- let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 504)) (sz 2)) = -- Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 504) st -- in -- let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in -- let tmp:t_Array (t_Array u8 (sz 504)) (sz 2) = out in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 0) -- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) -- in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 1) -- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) -- in -- output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) -- | 3uy, XofState_X3 st -> -- let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 504)) (sz 3)) = -- Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 504) st -- in -- let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in -- let tmp:t_Array (t_Array u8 (sz 504)) (sz 3) = out in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 0) -- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) -- in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 1) -- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) -- in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 2) -- (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) -- in -- output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) -- | 4uy, XofState_X4 st -> -- let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) (sz 4)) = -- Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 504) st -- in -- let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in -- let tmp:t_Array (t_Array u8 (sz 504)) (sz 4) = out in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 0) -- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) -- in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 1) -- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) -- in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 2) -- (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) -- in -- let output:t_Array (t_Array u8 (sz 504)) v_K = -- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output -- (sz 3) -- (tmp.[ sz 3 ] <: t_Array u8 (sz 504)) -- in -- output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) +- match cast (v_K <: usize) <: u8 with +- | 2uy -> +- (match xof_state with +- | XofState_X2 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 504)) (sz 2)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 504) st +- in +- let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 504)) (sz 2) = out in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) +- in +- output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never)) +- | 3uy -> +- (match xof_state with +- | XofState_X3 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 504)) (sz 3)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 504) st +- in +- let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 504)) (sz 3) = out in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 2) +- (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) +- in +- output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never)) +- | 4uy -> +- (match xof_state with +- | XofState_X4 st -> +- let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) (sz 4)) = +- Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 504) st +- in +- let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in +- let tmp:t_Array (t_Array u8 (sz 504)) (sz 4) = out in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 0) +- (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 1) +- (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 2) +- (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) +- in +- let output:t_Array (t_Array u8 (sz 504)) v_K = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output +- (sz 3) +- (tmp.[ sz 3 ] <: t_Array u8 (sz 504)) +- in +- output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never)) - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - @@ -1844,8 +1885,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libc + admit(); // We assume that shake128x4 correctly implements XOFx4 + out diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 09:24:05 +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 10:44:25 @@ -3,27 +3,17 @@ open Core open FStar.Mul @@ -1886,8 +1927,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Lib + (ensures (fun res -> + (forall i. i < v v_K ==> Seq.index res i == Spec.Kyber.v_XOF (sz 840) (Seq.index input i)))) diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 09:24:05 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 10:44:23 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 10:44:25 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2591,8 +2632,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem + res + diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 09:24:06 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 10:44:23 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 10:44:26 @@ -1,80 +1,151 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2793,8 +2834,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + + diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 09:24:05 +--- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 10:44:23 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 10:44:25 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) @@ -2828,8 +2869,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.K (sz 3168) (sz 1568) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 09:24:06 +--- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 10:44:23 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 10:44:26 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) @@ -2863,8 +2904,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Ke (sz 1632) (sz 800) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 10:44:21 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 10:44:24 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) @@ -2898,8 +2939,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Ke (sz 2400) (sz 1184) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 09:24:05 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 10:44:25 @@ -74,14 +74,15 @@ val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) @@ -2925,8 +2966,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.K - (fun _ -> Prims.l_True) + (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem.Kyber.Matrix.fst ---- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 10:44:24 @@ -3,192 +3,188 @@ open Core open FStar.Mul @@ -3724,8 +3765,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + admit(); //P-F v_A_transpose diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 09:24:06 +--- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 10:44:24 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 10:44:26 @@ -3,39 +3,71 @@ open Core open FStar.Mul @@ -3827,8 +3868,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem + if transpose then Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == matrix_A + else Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == Spec.Kyber.matrix_transpose matrix_A) diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyber.Ntt.fst ---- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 09:24:05 +--- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 10:44:24 @@ -1,56 +1,130 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -4758,8 +4799,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + down_cast_poly_b #(8*3328) #3328 re +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 10:44:24 @@ -2,223 +2,80 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -5048,8 +5089,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky + (ensures fun _ -> True) + diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Kem.Kyber.Sampling.fst ---- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 10:44:24 @@ -3,22 +3,34 @@ open Core open FStar.Mul @@ -5650,8 +5691,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + out +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 09:24:05 +--- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 10:44:24 @@ -3,84 +3,37 @@ open Core open FStar.Mul @@ -5761,8 +5802,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.K +// (ensures fun result -> (forall i. v (result.f_coefficients.