diff --git a/bench/Makefile b/bench/Makefile
index 23670396..f116a6a7 100644
--- a/bench/Makefile
+++ b/bench/Makefile
@@ -1,8 +1,8 @@
 # TODO: cleanup / improve depen. / generic
 # --------------------------------------------------------------------
-CC= clang-14
-CFLAGS= -march=native -O3 -fomit-frame-pointer -fwrapv -Qunused-arguments -fPIC -fPIE
+CC ?= clang-14
+CFLAGS ?= -march=native -O3 -fomit-frame-pointer -fwrapv -Qunused-arguments -fPIC -fPIE
 BIN ?= bin
 TARGETS ?= \
diff --git a/bench/src/jasmin/avx2/Makefile b/bench/src/jasmin/avx2/Makefile
index 8d7abf28..c8d25f1c 100644
--- a/bench/src/jasmin/avx2/Makefile
+++ b/bench/src/jasmin/avx2/Makefile
@@ -1,11 +1,14 @@
 .PHONY: libkyber768_avx2.a clean distclean
+# pick the compiler from the submodule
+JASMINC ?= ../../../../jasmin/compiler/jasminc
+
 libkyber768_avx2.a:
 $(CC) $(CFLAGS) -c jkem.s
 $(AR) -r $@ jkem.o
 jkem.s: jkem.jazz
- jasminc -nowarning -lea $< -o $@
+ $(JASMINC) -nowarning -lea $< -o $@
 clean:
 rm -f *.o *.a
diff --git a/bench/src/jasmin/avx2/jkem.jazz b/bench/src/jasmin/avx2/jkem.jazz
index 348587c5..90ff4792 100644
--- a/bench/src/jasmin/avx2/jkem.jazz
+++ b/bench/src/jasmin/avx2/jkem.jazz
@@ -1 +1 @@
-require "../../../../code/jasmin/avx2/jkem.jazz"
+require "../../../../code/jasmin/mlkem_avx2/jkem.jazz"
diff --git a/bench/src/pqclean/avx2/Makefile b/bench/src/pqclean/avx2/Makefile
index 20296d54..1d1f9c2f 100644
--- a/bench/src/pqclean/avx2/Makefile
+++ b/bench/src/pqclean/avx2/Makefile
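Review bot: `CFLAGS ?=` lets a CFLAGS coming from the environment or the make command line replace the whole default flag set rather than extend it, so a caller that exports a plain `CFLAGS=-O2` silently drops `-fwrapv` and `-fPIC -fPIE` here and, in the sub-Makefiles changed the same way (bench/src/pqclean/avx2, bench/src/pqclean/clean, bench/src/randombytes), also the `-I../../randombytes` include path those builds need. If the top-level Makefile recurses with `$(MAKE)` and CFLAGS arrives on its command line, make passes it down and overrides the sub-Makefile defaults as well; whether it recurses is not visible in this hunk, and the `TARGETS ?= \` continuation runs past it. The sub-Makefiles already append `$(EXTRAFLAGS)` as an extension point, so the intended way to add flags should be stated next to the new line, e.g. `# CC/CFLAGS can be overridden from the environment; to add flags use EXTRAFLAGS, since overriding CFLAGS replaces the full set (-fwrapv, -fPIE, include paths) instead of extending it`.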
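Review bot: The new `JASMINC ?=` default feeds the rule `jkem.s: jkem.jazz`, which still lists only the one-line local wrapper as a prerequisite, while the wrapper's whole content is the `require "../../../../code/jasmin/mlkem_avx2/jkem.jazz"` that this commit repoints; edits to that required file therefore never trigger regeneration of jkem.s, and because `libkyber768_avx2.a` is `.PHONY` the archive is rebuilt from a stale jkem.s without any error. Adding the required file as a prerequisite, `jkem.s: jkem.jazz ../../../../code/jasmin/mlkem_avx2/jkem.jazz`, covers the direct case (files that file itself requires would still be untracked). The comment on the new variable says where the compiler comes from but not what a reader must do for the default path to exist; `# pick the compiler from the submodule (presumably built first, or override with JASMINC=/path/to/jasminc)` would make that explicit.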
@@ -7,8 +7,8 @@ KECCAK4XDIR=./keccak4x
 KECCAK4XOBJ=KeccakP-1600-times4-SIMD256.o
 KECCAK4X=$(KECCAK4XDIR)/$(KECCAK4XOBJ)
-CC = clang-14
-CFLAGS = -march=native -O3 -fomit-frame-pointer -fwrapv -Qunused-arguments -fPIC -fPIE -I../../randombytes $(EXTRAFLAGS)
+CC ?= clang-14
+CFLAGS ?= -march=native -O3 -fomit-frame-pointer -fwrapv -Qunused-arguments -fPIC -fPIE -I../../randombytes $(EXTRAFLAGS)
 #CFLAGS=-mavx2 -mbmi2 -mpopcnt -O3 -Wall -Wextra -Wpedantic -Werror \
 # -Wmissing-prototypes -Wredundant-decls \
 # -Wpointer-arith -Wshadow \
diff --git a/bench/src/pqclean/clean/Makefile b/bench/src/pqclean/clean/Makefile
index 720ace68..fbfbe57a 100644
--- a/bench/src/pqclean/clean/Makefile
+++ b/bench/src/pqclean/clean/Makefile
@@ -4,8 +4,8 @@ LIB=libkyber768_clean.a
 HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h fips202.h
 OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-shake.o verify.o fips202.o
-CC=clang-14
-CFLAGS=-march=native -O3 -fomit-frame-pointer -fwrapv -Qunused-arguments -fPIC -fPIE -I../../randombytes $(EXTRAFLAGS)
+CC ?= clang-14
+CFLAGS ?= -march=native -O3 -fomit-frame-pointer -fwrapv -Qunused-arguments -fPIC -fPIE -I../../randombytes $(EXTRAFLAGS)
 #CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../randombytes $(EXTRAFLAGS)
 all: $(LIB)
diff --git a/bench/src/randombytes/Makefile b/bench/src/randombytes/Makefile
index 72fee8f9..75210bdc 100644
--- a/bench/src/randombytes/Makefile
+++ b/bench/src/randombytes/Makefile
@@ -1,5 +1,5 @@
-CC = clang-14
-CFLAGS = -march=native -O3 -fomit-frame-pointer -fwrapv -Qunused-arguments -fPIC -fPIE
+CC ?= clang-14
+CFLAGS ?= -march=native -O3 -fomit-frame-pointer -fwrapv -Qunused-arguments -fPIC -fPIE
 default: librandombytes1.a
diff --git a/code/jasmin/mlkem_avx2/extraction/Array2144.ec b/code/jasmin/mlkem_avx2/extraction/Array2144.ec
new file mode 100644
index 00000000..278a63b6
--- /dev/null
+++ b/code/jasmin/mlkem_avx2/extraction/Array2144.ec
@@ -0,0 +1,3 @@
+from Jasmin require import JArray.
+
+clone export PolyArray as Array2144 with op size <- 2144.
diff --git a/code/jasmin/mlkem_avx2/extraction/WArray2144.ec b/code/jasmin/mlkem_avx2/extraction/WArray2144.ec
new file mode 100644
index 00000000..3bfa2e0d
--- /dev/null
+++ b/code/jasmin/mlkem_avx2/extraction/WArray2144.ec
@@ -0,0 +1,3 @@
+from Jasmin require import JWord_array.
+
+clone export WArray as WArray2144 with op size <- 2144.
diff --git a/code/jasmin/mlkem_avx2/extraction/jkem_avx2.ec b/code/jasmin/mlkem_avx2/extraction/jkem_avx2.ec
index 01ce12ca..dafb5514 100644
--- a/code/jasmin/mlkem_avx2/extraction/jkem_avx2.ec
+++ b/code/jasmin/mlkem_avx2/extraction/jkem_avx2.ec
@@ -1,1116 +1,1339 @@ require import AllCore IntDiv CoreMap List Distr. -from Jasmin require import JModel_x86. -import SLH64. - - -require import Array1 Array4 Array5 Array6 Array7 Array8 Array9 Array16 - Array24 Array25 Array32 Array33 Array64 Array128 Array136 - Array256 Array400 Array536 Array768 Array960 Array1024 - Array1088 Array2048 Array2144 Array2304. -require import WArray8 WArray16 WArray32 WArray33 WArray40 WArray64 WArray128 - WArray136 WArray160 WArray192 WArray200 WArray224 WArray256 - WArray288 WArray512 WArray536 WArray768 WArray800 WArray960 - WArray1088 WArray1536 WArray2048 WArray2144 WArray4608. - -abbrev gen_matrix_indexes = Array16.of_list witness [W16.of_int 0; -W16.of_int 1; W16.of_int 2; W16.of_int 256; W16.of_int 257; W16.of_int 258; -W16.of_int 512; W16.of_int 513; W16.of_int 0; W16.of_int 256; W16.of_int 512; -W16.of_int 1; W16.of_int 257; W16.of_int 513; W16.of_int 2; W16.of_int 258]. - - -abbrev rATE_BIT_x4 = Array1.of_list witness [W256.of_int (-57896044618658097708646941636650613544546956437755979579936703605971808681984)]. 
- - -abbrev sample_shuffle_table = Array2048.of_list witness [W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 4; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 6; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 6; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 6; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 4; -W8.of_int 6; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 6; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int (-1); 
W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 8; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 8; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 8; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 8; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 4; W8.of_int 8; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 4; W8.of_int 8; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 8; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 8; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 6; -W8.of_int 8; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 8; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int 8; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 6; W8.of_int 8; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 6; W8.of_int 8; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 6; W8.of_int 8; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; -W8.of_int 6; W8.of_int 8; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 10; 
W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 10; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 4; -W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 10; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 6; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 6; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 6; -W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 4; W8.of_int 6; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 6; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 10; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 8; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); 
W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 8; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 8; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 8; -W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 4; W8.of_int 8; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 8; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 8; W8.of_int 10; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 8; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 6; -W8.of_int 8; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; -W8.of_int 10; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int (-1); W8.of_int (-1); W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 12; 
W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 4; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 4; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 6; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int 12; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 6; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 6; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 6; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 4; W8.of_int 6; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; -W8.of_int 6; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 8; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 8; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int 
(-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 8; W8.of_int 12; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 8; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 8; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 8; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 4; W8.of_int 8; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; -W8.of_int 8; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 6; W8.of_int 8; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 6; -W8.of_int 8; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int 8; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 6; W8.of_int 8; W8.of_int 12; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 6; W8.of_int 8; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; -W8.of_int 6; W8.of_int 8; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 6; -W8.of_int 8; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int 10; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 10; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 10; W8.of_int 12; W8.of_int (-1); 
-W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 10; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 10; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 4; W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; -W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 6; W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 6; -W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int 10; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 6; W8.of_int 10; W8.of_int 12; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 6; W8.of_int 10; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 4; W8.of_int 6; W8.of_int 10; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; -W8.of_int 6; W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 6; -W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int 8; -W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 8; W8.of_int 10; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 2; W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; 
-W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 4; W8.of_int 8; W8.of_int 10; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 4; W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 8; -W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 8; W8.of_int 10; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int 6; W8.of_int 8; -W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 6; -W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int 12; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; -W8.of_int 10; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int 12; W8.of_int (-1); W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 4; W8.of_int 
14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 4; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 6; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 6; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 6; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 6; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 4; W8.of_int 6; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; -W8.of_int 6; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 8; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 8; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 8; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 8; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 8; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); 
W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 8; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 4; W8.of_int 8; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; -W8.of_int 8; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 6; W8.of_int 8; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 6; -W8.of_int 8; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int 8; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 6; W8.of_int 8; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 6; W8.of_int 8; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; -W8.of_int 6; W8.of_int 8; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 6; -W8.of_int 8; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 10; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 10; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 10; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 10; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 10; W8.of_int 14; 
-W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 4; W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; -W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 6; W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 6; -W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int 10; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 6; W8.of_int 10; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 6; W8.of_int 10; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 4; W8.of_int 6; W8.of_int 10; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; -W8.of_int 6; W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 6; -W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 8; -W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 8; W8.of_int 10; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 2; W8.of_int 8; W8.of_int 10; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; -W8.of_int 8; W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 4; W8.of_int 8; W8.of_int 10; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 4; W8.of_int 8; W8.of_int 10; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 8; 
-W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 8; W8.of_int 10; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 6; W8.of_int 8; -W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 6; -W8.of_int 8; W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; -W8.of_int 10; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int 14; W8.of_int (-1); W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 4; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; 
W8.of_int 4; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 6; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 6; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 6; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 4; W8.of_int 6; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 6; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int 8; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 8; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 8; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 8; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 4; W8.of_int 8; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 8; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 8; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 8; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int 6; 
W8.of_int 8; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 6; W8.of_int 8; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 6; -W8.of_int 8; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 6; W8.of_int 8; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 4; -W8.of_int 6; W8.of_int 8; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 6; -W8.of_int 8; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; -W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 10; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 2; W8.of_int 10; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 10; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 4; W8.of_int 10; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 4; W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; -W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int 6; W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; 
W8.of_int 6; -W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 2; W8.of_int 6; W8.of_int 10; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 6; W8.of_int 10; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int 4; W8.of_int 6; W8.of_int 10; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 4; W8.of_int 6; W8.of_int 10; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; -W8.of_int 6; W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 6; -W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int 8; -W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 8; W8.of_int 10; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); -W8.of_int 2; W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; -W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int (-1); W8.of_int 4; W8.of_int 8; W8.of_int 10; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 4; W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 8; -W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int 0; W8.of_int 2; W8.of_int 4; W8.of_int 8; W8.of_int 10; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int 6; W8.of_int 8; -W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int 0; W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 2; -W8.of_int 6; W8.of_int 8; 
W8.of_int 10; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 2; W8.of_int 6; -W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); -W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int 12; -W8.of_int 14; W8.of_int (-1); W8.of_int (-1); W8.of_int 0; W8.of_int 4; -W8.of_int 6; W8.of_int 8; W8.of_int 10; W8.of_int 12; W8.of_int 14; -W8.of_int (-1); W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; -W8.of_int 10; W8.of_int 12; W8.of_int 14; W8.of_int (-1); W8.of_int 0; -W8.of_int 2; W8.of_int 4; W8.of_int 6; W8.of_int 8; W8.of_int 10; -W8.of_int 12; W8.of_int 14]. - - -abbrev sample_q = W256.of_int 5881923629679188442283784376194736327817742869488325897419002016668082834689. - - -abbrev sample_mask = W256.of_int 7235349132933696807194982583513801520701008426120364839270295361446620368895. - - -abbrev sample_ones = W256.of_int 454086624460063511464984254936031011189294057512315937409637584344757371137. - - -abbrev sample_load_shuffle = Array32.of_list witness [W8.of_int 0; -W8.of_int 1; W8.of_int 1; W8.of_int 2; W8.of_int 3; W8.of_int 4; W8.of_int 4; -W8.of_int 5; W8.of_int 6; W8.of_int 7; W8.of_int 7; W8.of_int 8; W8.of_int 9; -W8.of_int 10; W8.of_int 10; W8.of_int 11; W8.of_int 4; W8.of_int 5; -W8.of_int 5; W8.of_int 6; W8.of_int 7; W8.of_int 8; W8.of_int 8; W8.of_int 9; -W8.of_int 10; W8.of_int 11; W8.of_int 11; W8.of_int 12; W8.of_int 13; -W8.of_int 14; W8.of_int 14; W8.of_int 15]. - - -abbrev kECCAK_RHOTATES_RIGHT = Array6.of_list witness [W256.of_int 144373339913893657577751063007562604548177214458152943091773; -W256.of_int 232252764209307188274174373867837442080505530800860351692863; -W256.of_int 156927543384667019098616994515559168111335794127330162507795; -W256.of_int 351517697181654122777866749001917765472957616589092975280182; -W256.of_int 276192476357013953622045746931053922384479139705868246843454; -W256.of_int 313855086769334038206421612937983674734430261968315659321364]. 
- - -abbrev kECCAK_RHOTATES_LEFT = Array6.of_list witness [W256.of_int 257361171150853911329517531560668107745210100483895842570243; -W256.of_int 169481746855440380633094220700393270212881784141188433969153; -W256.of_int 244806967680080549808651600052671544182051520814718623154221; -W256.of_int 50216813883093446129401845566312946820429698352955810381834; -W256.of_int 125542034707733615285222847637176789908908175236180538818562; -W256.of_int 87879424295413530700846981630247037558957052973733126340652]. - - -abbrev kECCAK_IOTAS = Array24.of_list witness [W256.of_int 6277101735386680764176071790128604879584176795969512275969; -W256.of_int 206504092890751023779864409751650843328560248233805014854828162; -W256.of_int (-57896044618657891154337237002533387566728630465883811983015055433200855646070); -W256.of_int (-57896044605177918687001956587831074660851270707671256656745893357814858874880); -W256.of_int 206560586806369503906741994397762000772476505824968740465311883; -W256.of_int 13479973339852421633450939126351338586088633588469736715148203130881; -W256.of_int (-57896044605177917877255832722949256082138009781081227190387086677747775274879); -W256.of_int (-57896044618657891964083360867415206145441891392473841449373862113267939246071); -W256.of_int 866240039483361945456297907037747473382616397843792694083722; -W256.of_int 853685836012588583927945763457490263623448044251853669531784; -W256.of_int 13480179078138900667299665761280331841242166839448401411882560290825; -W256.of_int 13479973396346337251931066003935984697246077504727327878873813614602; -W256.of_int 13480179894162126267568165104169664557960801185391384887919156166795; -W256.of_int (-57896044618658096836129800417901987324072977609879901317736128966209602322293); -W256.of_int (-57896044618657891160614338737920068330904702256012416862599232229170367922039); -W256.of_int (-57896044618657892001745971279735290730498322133245470726878922889085012901885); -W256.of_int 
(-57896044618657892008023073015121971494674393923374075606463099685054525177854); -W256.of_int (-57896044618658096905177919507155475730009767301294554993162073721874237357952); -W256.of_int 205750840682504622088163281136835410743010147018288673381711882; -W256.of_int (-57896044605178124312300604384719547540610971740509902075209375727097995067382); -W256.of_int (-57896044605177917877255832722949256082138009781081227190387086677747775274879); -W256.of_int (-57896044618657891217108254356400195208489348367169860778856823392895978405760); -W256.of_int 13479973339852421633450939126351338586088633588469736715148203130881; -W256.of_int (-57896044605177918636785142704737628547442696386642417620072478990058760667128)]. - - -abbrev rOL8 = W256.of_int 13620818001941277694121380808605999856886653716761013959207994299728839901191. - - -abbrev rOL56 = W256.of_int 10910488462195273559651782724632284871561478246514020268633800075540923875841. - - -abbrev kECCAK1600_RC_AVX2 = Array24.of_list witness [W256.of_int 6277101735386680764176071790128604879584176795969512275969; -W256.of_int 206504092890751023779864409751650843328560248233805014854828162; -W256.of_int (-57896044618657891154337237002533387566728630465883811983015055433200855646070); -W256.of_int (-57896044605177918687001956587831074660851270707671256656745893357814858874880); -W256.of_int 206560586806369503906741994397762000772476505824968740465311883; -W256.of_int 13479973339852421633450939126351338586088633588469736715148203130881; -W256.of_int (-57896044605177917877255832722949256082138009781081227190387086677747775274879); -W256.of_int (-57896044618657891964083360867415206145441891392473841449373862113267939246071); -W256.of_int 866240039483361945456297907037747473382616397843792694083722; -W256.of_int 853685836012588583927945763457490263623448044251853669531784; -W256.of_int 13480179078138900667299665761280331841242166839448401411882560290825; -W256.of_int 
13479973396346337251931066003935984697246077504727327878873813614602; -W256.of_int 13480179894162126267568165104169664557960801185391384887919156166795; -W256.of_int (-57896044618658096836129800417901987324072977609879901317736128966209602322293); -W256.of_int (-57896044618657891160614338737920068330904702256012416862599232229170367922039); -W256.of_int (-57896044618657892001745971279735290730498322133245470726878922889085012901885); -W256.of_int (-57896044618657892008023073015121971494674393923374075606463099685054525177854); -W256.of_int (-57896044618658096905177919507155475730009767301294554993162073721874237357952); -W256.of_int 205750840682504622088163281136835410743010147018288673381711882; -W256.of_int (-57896044605178124312300604384719547540610971740509902075209375727097995067382); -W256.of_int (-57896044605177917877255832722949256082138009781081227190387086677747775274879); -W256.of_int (-57896044618657891217108254356400195208489348367169860778856823392895978405760); -W256.of_int 13479973339852421633450939126351338586088633588469736715148203130881; -W256.of_int (-57896044605177918636785142704737628547442696386642417620072478990058760667128)]. - - -abbrev pvc_shufbidx_s = Array32.of_list witness [W8.of_int 0; W8.of_int 1; -W8.of_int 2; W8.of_int 3; W8.of_int 4; W8.of_int 8; W8.of_int 9; -W8.of_int 10; W8.of_int 11; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 9; -W8.of_int 10; W8.of_int 11; W8.of_int 12; W8.of_int (-1); W8.of_int (-1); -W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int (-1); W8.of_int 0; -W8.of_int 1; W8.of_int 2; W8.of_int 3; W8.of_int 4; W8.of_int 8]. - - -abbrev pvc_sllvdidx_s = W64.of_int 12. - - -abbrev pvc_shift2_s = W64.of_int 288230380513787905. - - -abbrev pvc_mask_s = W16.of_int 1023. - - -abbrev pvc_shift1_s = W16.of_int 4096. - - -abbrev pvc_off_s = W16.of_int 15. - - -abbrev pvd_mask_s = W32.of_int 2145394680. 
- - -abbrev pvd_sllvdidx_s = W64.of_int 4. - - -abbrev pvd_shufbdidx_s = Array32.of_list witness [W8.of_int 0; W8.of_int 1; -W8.of_int 1; W8.of_int 2; W8.of_int 2; W8.of_int 3; W8.of_int 3; W8.of_int 4; -W8.of_int 5; W8.of_int 6; W8.of_int 6; W8.of_int 7; W8.of_int 7; W8.of_int 8; -W8.of_int 8; W8.of_int 9; W8.of_int 2; W8.of_int 3; W8.of_int 3; W8.of_int 4; -W8.of_int 4; W8.of_int 5; W8.of_int 5; W8.of_int 6; W8.of_int 7; W8.of_int 8; -W8.of_int 8; W8.of_int 9; W8.of_int 9; W8.of_int 10; W8.of_int 10; -W8.of_int 11]. - - -abbrev pvd_q_s = W32.of_int 218182660. - - -abbrev cbd_jshufbidx = Array32.of_list witness [W8.of_int 0; W8.of_int 1; -W8.of_int 2; W8.of_int (-1); W8.of_int 3; W8.of_int 4; W8.of_int 5; -W8.of_int (-1); W8.of_int 6; W8.of_int 7; W8.of_int 8; W8.of_int (-1); -W8.of_int 9; W8.of_int 10; W8.of_int 11; W8.of_int (-1); W8.of_int 4; -W8.of_int 5; W8.of_int 6; W8.of_int (-1); W8.of_int 7; W8.of_int 8; -W8.of_int 9; W8.of_int (-1); W8.of_int 10; W8.of_int 11; W8.of_int 12; -W8.of_int (-1); W8.of_int 13; W8.of_int 14; W8.of_int 15; W8.of_int (-1)]. - - -abbrev pfm_idx_s = Array16.of_list witness [W8.of_int 0; W8.of_int 1; -W8.of_int 4; W8.of_int 5; W8.of_int 8; W8.of_int 9; W8.of_int 12; -W8.of_int 13; W8.of_int 2; W8.of_int 3; W8.of_int 6; W8.of_int 7; -W8.of_int 10; W8.of_int 11; W8.of_int 14; W8.of_int 15]. +from Jasmin require import JModel_x86. -abbrev pfm_shift_s = Array4.of_list witness [W32.of_int 3; W32.of_int 2; -W32.of_int 1; W32.of_int 0]. +import SLH64. +require import +Array1 Array4 Array5 Array6 Array7 Array8 Array9 Array16 Array24 Array25 +Array32 Array33 Array64 Array128 Array136 Array256 Array400 Array536 Array768 +Array960 Array1024 Array1088 Array2048 Array2144 Array2304. -abbrev pd_shift_s = W32.of_int 8390656. 
+require import +WArray8 WArray16 WArray32 WArray33 WArray40 WArray64 WArray128 WArray136 +WArray160 WArray192 WArray200 WArray224 WArray256 WArray288 WArray512 +WArray536 WArray768 WArray800 WArray960 WArray1088 WArray1536 WArray2048 +WArray2144 WArray4608. +abbrev gen_matrix_indexes = +(Array16.of_list witness +[(W16.of_int 0); (W16.of_int 1); (W16.of_int 2); (W16.of_int 256); +(W16.of_int 257); (W16.of_int 258); (W16.of_int 512); (W16.of_int 513); +(W16.of_int 0); (W16.of_int 256); (W16.of_int 512); (W16.of_int 1); +(W16.of_int 257); (W16.of_int 513); (W16.of_int 2); (W16.of_int 258)]). -abbrev pd_mask_s = W32.of_int 15728655. +abbrev rATE_BIT_x4 = +(Array1.of_list witness +[(W256.of_int + (-57896044618658097708646941636650613544546956437755979579936703605971808681984) + )] +). +abbrev sample_shuffle_table = +(Array2048.of_list witness +[(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 2); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 2); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 4); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 4); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 2); (W8.of_int 4); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 2); (W8.of_int 4); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 6); 
(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 6); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 2); (W8.of_int 6); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 2); (W8.of_int 6); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 4); (W8.of_int 6); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 4); (W8.of_int 6); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 2); (W8.of_int 4); (W8.of_int 6); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 2); (W8.of_int 4); (W8.of_int 6); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 8); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); +(W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 2); (W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); +(W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 4); (W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 8); (W8.of_int (-1)); 
(W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 2); (W8.of_int 4); (W8.of_int 8); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); +(W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 6); (W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 2); (W8.of_int 6); (W8.of_int 8); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 2); (W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 10); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 10); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 10); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 10); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); 
(W8.of_int 0); (W8.of_int 4); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); (W8.of_int 10); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 10); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 8); (W8.of_int 10); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 8); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 8); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); 
(W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 8); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); (W8.of_int 8); +(W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 10); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 12); +(W8.of_int (-1)); 
(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 8); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); 
(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 8); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 8); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 8); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); (W8.of_int 8); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 12); 
+(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 10); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 10); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 10); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 10); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); (W8.of_int 10); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); 
(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 10); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 8); (W8.of_int 10); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 
6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 4); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 6); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); 
+(W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 8); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 8); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 2); (W8.of_int 8); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 2); (W8.of_int 8); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 4); (W8.of_int 8); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 4); (W8.of_int 8); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 2); (W8.of_int 4); (W8.of_int 8); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 2); (W8.of_int 4); (W8.of_int 8); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 14); (W8.of_int 
(-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 2); (W8.of_int 6); (W8.of_int 8); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 2); (W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 10); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 10); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 10); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 10); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); (W8.of_int 10); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); 
+(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 10); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 8); (W8.of_int 10); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 8); (W8.of_int 10); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); 
(W8.of_int 8); +(W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 4); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 
(-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 6); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 8); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 2); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 2); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 4); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); 
(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 2); (W8.of_int 4); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 6); (W8.of_int 8); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 10); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 10); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 10); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 4); (W8.of_int 10); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); 
(W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); (W8.of_int 10); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); (W8.of_int 10); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 6); (W8.of_int 10); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); (W8.of_int 10); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); (W8.of_int 10); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 4); (W8.of_int 6); (W8.of_int 10); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 2); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); 
+(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 4); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); +(W8.of_int 4); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int 6); (W8.of_int 8); (W8.of_int 10); +(W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 6); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 2); (W8.of_int 6); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 6); (W8.of_int 8); +(W8.of_int 10); (W8.of_int 12); (W8.of_int 14); (W8.of_int (-1)); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 0); +(W8.of_int 4); (W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); +(W8.of_int 14); (W8.of_int (-1)); (W8.of_int 2); (W8.of_int 4); +(W8.of_int 6); (W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14); +(W8.of_int (-1)); (W8.of_int 0); (W8.of_int 2); (W8.of_int 4); (W8.of_int 6); +(W8.of_int 8); (W8.of_int 10); (W8.of_int 12); (W8.of_int 14)]). 
-abbrev pd_jshufbidx = Array32.of_list witness [W8.of_int 0; W8.of_int 0; -W8.of_int 0; W8.of_int 0; W8.of_int 1; W8.of_int 1; W8.of_int 1; W8.of_int 1; -W8.of_int 2; W8.of_int 2; W8.of_int 2; W8.of_int 2; W8.of_int 3; W8.of_int 3; -W8.of_int 3; W8.of_int 3; W8.of_int 4; W8.of_int 4; W8.of_int 4; W8.of_int 4; -W8.of_int 5; W8.of_int 5; W8.of_int 5; W8.of_int 5; W8.of_int 6; W8.of_int 6; -W8.of_int 6; W8.of_int 6; W8.of_int 7; W8.of_int 7; W8.of_int 7; -W8.of_int 7]. +abbrev sample_q = +(W256.of_int +5881923629679188442283784376194736327817742869488325897419002016668082834689). +abbrev sample_mask = +(W256.of_int +7235349132933696807194982583513801520701008426120364839270295361446620368895). -abbrev pc_permidx_s = Array8.of_list witness [W32.of_int 0; W32.of_int 4; -W32.of_int 1; W32.of_int 5; W32.of_int 2; W32.of_int 6; W32.of_int 3; -W32.of_int 7]. +abbrev sample_ones = +(W256.of_int +454086624460063511464984254936031011189294057512315937409637584344757371137). +abbrev sample_load_shuffle = +(Array32.of_list witness +[(W8.of_int 0); (W8.of_int 1); (W8.of_int 1); (W8.of_int 2); (W8.of_int 3); +(W8.of_int 4); (W8.of_int 4); (W8.of_int 5); (W8.of_int 6); (W8.of_int 7); +(W8.of_int 7); (W8.of_int 8); (W8.of_int 9); (W8.of_int 10); (W8.of_int 10); +(W8.of_int 11); (W8.of_int 4); (W8.of_int 5); (W8.of_int 5); (W8.of_int 6); +(W8.of_int 7); (W8.of_int 8); (W8.of_int 8); (W8.of_int 9); (W8.of_int 10); +(W8.of_int 11); (W8.of_int 11); (W8.of_int 12); (W8.of_int 13); +(W8.of_int 14); (W8.of_int 14); (W8.of_int 15)]). -abbrev pc_shift2_s = W16.of_int 4097. 
+abbrev kECCAK_RHOTATES_RIGHT = +(Array6.of_list witness +[(W256.of_int 144373339913893657577751063007562604548177214458152943091773); +(W256.of_int 232252764209307188274174373867837442080505530800860351692863); +(W256.of_int 156927543384667019098616994515559168111335794127330162507795); +(W256.of_int 351517697181654122777866749001917765472957616589092975280182); +(W256.of_int 276192476357013953622045746931053922384479139705868246843454); +(W256.of_int 313855086769334038206421612937983674734430261968315659321364)]). +abbrev kECCAK_RHOTATES_LEFT = +(Array6.of_list witness +[(W256.of_int 257361171150853911329517531560668107745210100483895842570243); +(W256.of_int 169481746855440380633094220700393270212881784141188433969153); +(W256.of_int 244806967680080549808651600052671544182051520814718623154221); +(W256.of_int 50216813883093446129401845566312946820429698352955810381834); +(W256.of_int 125542034707733615285222847637176789908908175236180538818562); +(W256.of_int 87879424295413530700846981630247037558957052973733126340652)]). -abbrev pc_mask_s = W16.of_int 15. 
+abbrev kECCAK_IOTAS = +(Array24.of_list witness +[(W256.of_int 6277101735386680764176071790128604879584176795969512275969); +(W256.of_int 206504092890751023779864409751650843328560248233805014854828162); +(W256.of_int +(-57896044618657891154337237002533387566728630465883811983015055433200855646070) +); +(W256.of_int +(-57896044605177918687001956587831074660851270707671256656745893357814858874880) +); +(W256.of_int 206560586806369503906741994397762000772476505824968740465311883); +(W256.of_int +13479973339852421633450939126351338586088633588469736715148203130881); +(W256.of_int +(-57896044605177917877255832722949256082138009781081227190387086677747775274879) +); +(W256.of_int +(-57896044618657891964083360867415206145441891392473841449373862113267939246071) +); +(W256.of_int 866240039483361945456297907037747473382616397843792694083722); +(W256.of_int 853685836012588583927945763457490263623448044251853669531784); +(W256.of_int +13480179078138900667299665761280331841242166839448401411882560290825); +(W256.of_int +13479973396346337251931066003935984697246077504727327878873813614602); +(W256.of_int +13480179894162126267568165104169664557960801185391384887919156166795); +(W256.of_int +(-57896044618658096836129800417901987324072977609879901317736128966209602322293) +); +(W256.of_int +(-57896044618657891160614338737920068330904702256012416862599232229170367922039) +); +(W256.of_int +(-57896044618657892001745971279735290730498322133245470726878922889085012901885) +); +(W256.of_int +(-57896044618657892008023073015121971494674393923374075606463099685054525177854) +); +(W256.of_int +(-57896044618658096905177919507155475730009767301294554993162073721874237357952) +); +(W256.of_int 205750840682504622088163281136835410743010147018288673381711882); +(W256.of_int +(-57896044605178124312300604384719547540610971740509902075209375727097995067382) +); +(W256.of_int +(-57896044605177917877255832722949256082138009781081227190387086677747775274879) +); +(W256.of_int 
+(-57896044618657891217108254356400195208489348367169860778856823392895978405760) +); +(W256.of_int +13479973339852421633450939126351338586088633588469736715148203130881); +(W256.of_int +(-57896044605177918636785142704737628547442696386642417620072478990058760667128) +)]). +abbrev rOL8 = +(W256.of_int +13620818001941277694121380808605999856886653716761013959207994299728839901191 +). -abbrev pc_shift1_s = W16.of_int 512. +abbrev rOL56 = +(W256.of_int +10910488462195273559651782724632284871561478246514020268633800075540923875841 +). +abbrev kECCAK1600_RC_AVX2 = +(Array24.of_list witness +[(W256.of_int 6277101735386680764176071790128604879584176795969512275969); +(W256.of_int 206504092890751023779864409751650843328560248233805014854828162); +(W256.of_int +(-57896044618657891154337237002533387566728630465883811983015055433200855646070) +); +(W256.of_int +(-57896044605177918687001956587831074660851270707671256656745893357814858874880) +); +(W256.of_int 206560586806369503906741994397762000772476505824968740465311883); +(W256.of_int +13479973339852421633450939126351338586088633588469736715148203130881); +(W256.of_int +(-57896044605177917877255832722949256082138009781081227190387086677747775274879) +); +(W256.of_int +(-57896044618657891964083360867415206145441891392473841449373862113267939246071) +); +(W256.of_int 866240039483361945456297907037747473382616397843792694083722); +(W256.of_int 853685836012588583927945763457490263623448044251853669531784); +(W256.of_int +13480179078138900667299665761280331841242166839448401411882560290825); +(W256.of_int +13479973396346337251931066003935984697246077504727327878873813614602); +(W256.of_int +13480179894162126267568165104169664557960801185391384887919156166795); +(W256.of_int +(-57896044618658096836129800417901987324072977609879901317736128966209602322293) +); +(W256.of_int +(-57896044618657891160614338737920068330904702256012416862599232229170367922039) +); +(W256.of_int 
+(-57896044618657892001745971279735290730498322133245470726878922889085012901885) +); +(W256.of_int +(-57896044618657892008023073015121971494674393923374075606463099685054525177854) +); +(W256.of_int +(-57896044618658096905177919507155475730009767301294554993162073721874237357952) +); +(W256.of_int 205750840682504622088163281136835410743010147018288673381711882); +(W256.of_int +(-57896044605178124312300604384719547540610971740509902075209375727097995067382) +); +(W256.of_int +(-57896044605177917877255832722949256082138009781081227190387086677747775274879) +); +(W256.of_int +(-57896044618657891217108254356400195208489348367169860778856823392895978405760) +); +(W256.of_int +13479973339852421633450939126351338586088633588469736715148203130881); +(W256.of_int +(-57896044605177918636785142704737628547442696386642417620072478990058760667128) +)]). -abbrev keccakF1600RoundConstants = Array24.of_list witness [W256.of_int 6277101735386680764176071790128604879584176795969512275969; -W256.of_int 206504092890751023779864409751650843328560248233805014854828162; -W256.of_int (-57896044618657891154337237002533387566728630465883811983015055433200855646070); -W256.of_int (-57896044605177918687001956587831074660851270707671256656745893357814858874880); -W256.of_int 206560586806369503906741994397762000772476505824968740465311883; -W256.of_int 13479973339852421633450939126351338586088633588469736715148203130881; -W256.of_int (-57896044605177917877255832722949256082138009781081227190387086677747775274879); -W256.of_int (-57896044618657891964083360867415206145441891392473841449373862113267939246071); -W256.of_int 866240039483361945456297907037747473382616397843792694083722; -W256.of_int 853685836012588583927945763457490263623448044251853669531784; -W256.of_int 13480179078138900667299665761280331841242166839448401411882560290825; -W256.of_int 13479973396346337251931066003935984697246077504727327878873813614602; -W256.of_int 
13480179894162126267568165104169664557960801185391384887919156166795; -W256.of_int (-57896044618658096836129800417901987324072977609879901317736128966209602322293); -W256.of_int (-57896044618657891160614338737920068330904702256012416862599232229170367922039); -W256.of_int (-57896044618657892001745971279735290730498322133245470726878922889085012901885); -W256.of_int (-57896044618657892008023073015121971494674393923374075606463099685054525177854); -W256.of_int (-57896044618658096905177919507155475730009767301294554993162073721874237357952); -W256.of_int 205750840682504622088163281136835410743010147018288673381711882; -W256.of_int (-57896044605178124312300604384719547540610971740509902075209375727097995067382); -W256.of_int (-57896044605177917877255832722949256082138009781081227190387086677747775274879); -W256.of_int (-57896044618657891217108254356400195208489348367169860778856823392895978405760); -W256.of_int 13479973339852421633450939126351338586088633588469736715148203130881; -W256.of_int (-57896044605177918636785142704737628547442696386642417620072478990058760667128)]. +abbrev pvc_shufbidx_s = +(Array32.of_list witness +[(W8.of_int 0); (W8.of_int 1); (W8.of_int 2); (W8.of_int 3); (W8.of_int 4); +(W8.of_int 8); (W8.of_int 9); (W8.of_int 10); (W8.of_int 11); (W8.of_int 12); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int 9); (W8.of_int 10); +(W8.of_int 11); (W8.of_int 12); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); (W8.of_int (-1)); +(W8.of_int 0); (W8.of_int 1); (W8.of_int 2); (W8.of_int 3); (W8.of_int 4); +(W8.of_int 8)]). +abbrev pvc_sllvdidx_s = (W64.of_int 12). -abbrev rho8 = W256.of_int 13620818001941277694121380808605999856886653716761013959207994299728839901191. +abbrev pvc_shift2_s = (W64.of_int 288230380513787905). +abbrev pvc_mask_s = (W16.of_int 1