[i]) >= 0)) + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.Kem.Kyber.Serialize.fst ---- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 10:44:21 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 10:44:24 @@ -1,8 +1,15 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7238,8 +7279,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K +#pop-options + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 09:24:06 +--- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 10:44:24 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 10:44:26 @@ -2,118 +2,188 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7493,8 +7534,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux. + int_t_array_bitwise_eq res 8 coefficients 12 + )) diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.Kyber.Types.fst ---- extraction/Libcrux.Kem.Kyber.Types.fst 2024-03-01 09:24:04 -+++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-01 09:24:05 +--- extraction/Libcrux.Kem.Kyber.Types.fst 2024-03-01 10:44:23 ++++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-01 10:44:25 @@ -50,7 +50,9 @@ let impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : usize = v_SIZE @@ -7529,8 +7570,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.K type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.fst ---- extraction/Libcrux.Kem.Kyber.fst 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.fst 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-01 10:44:24 @@ -1,12 +1,29 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7800,8 +7841,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.f (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber.fsti ---- extraction/Libcrux.Kem.Kyber.fsti 2024-03-01 09:24:03 -+++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-01 09:24:04 +--- extraction/Libcrux.Kem.Kyber.fsti 2024-03-01 10:44:22 ++++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-01 10:44:24 @@ -10,36 +10,84 @@ Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE @@ -7903,7 +7944,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber. + (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst --- extraction/Libcrux.Kem.fst 1970-01-01 01:00:00 -+++ extraction-edited/Libcrux.Kem.fst 2024-03-01 09:24:06 ++++ extraction-edited/Libcrux.Kem.fst 2024-03-01 10:44:26 @@ -0,0 +1,6 @@ +module Libcrux.Kem +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7913,7 +7954,7 @@ diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst + diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_platform.Platform.fsti --- extraction/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 -+++ extraction-edited/Libcrux_platform.Platform.fsti 2024-03-01 09:24:04 ++++ extraction-edited/Libcrux_platform.Platform.fsti 2024-03-01 10:44:24 @@ -0,0 +1,20 @@ +module Libcrux_platform.Platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7937,7 +7978,7 @@ diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_pl +val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst --- extraction/MkSeq.fst 1970-01-01 01:00:00 -+++ extraction-edited/MkSeq.fst 2024-03-01 09:24:06 ++++ extraction-edited/MkSeq.fst 2024-03-01 10:44:26 @@ -0,0 +1,91 @@ +module MkSeq +open Core @@ -8032,7 +8073,7 @@ diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst +%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction/Spec.Kyber.fst extraction-edited/Spec.Kyber.fst --- extraction/Spec.Kyber.fst 1970-01-01 01:00:00 -+++ extraction-edited/Spec.Kyber.fst 2024-03-01 09:24:05 ++++ extraction-edited/Spec.Kyber.fst 2024-03-01 10:44:25 @@ -0,0 +1,433 @@ +module Spec.Kyber +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" diff --git a/proofs/fstar/extraction-secret-independent.patch b/proofs/fstar/extraction-secret-independent.patch index 53df8a230..a02d2405f 100644 --- a/proofs/fstar/extraction-secret-independent.patch +++ b/proofs/fstar/extraction-secret-independent.patch @@ -1,5 +1,5 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq.fst ---- extraction-edited/BitVecEq.fst 2024-03-01 09:24:06 +--- extraction-edited/BitVecEq.fst 2024-03-01 10:44:26 +++ extraction-secret-independent/BitVecEq.fst 1970-01-01 01:00:00 @@ -1,12 +0,0 @@ -module BitVecEq @@ -15,7 +15,7 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq. - - diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq.fsti ---- extraction-edited/BitVecEq.fsti 2024-03-01 09:24:06 +--- extraction-edited/BitVecEq.fsti 2024-03-01 10:44:26 +++ extraction-secret-independent/BitVecEq.fsti 1970-01-01 01:00:00 @@ -1,294 +0,0 @@ -module BitVecEq @@ -313,8 +313,8 @@ diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq - = admit () -*) diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Libcrux.Digest.fsti ---- extraction-edited/Libcrux.Digest.fsti 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Digest.fsti 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Digest.fsti 2024-03-01 10:44:26 ++++ extraction-secret-independent/Libcrux.Digest.fsti 2024-03-01 10:44:28 @@ -1,31 +1,41 @@ module Libcrux.Digest #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -379,8 +379,8 @@ diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Li - (fun _ -> Prims.l_True) +val shake256 (v_LEN: usize) (data: t_Slice u8) : t_Array u8 v_LEN diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 09:24:06 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 10:44:26 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 10:44:28 @@ -1,364 +1,81 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -785,8 +785,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i - - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 10:44:27 @@ -3,32 +3,10 @@ open Core open FStar.Mul @@ -1140,8 +1140,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 10:44:27 @@ -1,79 +1,39 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 0 --z3rlimit 200" @@ -1246,8 +1246,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-ind + (Core.Ops.Arith.Neg.neg fe <: i32) &. + ((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 10:44:25 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 10:44:28 @@ -3,42 +3,44 @@ open Core open FStar.Mul @@ -1319,8 +1319,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-in - (fun result -> v result >= 0 /\ v result < 3329) + : Prims.Pure i32 (requires fe =. 0l || fe =. 1l) (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 09:24:06 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 10:44:27 @@ -4,163 +4,61 @@ open FStar.Mul @@ -1509,8 +1509,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-s -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 09:24:06 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 09:24:09 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 10:44:26 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 10:44:28 @@ -20,26 +20,30 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1554,7 +1554,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction- + result = rhs <: bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst --- extraction-edited/Libcrux.Kem.Kyber.Conversions.fst 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-03-01 09:24:07 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-03-01 10:44:27 @@ -0,0 +1,87 @@ +module Libcrux.Kem.Kyber.Conversions +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1645,8 +1645,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret- + cast (fe +! ((fe >>! 15l <: i32) &. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32)) <: u16 \ No newline at end of file diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 10:44:27 @@ -3,28 +3,18 @@ open Core open FStar.Mul @@ -1714,8 +1714,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secr - out + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 10:44:25 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 10:44:27 @@ -3,17 +3,12 @@ open Core open FStar.Mul @@ -1742,7 +1742,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-sec + : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst --- extraction-edited/Libcrux.Kem.Kyber.Helper.fst 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-03-01 09:24:09 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-03-01 10:44:28 @@ -0,0 +1,6 @@ +module Libcrux.Kem.Kyber.Helper +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1751,8 +1751,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-indep + + diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 10:44:25 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 10:44:28 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2460,8 +2460,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - res - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 09:24:06 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 10:44:26 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 10:44:28 @@ -1,151 +1,80 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2662,8 +2662,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 10:44:25 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 10:44:28 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2712,8 +2712,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-in (sz 3168) (sz 1568) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-01 10:44:26 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-01 10:44:28 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ @@ -2759,8 +2759,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-i Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 09:24:06 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 10:44:26 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 10:44:28 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2809,8 +2809,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-ind (sz 1632) (sz 800) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-01 10:44:27 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ @@ -2856,8 +2856,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-in Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 09:24:06 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 10:44:27 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2906,8 +2906,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-ind (sz 2400) (sz 1184) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 10:44:25 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 10:44:28 @@ -63,33 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ @@ -2956,8 +2956,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-in - (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 10:44:27 @@ -3,418 +3,432 @@ open Core open FStar.Mul @@ -3761,8 +3761,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - admit(); //P-F v_A_transpose diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 09:24:06 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 10:44:26 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 10:44:28 @@ -3,71 +3,39 @@ open Core open FStar.Mul @@ -3864,8 +3864,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-inde + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 10:44:27 @@ -1,130 +1,56 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -4795,8 +4795,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ -#pop-options + re diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 10:44:27 @@ -2,80 +2,224 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -5086,8 +5086,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 10:44:27 @@ -3,34 +3,27 @@ open Core open FStar.Mul @@ -5524,8 +5524,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-ind -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 10:44:27 @@ -3,37 +3,77 @@ open Core open FStar.Mul @@ -5626,8 +5626,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-in + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 10:44:27 @@ -1,15 +1,8 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 0 --z3rlimit 50 --retry 3" @@ -7110,8 +7110,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in -#pop-options - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 09:24:06 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 10:44:26 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 10:44:28 @@ -2,188 +2,118 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7365,8 +7365,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i +val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst ---- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-01 09:24:05 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-03-01 09:24:08 +--- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-01 10:44:25 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-03-01 10:44:28 @@ -3,31 +3,31 @@ open Core open FStar.Mul @@ -7634,8 +7634,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-indepe + (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : t_Array u8 v_PRIVATE_KEY_SIZE = impl_12__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/Libcrux.Kem.Kyber.fst ---- extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-03-01 10:44:27 @@ -1,29 +1,12 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -7914,8 +7914,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/ - + (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent/Libcrux.Kem.Kyber.fsti ---- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-01 09:24:04 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-03-01 09:24:07 +--- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-01 10:44:24 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-03-01 10:44:27 @@ -4,90 +4,37 @@ open FStar.Mul @@ -8024,7 +8024,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-independent/Libcrux_platform.Platform.fsti ---- extraction-edited/Libcrux_platform.Platform.fsti 2024-03-01 09:24:04 +--- extraction-edited/Libcrux_platform.Platform.fsti 2024-03-01 10:44:24 +++ extraction-secret-independent/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 @@ -1,20 +0,0 @@ -module Libcrux_platform.Platform @@ -8049,14 +8049,14 @@ diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-ind -val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.fsti extraction-secret-independent/Libcrux_platform.fsti --- extraction-edited/Libcrux_platform.fsti 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux_platform.fsti 2024-03-01 09:24:08 ++++ extraction-secret-independent/Libcrux_platform.fsti 2024-03-01 10:44:28 @@ -0,0 +1,4 @@ +module Libcrux_platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" + +val simd256_support : unit -> bool diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst ---- extraction-edited/MkSeq.fst 2024-03-01 09:24:06 +--- extraction-edited/MkSeq.fst 2024-03-01 10:44:26 +++ extraction-secret-independent/MkSeq.fst 1970-01-01 01:00:00 @@ -1,91 +0,0 @@ -module MkSeq @@ -8151,7 +8151,7 @@ diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst - -%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction-edited/Spec.Kyber.fst extraction-secret-independent/Spec.Kyber.fst ---- extraction-edited/Spec.Kyber.fst 2024-03-01 09:24:05 +--- extraction-edited/Spec.Kyber.fst 2024-03-01 10:44:25 +++ extraction-secret-independent/Spec.Kyber.fst 1970-01-01 01:00:00 @@ -1,433 +0,0 @@ -module Spec.Kyber diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst index d0e2258fd..c3ffb488d 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst @@ -48,73 +48,94 @@ let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) = let output:t_Array (t_Array u8 (sz 168)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K in - match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState) with - | 2uy, XofState_X2 st -> - let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 168)) (sz 2)) = - Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 168) st - in - let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in - let tmp:t_Array (t_Array u8 (sz 168)) (sz 2) = out in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 0) - (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) - in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 1) - (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) - in - output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) - | 3uy, XofState_X3 st -> - let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 168)) (sz 3)) = - Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 168) st - in - let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in - let tmp:t_Array (t_Array u8 (sz 168)) (sz 3) = out in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 0) - (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) - in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 1) - (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) - in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 2) - (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) - in - output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) - | 4uy, XofState_X4 st -> - let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) (sz 4)) = - Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 168) st - in - let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in - let tmp:t_Array (t_Array u8 (sz 168)) (sz 4) = out in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 0) - (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) - in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 1) - (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) - in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 2) - (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) - in - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 3) - (tmp.[ sz 3 ] <: t_Array u8 (sz 168)) - in - output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) + match cast (v_K <: usize) <: u8 with + | 2uy -> + (match xof_state with + | XofState_X2 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 168)) (sz 2)) = + Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 168) st + in + let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 168)) (sz 2) = out in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) + in + output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) + | 3uy -> + (match xof_state with + | XofState_X3 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 168)) (sz 3)) = + Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 168) st + in + let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 168)) (sz 3) = out in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 2) + (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) + in + output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) + | 4uy -> + (match xof_state with + | XofState_X4 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) (sz 4)) = + Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 168) st + in + let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 168)) (sz 4) = out in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 2) + (tmp.[ sz 2 ] <: t_Array u8 (sz 168)) + in + let output:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 3) + (tmp.[ sz 3 ] <: t_Array u8 (sz 168)) + in + output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" @@ -125,73 +146,94 @@ let v_XOF_squeeze_three_blocks (v_K: usize) (xof_state: t_XofState) = let output:t_Array (t_Array u8 (sz 504)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K in - match (cast (v_K <: usize) <: u8), xof_state <: (u8 & t_XofState) with - | 2uy, XofState_X2 st -> - let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 504)) (sz 2)) = - Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 504) st - in - let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in - let tmp:t_Array (t_Array u8 (sz 504)) (sz 2) = out in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 0) - (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) - in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 1) - (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) - in - output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) - | 3uy, XofState_X3 st -> - let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 504)) (sz 3)) = - Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 504) st - in - let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in - let tmp:t_Array (t_Array u8 (sz 504)) (sz 3) = out in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 0) - (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) - in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 1) - (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) - in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 2) - (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) - in - output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) - | 4uy, XofState_X4 st -> - let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) (sz 4)) = - Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 504) st - in - let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in - let tmp:t_Array (t_Array u8 (sz 504)) (sz 4) = out in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 0) - (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) - in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 1) - (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) - in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 2) - (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) - in - let output:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output - (sz 3) - (tmp.[ sz 3 ] <: t_Array u8 (sz 504)) - in - output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) + match cast (v_K <: usize) <: u8 with + | 2uy -> + (match xof_state with + | XofState_X2 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX2 & t_Array (t_Array u8 (sz 504)) (sz 2)) = + Libcrux.Digest.shake128_squeeze_nblocks_x2 (sz 504) st + in + let st:Libcrux.Digest.t_Shake128StateX2 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 504)) (sz 2) = out in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) + in + output, (XofState_X2 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) + | 3uy -> + (match xof_state with + | XofState_X3 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX3 & t_Array (t_Array u8 (sz 504)) (sz 3)) = + Libcrux.Digest.shake128_squeeze_nblocks_x3 (sz 504) st + in + let st:Libcrux.Digest.t_Shake128StateX3 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 504)) (sz 3) = out in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 2) + (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) + in + output, (XofState_X3 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) + | 4uy -> + (match xof_state with + | XofState_X4 st -> + let tmp0, out:(Libcrux.Digest.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) (sz 4)) = + Libcrux.Digest.shake128_squeeze_nblocks_x4 (sz 504) st + in + let st:Libcrux.Digest.t_Shake128StateX4 = tmp0 in + let tmp:t_Array (t_Array u8 (sz 504)) (sz 4) = out in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 0) + (tmp.[ sz 0 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 1) + (tmp.[ sz 1 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 2) + (tmp.[ sz 2 ] <: t_Array u8 (sz 504)) + in + let output:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize output + (sz 3) + (tmp.[ sz 3 ] <: t_Array u8 (sz 504)) + in + output, (XofState_X4 st <: t_XofState) <: (t_Array (t_Array u8 (sz 504)) v_K & t_XofState) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" From 7fc6a4c6575e66161515515df88827670356082d Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Sat, 2 Mar 2024 13:23:53 +0100 Subject: [PATCH 27/28] updated code to free SHAKE state, avoiding memory leaks in C --- proofs/fstar/extraction-edited.patch | 179 +++++++++++------- .../fstar/extraction-secret-independent.patch | 128 ++++++------- proofs/fstar/extraction/Libcrux.Digest.fsti | 9 + .../Libcrux.Kem.Kyber.Hash_functions.fst | 38 ++++ .../Libcrux.Kem.Kyber.Hash_functions.fsti | 3 + .../extraction/Libcrux.Kem.Kyber.Sampling.fst | 1 + src/digest.rs | 40 ++++ src/hacl/sha3.rs | 33 +++- src/kem/kyber/hash_functions.rs | 28 +++ src/kem/kyber/sampling.rs | 3 +- 10 files changed, 323 insertions(+), 139 deletions(-) diff --git a/proofs/fstar/extraction-edited.patch b/proofs/fstar/extraction-edited.patch index 413abeb8a..4a6897ae5 100644 --- a/proofs/fstar/extraction-edited.patch +++ b/proofs/fstar/extraction-edited.patch @@ -1,6 +1,6 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst --- extraction/BitVecEq.fst 1970-01-01 01:00:00 -+++ extraction-edited/BitVecEq.fst 2024-03-01 10:44:26 ++++ extraction-edited/BitVecEq.fst 2024-03-02 13:23:21 @@ -0,0 +1,12 @@ +module BitVecEq + @@ -16,7 +16,7 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst + diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti --- extraction/BitVecEq.fsti 1970-01-01 01:00:00 -+++ extraction-edited/BitVecEq.fsti 2024-03-01 10:44:26 ++++ extraction-edited/BitVecEq.fsti 2024-03-02 13:23:21 @@ -0,0 +1,294 @@ +module BitVecEq +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -313,9 +313,9 @@ diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti + = admit () +*) diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti ---- extraction/Libcrux.Digest.fsti 2024-03-01 10:44:23 -+++ extraction-edited/Libcrux.Digest.fsti 2024-03-01 10:44:26 -@@ -3,50 +3,29 @@ +--- extraction/Libcrux.Digest.fsti 2024-03-02 13:23:19 ++++ extraction-edited/Libcrux.Digest.fsti 2024-03-02 13:23:21 +@@ -3,59 +3,29 @@ open Core open FStar.Mul @@ -351,6 +351,15 @@ diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti -val shake128_absorb_final_x4 (st: t_Shake128StateX4) (data0 data1 data2 data3: t_Slice u8) - : Prims.Pure t_Shake128StateX4 Prims.l_True (fun _ -> Prims.l_True) - +-val shake128_free_x2 (st: t_Shake128StateX2) +- : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) +- +-val shake128_free_x3 (st: t_Shake128StateX3) +- : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) +- +-val shake128_free_x4 (st: t_Shake128StateX4) +- : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) +- -val shake128_init_x2: Prims.unit - -> Prims.Pure t_Shake128StateX2 Prims.l_True (fun _ -> Prims.l_True) - @@ -379,8 +388,8 @@ diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 10:44:24 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 10:44:26 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-02 13:23:19 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-02 13:23:21 @@ -1,81 +1,364 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -786,8 +795,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + + diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-02 13:23:17 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-02 13:23:19 @@ -3,10 +3,32 @@ open Core open FStar.Mul @@ -1135,8 +1144,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux + + diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Kem.Kyber.Compress.fst ---- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-03-02 13:23:17 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-02 13:23:19 @@ -1,39 +1,79 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1240,8 +1249,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Ke + res <: Libcrux.Kem.Kyber.Arithmetic.i32_b 3328 +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.Kem.Kyber.Compress.fsti ---- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 10:44:23 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 10:44:25 +--- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-02 13:23:21 @@ -3,8 +3,19 @@ open Core open FStar.Mul @@ -1307,8 +1316,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.K + (requires fe =. 0l || fe =. 1l) + (fun result -> v result >= 0 /\ v result < 3329) diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 10:44:21 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-02 13:23:17 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-02 13:23:19 @@ -4,56 +4,163 @@ open FStar.Mul @@ -1494,8 +1503,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + ) +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 10:44:24 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 10:44:26 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-02 13:23:19 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-02 13:23:21 @@ -20,7 +20,8 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1527,8 +1536,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/ + Hax_lib.implies (selector =. 0uy <: bool) (fun _ -> result =. lhs <: bool) && + Hax_lib.implies (selector <>. 0uy <: bool) (fun _ -> result =. rhs <: bool)) diff -ruN extraction/Libcrux.Kem.Kyber.Constants.fsti extraction-edited/Libcrux.Kem.Kyber.Constants.fsti ---- extraction/Libcrux.Kem.Kyber.Constants.fsti 2024-03-01 10:44:23 -+++ extraction-edited/Libcrux.Kem.Kyber.Constants.fsti 2024-03-01 10:44:26 +--- extraction/Libcrux.Kem.Kyber.Constants.fsti 2024-03-02 13:23:19 ++++ extraction-edited/Libcrux.Kem.Kyber.Constants.fsti 2024-03-02 13:23:21 @@ -17,4 +17,6 @@ let v_H_DIGEST_SIZE: usize = sz 32 @@ -1537,9 +1546,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constants.fsti extraction-edited/Libcrux. + let v_SHARED_SECRET_SIZE: usize = sz 32 diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 10:44:24 -@@ -3,239 +3,114 @@ +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-02 13:23:20 +@@ -3,277 +3,114 @@ open Core open FStar.Mul @@ -1596,6 +1605,44 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libc - <: - Rust_primitives.Hax.t_Never) - +-let v_XOF_free (v_K: usize) (xof_state: t_XofState) = +- match cast (v_K <: usize) <: u8 with +- | 2uy -> +- (match xof_state with +- | XofState_X2 st -> +- let _:Prims.unit = Libcrux.Digest.shake128_free_x2 st in +- () +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never)) +- | 3uy -> +- (match xof_state with +- | XofState_X3 st -> +- let _:Prims.unit = Libcrux.Digest.shake128_free_x3 st in +- () +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never)) +- | 4uy -> +- (match xof_state with +- | XofState_X4 st -> +- let _:Prims.unit = Libcrux.Digest.shake128_free_x4 st in +- () +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never)) +- | _ -> +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- +- <: +- Rust_primitives.Hax.t_Never) +- -let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) = - let output:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K @@ -1885,9 +1932,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libc + admit(); // We assume that shake128x4 correctly implements XOFx4 + out diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 10:44:25 -@@ -3,27 +3,17 @@ +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-02 13:23:20 +@@ -3,30 +3,17 @@ open Core open FStar.Mul @@ -1910,6 +1957,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Lib -val v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) - : Prims.Pure t_XofState Prims.l_True (fun _ -> Prims.l_True) - +-val v_XOF_free (v_K: usize) (xof_state: t_XofState) +- : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) +- -val v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) - : Prims.Pure (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) - Prims.l_True @@ -1927,8 +1977,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Lib + (ensures (fun res -> + (forall i. i < v v_K ==> Seq.index res i == Spec.Kyber.v_XOF (sz 840) (Seq.index input i)))) diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 10:44:23 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 10:44:25 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-02 13:23:21 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2632,8 +2682,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem + res + diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 10:44:23 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 10:44:26 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-02 13:23:19 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-02 13:23:21 @@ -1,80 +1,151 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2834,8 +2884,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + + diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 10:44:23 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 10:44:25 +--- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-02 13:23:20 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) @@ -2869,8 +2919,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.K (sz 3168) (sz 1568) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 10:44:23 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 10:44:26 +--- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-02 13:23:19 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-02 13:23:21 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) @@ -2904,8 +2954,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Ke (sz 1632) (sz 800) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 10:44:21 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-02 13:23:17 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-02 13:23:19 @@ -7,19 +7,19 @@ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) @@ -2939,8 +2989,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Ke (sz 2400) (sz 1184) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 10:44:25 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-02 13:23:20 @@ -74,14 +74,15 @@ val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) @@ -2966,8 +3016,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.K - (fun _ -> Prims.l_True) + (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem.Kyber.Matrix.fst ---- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-02 13:23:20 @@ -3,192 +3,188 @@ open Core open FStar.Mul @@ -3765,8 +3815,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + admit(); //P-F v_A_transpose diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 10:44:24 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 10:44:26 +--- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-02 13:23:19 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-02 13:23:21 @@ -3,39 +3,71 @@ open Core open FStar.Mul @@ -3868,8 +3918,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem + if transpose then Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == matrix_A + else Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == Spec.Kyber.matrix_transpose matrix_A) diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyber.Ntt.fst ---- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-02 13:23:20 @@ -1,56 +1,130 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -4799,8 +4849,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + down_cast_poly_b #(8*3328) #3328 re +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-02 13:23:20 @@ -2,223 +2,80 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -5089,8 +5139,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky + (ensures fun _ -> True) + diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Kem.Kyber.Sampling.fst ---- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-02 13:23:20 @@ -3,22 +3,34 @@ open Core open FStar.Mul @@ -5349,7 +5399,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke match cast (v_ETA <: usize) <: u32 with | 2ul -> sample_from_binomial_distribution_2_ randomness | 3ul -> sample_from_binomial_distribution_3_ randomness -@@ -153,225 +220,131 @@ +@@ -153,226 +220,131 @@ <: Rust_primitives.Hax.t_Never) @@ -5686,13 +5736,14 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke - t_Array usize v_K & - Libcrux.Kem.Kyber.Hash_functions.t_XofState)) - in +- let _:Prims.unit = Libcrux.Kem.Kyber.Hash_functions.v_XOF_free v_K xof_state in let _:Prims.unit = () <: Prims.unit in - out + out +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-02 13:23:20 @@ -3,84 +3,37 @@ open Core open FStar.Mul @@ -5802,8 +5853,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.K +// (ensures fun result -> (forall i. v (result.f_coefficients.[i]) >= 0)) + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.Kem.Kyber.Serialize.fst ---- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 10:44:21 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-03-02 13:23:17 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-02 13:23:19 @@ -1,8 +1,15 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7279,8 +7330,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K +#pop-options + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 10:44:24 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 10:44:26 +--- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-02 13:23:19 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-02 13:23:21 @@ -2,118 +2,188 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7534,8 +7585,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux. + int_t_array_bitwise_eq res 8 coefficients 12 + )) diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.Kyber.Types.fst ---- extraction/Libcrux.Kem.Kyber.Types.fst 2024-03-01 10:44:23 -+++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-01 10:44:25 +--- extraction/Libcrux.Kem.Kyber.Types.fst 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-02 13:23:20 @@ -50,7 +50,9 @@ let impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : usize = v_SIZE @@ -7570,8 +7621,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.K type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.fst ---- extraction/Libcrux.Kem.Kyber.fst 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.fst 2024-03-02 13:23:17 ++++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-02 13:23:19 @@ -1,12 +1,29 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7841,8 +7892,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.f (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber.fsti ---- extraction/Libcrux.Kem.Kyber.fsti 2024-03-01 10:44:22 -+++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-01 10:44:24 +--- extraction/Libcrux.Kem.Kyber.fsti 2024-03-02 13:23:18 ++++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-02 13:23:20 @@ -10,36 +10,84 @@ Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE @@ -7944,7 +7995,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber. + (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst --- extraction/Libcrux.Kem.fst 1970-01-01 01:00:00 -+++ extraction-edited/Libcrux.Kem.fst 2024-03-01 10:44:26 ++++ extraction-edited/Libcrux.Kem.fst 2024-03-02 13:23:21 @@ -0,0 +1,6 @@ +module Libcrux.Kem +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7954,7 +8005,7 @@ diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst + diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_platform.Platform.fsti --- extraction/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 -+++ extraction-edited/Libcrux_platform.Platform.fsti 2024-03-01 10:44:24 ++++ extraction-edited/Libcrux_platform.Platform.fsti 2024-03-02 13:23:19 @@ -0,0 +1,20 @@ +module Libcrux_platform.Platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -7978,7 +8029,7 @@ diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_pl +val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst --- extraction/MkSeq.fst 1970-01-01 01:00:00 -+++ extraction-edited/MkSeq.fst 2024-03-01 10:44:26 ++++ extraction-edited/MkSeq.fst 2024-03-02 13:23:21 @@ -0,0 +1,91 @@ +module MkSeq +open Core @@ -8073,7 +8124,7 @@ diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst +%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction/Spec.Kyber.fst extraction-edited/Spec.Kyber.fst --- extraction/Spec.Kyber.fst 1970-01-01 01:00:00 -+++ extraction-edited/Spec.Kyber.fst 2024-03-01 10:44:25 ++++ extraction-edited/Spec.Kyber.fst 2024-03-02 13:23:20 @@ -0,0 +1,433 @@ +module Spec.Kyber +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" diff --git a/proofs/fstar/extraction-secret-independent.patch b/proofs/fstar/extraction-secret-independent.patch index a02d2405f..2bacc3c28 100644 --- a/proofs/fstar/extraction-secret-independent.patch +++ b/proofs/fstar/extraction-secret-independent.patch @@ -1,5 +1,5 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq.fst ---- extraction-edited/BitVecEq.fst 2024-03-01 10:44:26 +--- extraction-edited/BitVecEq.fst 2024-03-02 13:23:21 +++ extraction-secret-independent/BitVecEq.fst 1970-01-01 01:00:00 @@ -1,12 +0,0 @@ -module BitVecEq @@ -15,7 +15,7 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq. - - diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq.fsti ---- extraction-edited/BitVecEq.fsti 2024-03-01 10:44:26 +--- extraction-edited/BitVecEq.fsti 2024-03-02 13:23:21 +++ extraction-secret-independent/BitVecEq.fsti 1970-01-01 01:00:00 @@ -1,294 +0,0 @@ -module BitVecEq @@ -313,8 +313,8 @@ diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq - = admit () -*) diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Libcrux.Digest.fsti ---- extraction-edited/Libcrux.Digest.fsti 2024-03-01 10:44:26 -+++ extraction-secret-independent/Libcrux.Digest.fsti 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Digest.fsti 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Digest.fsti 2024-03-02 13:23:23 @@ -1,31 +1,41 @@ module Libcrux.Digest #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -379,8 +379,8 @@ diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Li - (fun _ -> Prims.l_True) +val shake256 (v_LEN: usize) (data: t_Slice u8) : t_Array u8 v_LEN diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 10:44:26 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-03-02 13:23:24 @@ -1,364 +1,81 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -785,8 +785,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i - - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-02 13:23:19 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-03-02 13:23:22 @@ -3,32 +3,10 @@ open Core open FStar.Mul @@ -1140,8 +1140,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-03-02 13:23:19 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-03-02 13:23:22 @@ -1,79 +1,39 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 0 --z3rlimit 200" @@ -1246,8 +1246,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-ind + (Core.Ops.Arith.Neg.neg fe <: i32) &. + ((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 10:44:25 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-03-02 13:23:23 @@ -3,42 +3,44 @@ open Core open FStar.Mul @@ -1319,8 +1319,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-in - (fun result -> v result >= 0 /\ v result < 3329) + : Prims.Pure i32 (requires fe =. 0l || fe =. 1l) (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-02 13:23:19 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-03-02 13:23:21 @@ -4,163 +4,61 @@ open FStar.Mul @@ -1509,8 +1509,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-s -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 10:44:26 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-03-02 13:23:24 @@ -20,26 +20,30 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1554,7 +1554,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction- + result = rhs <: bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst --- extraction-edited/Libcrux.Kem.Kyber.Conversions.fst 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-03-01 10:44:27 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-03-02 13:23:22 @@ -0,0 +1,87 @@ +module Libcrux.Kem.Kyber.Conversions +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1645,8 +1645,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret- + cast (fe +! ((fe >>! 15l <: i32) &. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32)) <: u16 \ No newline at end of file diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-03-02 13:23:22 @@ -3,28 +3,18 @@ open Core open FStar.Mul @@ -1714,8 +1714,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secr - out + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 10:44:25 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-03-02 13:23:23 @@ -3,17 +3,12 @@ open Core open FStar.Mul @@ -1742,7 +1742,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-sec + : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst --- extraction-edited/Libcrux.Kem.Kyber.Helper.fst 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-03-01 10:44:28 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-03-02 13:23:24 @@ -0,0 +1,6 @@ +module Libcrux.Kem.Kyber.Helper +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -1751,8 +1751,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-indep + + diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 10:44:25 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-03-02 13:23:23 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2460,8 +2460,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - res - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 10:44:26 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-03-02 13:23:24 @@ -1,151 +1,80 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -2662,8 +2662,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 10:44:25 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-03-02 13:23:23 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2712,8 +2712,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-in (sz 3168) (sz 1568) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-01 10:44:26 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-03-02 13:23:23 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ @@ -2759,8 +2759,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-i Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 10:44:26 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-03-02 13:23:23 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2809,8 +2809,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-ind (sz 1632) (sz 800) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-03-02 13:23:23 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ @@ -2856,8 +2856,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-in Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-02 13:23:19 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-03-02 13:23:21 @@ -3,37 +3,22 @@ open Core open FStar.Mul @@ -2906,8 +2906,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-ind (sz 2400) (sz 1184) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 10:44:25 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-03-02 13:23:23 @@ -63,33 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ @@ -2956,8 +2956,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-in - (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-03-02 13:23:22 @@ -3,418 +3,432 @@ open Core open FStar.Mul @@ -3761,8 +3761,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - admit(); //P-F v_A_transpose diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 10:44:26 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-03-02 13:23:24 @@ -3,71 +3,39 @@ open Core open FStar.Mul @@ -3864,8 +3864,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-inde + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-03-02 13:23:23 @@ -1,130 +1,56 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -4795,8 +4795,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ -#pop-options + re diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-03-02 13:23:22 @@ -2,80 +2,224 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -5086,8 +5086,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-03-02 13:23:22 @@ -3,34 +3,27 @@ open Core open FStar.Mul @@ -5524,8 +5524,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-ind -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-03-02 13:23:23 @@ -3,37 +3,77 @@ open Core open FStar.Mul @@ -5626,8 +5626,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-in + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-03-02 13:23:19 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-03-02 13:23:22 @@ -1,15 +1,8 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 0 --z3rlimit 50 --retry 3" @@ -7110,8 +7110,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in -#pop-options - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 10:44:26 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-02 13:23:21 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-03-02 13:23:24 @@ -2,188 +2,118 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -7365,8 +7365,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i +val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst ---- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-01 10:44:25 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-03-01 10:44:28 +--- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-03-02 13:23:23 @@ -3,31 +3,31 @@ open Core open FStar.Mul @@ -7634,8 +7634,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-indepe + (self: t_KyberKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : t_Array u8 v_PRIVATE_KEY_SIZE = impl_12__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/Libcrux.Kem.Kyber.fst ---- extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.fst 2024-03-02 13:23:19 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-03-02 13:23:22 @@ -1,29 +1,12 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -7914,8 +7914,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/ - + (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent/Libcrux.Kem.Kyber.fsti ---- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-01 10:44:24 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-03-01 10:44:27 +--- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-03-02 13:23:20 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-03-02 13:23:22 @@ -4,90 +4,37 @@ open FStar.Mul @@ -8024,7 +8024,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-independent/Libcrux_platform.Platform.fsti ---- extraction-edited/Libcrux_platform.Platform.fsti 2024-03-01 10:44:24 +--- extraction-edited/Libcrux_platform.Platform.fsti 2024-03-02 13:23:19 +++ extraction-secret-independent/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00 @@ -1,20 +0,0 @@ -module Libcrux_platform.Platform @@ -8049,14 +8049,14 @@ diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-ind -val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux_platform.fsti extraction-secret-independent/Libcrux_platform.fsti --- extraction-edited/Libcrux_platform.fsti 1970-01-01 01:00:00 -+++ extraction-secret-independent/Libcrux_platform.fsti 2024-03-01 10:44:28 ++++ extraction-secret-independent/Libcrux_platform.fsti 2024-03-02 13:23:24 @@ -0,0 +1,4 @@ +module Libcrux_platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" + +val simd256_support : unit -> bool diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst ---- extraction-edited/MkSeq.fst 2024-03-01 10:44:26 +--- extraction-edited/MkSeq.fst 2024-03-02 13:23:21 +++ extraction-secret-independent/MkSeq.fst 1970-01-01 01:00:00 @@ -1,91 +0,0 @@ -module MkSeq @@ -8151,7 +8151,7 @@ diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst - -%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction-edited/Spec.Kyber.fst extraction-secret-independent/Spec.Kyber.fst ---- extraction-edited/Spec.Kyber.fst 2024-03-01 10:44:25 +--- extraction-edited/Spec.Kyber.fst 2024-03-02 13:23:20 +++ extraction-secret-independent/Spec.Kyber.fst 1970-01-01 01:00:00 @@ -1,433 +0,0 @@ -module Spec.Kyber diff --git a/proofs/fstar/extraction/Libcrux.Digest.fsti b/proofs/fstar/extraction/Libcrux.Digest.fsti index 4997246d1..630299a6b 100644 --- a/proofs/fstar/extraction/Libcrux.Digest.fsti +++ b/proofs/fstar/extraction/Libcrux.Digest.fsti @@ -27,6 +27,15 @@ val shake128_absorb_final_x3 (st: t_Shake128StateX3) (data0 data1 data2: t_Slice val shake128_absorb_final_x4 (st: t_Shake128StateX4) (data0 data1 data2 data3: t_Slice u8) : Prims.Pure t_Shake128StateX4 Prims.l_True (fun _ -> Prims.l_True) +val shake128_free_x2 (st: t_Shake128StateX2) + : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) + +val shake128_free_x3 (st: t_Shake128StateX3) + : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) + +val shake128_free_x4 (st: t_Shake128StateX4) + : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) + val shake128_init_x2: Prims.unit -> Prims.Pure t_Shake128StateX2 Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst index c3ffb488d..02169aa78 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fst @@ -44,6 +44,44 @@ let v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = <: Rust_primitives.Hax.t_Never) +let v_XOF_free (v_K: usize) (xof_state: t_XofState) = + match cast (v_K <: usize) <: u8 with + | 2uy -> + (match xof_state with + | XofState_X2 st -> + let _:Prims.unit = Libcrux.Digest.shake128_free_x2 st in + () + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) + | 3uy -> + (match xof_state with + | XofState_X3 st -> + let _:Prims.unit = Libcrux.Digest.shake128_free_x3 st in + () + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) + | 4uy -> + (match xof_state with + | XofState_X4 st -> + let _:Prims.unit = Libcrux.Digest.shake128_free_x4 st in + () + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + let v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) = let output:t_Array (t_Array u8 (sz 168)) v_K = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti index d6e7723ea..cb20edea9 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Hash_functions.fsti @@ -18,6 +18,9 @@ type t_XofState = val v_XOF_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_XofState Prims.l_True (fun _ -> Prims.l_True) +val v_XOF_free (v_K: usize) (xof_state: t_XofState) + : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) + val v_XOF_squeeze_block (v_K: usize) (xof_state: t_XofState) : Prims.Pure (t_Array (t_Array u8 (sz 168)) v_K & t_XofState) Prims.l_True diff --git a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst index bbaecad87..5b21e619d 100644 --- a/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst +++ b/proofs/fstar/extraction/Libcrux.Kem.Kyber.Sampling.fst @@ -373,5 +373,6 @@ let sample_from_xof (v_K: usize) (seeds: t_Array (t_Array u8 (sz 34)) v_K) = t_Array usize v_K & Libcrux.Kem.Kyber.Hash_functions.t_XofState)) in + let _:Prims.unit = Libcrux.Kem.Kyber.Hash_functions.v_XOF_free v_K xof_state in let _:Prims.unit = () <: Prims.unit in out diff --git a/src/digest.rs b/src/digest.rs index 324498574..ddb2094e3 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -386,6 +386,10 @@ pub fn shake128_squeeze_nblocks( st.0.squeeze_nblocks() } +pub fn shake128_free(mut st:Shake128State) { + st.0.free() +} + /// SHAKE 128 Incremental API (SIMD) #[cfg(simd256)] #[cfg_attr(hax, hax_lib_macros::opaque_type)] @@ -410,6 +414,19 @@ pub fn shake128_init_x4() -> Shake128StateX4 { ]) } +#[cfg(simd256)] +pub fn shake128_free_x4(mut st:Shake128StateX4) { + st.0.free() +} + +#[cfg(not(simd256))] +pub fn shake128_free_x4(mut st:Shake128StateX4) { + st.0[0].free(); + st.0[1].free(); + st.0[2].free(); + st.0[3].free(); +} + #[cfg(simd256)] pub fn shake128_absorb_nblocks_x4( st: &mut Shake128StateX4, @@ -500,6 +517,17 @@ pub fn shake128_init_x2() -> Shake128StateX2 { ]) } +#[cfg(simd256)] +pub fn shake128_free_x2(mut st:Shake128StateX2) { + st.0.free() +} + +#[cfg(not(simd256))] +pub fn shake128_free_x2(mut st:Shake128StateX2) { + st.0[0].free(); + st.0[1].free(); +} + #[cfg(simd256)] pub fn shake128_absorb_nblocks_x2(st: &mut Shake128StateX2, data0: &[u8], data1: &[u8]) { st.0.absorb_nblocks(data0, data1, data0, data1); @@ -565,6 +593,18 @@ pub fn shake128_init_x3() -> Shake128StateX3 { ]) } +#[cfg(simd256)] +pub fn shake128_free_x3(mut st:Shake128StateX3) { + st.0.free() +} + +#[cfg(not(simd256))] +pub fn shake128_free_x3(mut st:Shake128StateX3) { + st.0[0].free(); + st.0[1].free(); + st.0[2].free(); +} + #[cfg(simd256)] pub fn shake128_absorb_nblocks_x3( st: &mut Shake128StateX3, diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index d911d96db..94f9b4e50 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -255,6 +255,10 @@ pub mod incremental { state } + pub fn free(&mut self) { + unsafe { Hacl_Hash_SHA3_Scalar_state_free(self.state) } + } + pub fn absorb_nblocks(&mut self, input: &[u8]) { unsafe { Hacl_Hash_SHA3_Scalar_shake128_absorb_nblocks( @@ -287,12 +291,15 @@ pub mod incremental { output } + } - impl Drop for Shake128State { - fn drop(&mut self) { - unsafe { Hacl_Hash_SHA3_Scalar_state_free(self.state) } - } - } + + // For now, we are explicitly using "free" to work around a memory leak in the generated C code + // impl Drop for Shake128State { + // fn drop(&mut self) { + // unsafe { Hacl_Hash_SHA3_Scalar_state_free(self.state) } + // } + // } } #[cfg(simd256)] @@ -321,6 +328,10 @@ pub mod incremental_x4 { state } + pub fn free(&mut self) { + unsafe { Hacl_Hash_SHA3_Simd256_state_free(self.state) } + } + pub fn absorb_nblocks( &mut self, input0: &[u8], @@ -383,9 +394,11 @@ pub mod incremental_x4 { output } } - impl Drop for Shake128StateX4 { - fn drop(&mut self) { - unsafe { Hacl_Hash_SHA3_Simd256_state_free(self.state) } - } - } + + // For now, we are explicitly using "free" to work around a memory leak in the generated C code + // impl Drop for Shake128StateX4 { + // fn drop(&mut self) { + // unsafe { Hacl_Hash_SHA3_Simd256_state_free(self.state) } + // } + // } } diff --git a/src/kem/kyber/hash_functions.rs b/src/kem/kyber/hash_functions.rs index a83e20c20..ae173440f 100644 --- a/src/kem/kyber/hash_functions.rs +++ b/src/kem/kyber/hash_functions.rs @@ -131,3 +131,31 @@ pub(crate) fn XOF_squeeze_block(xof_state: XofState) -> ([[u8; 1 _ => unreachable!(), } } + +#[inline(always)] +pub(crate) fn XOF_free(xof_state: XofState) { + match K as u8 { + 2 => { + if let XofState::X2(st) = xof_state { + digest::shake128_free_x2(st); + } else { + unreachable!() + } + } + 3 => { + if let XofState::X3(st) = xof_state { + digest::shake128_free_x3(st); + } else { + unreachable!() + } + } + 4 => { + if let XofState::X4(st) = xof_state { + digest::shake128_free_x4(st); + } else { + unreachable!() + } + } + _ => unreachable!(), + } +} diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs index 59e3bc8c1..3a26be401 100644 --- a/src/kem/kyber/sampling.rs +++ b/src/kem/kyber/sampling.rs @@ -1,7 +1,7 @@ use super::{ arithmetic::{FieldElement, PolynomialRingElement}, constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS}, - hash_functions::{XOF_absorb, XOF_squeeze_block, XOF_squeeze_three_blocks}, + hash_functions::{XOF_absorb, XOF_squeeze_block, XOF_squeeze_three_blocks, XOF_free}, }; use crate::cloop; use crate::hax_utils::hax_debug_assert; @@ -95,6 +95,7 @@ pub fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingE done = sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); } + XOF_free::(xof_state); hax_debug_assert!(out[0] .coefficients From 19bf8ae1778dba790b58e930a38fde2378bf9327 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Sat, 2 Mar 2024 16:42:14 +0100 Subject: [PATCH 28/28] rust format --- src/digest.rs | 14 +++++++------- src/hacl/sha3.rs | 3 +-- src/kem/kyber/sampling.rs | 2 +- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/src/digest.rs b/src/digest.rs index ddb2094e3..e4bbe7954 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -386,7 +386,7 @@ pub fn shake128_squeeze_nblocks( st.0.squeeze_nblocks() } -pub fn shake128_free(mut st:Shake128State) { +pub fn shake128_free(mut st: Shake128State) { st.0.free() } @@ -415,12 +415,12 @@ pub fn shake128_init_x4() -> Shake128StateX4 { } #[cfg(simd256)] -pub fn shake128_free_x4(mut st:Shake128StateX4) { +pub fn shake128_free_x4(mut st: Shake128StateX4) { st.0.free() } #[cfg(not(simd256))] -pub fn shake128_free_x4(mut st:Shake128StateX4) { +pub fn shake128_free_x4(mut st: Shake128StateX4) { st.0[0].free(); st.0[1].free(); st.0[2].free(); @@ -518,12 +518,12 @@ pub fn shake128_init_x2() -> Shake128StateX2 { } #[cfg(simd256)] -pub fn shake128_free_x2(mut st:Shake128StateX2) { +pub fn shake128_free_x2(mut st: Shake128StateX2) { st.0.free() } #[cfg(not(simd256))] -pub fn shake128_free_x2(mut st:Shake128StateX2) { +pub fn shake128_free_x2(mut st: Shake128StateX2) { st.0[0].free(); st.0[1].free(); } @@ -594,12 +594,12 @@ pub fn shake128_init_x3() -> Shake128StateX3 { } #[cfg(simd256)] -pub fn shake128_free_x3(mut st:Shake128StateX3) { +pub fn shake128_free_x3(mut st: Shake128StateX3) { st.0.free() } #[cfg(not(simd256))] -pub fn shake128_free_x3(mut st:Shake128StateX3) { +pub fn shake128_free_x3(mut st: Shake128StateX3) { st.0[0].free(); st.0[1].free(); st.0[2].free(); diff --git a/src/hacl/sha3.rs b/src/hacl/sha3.rs index 94f9b4e50..6f8c57f21 100644 --- a/src/hacl/sha3.rs +++ b/src/hacl/sha3.rs @@ -291,7 +291,6 @@ pub mod incremental { output } - } // For now, we are explicitly using "free" to work around a memory leak in the generated C code @@ -394,7 +393,7 @@ pub mod incremental_x4 { output } } - + // For now, we are explicitly using "free" to work around a memory leak in the generated C code // impl Drop for Shake128StateX4 { // fn drop(&mut self) { diff --git a/src/kem/kyber/sampling.rs b/src/kem/kyber/sampling.rs index 3a26be401..5fb050e18 100644 --- a/src/kem/kyber/sampling.rs +++ b/src/kem/kyber/sampling.rs @@ -1,7 +1,7 @@ use super::{ arithmetic::{FieldElement, PolynomialRingElement}, constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS}, - hash_functions::{XOF_absorb, XOF_squeeze_block, XOF_squeeze_three_blocks, XOF_free}, + hash_functions::{XOF_absorb, XOF_free, XOF_squeeze_block, XOF_squeeze_three_blocks}, }; use crate::cloop; use crate::hax_utils::hax_debug_assert;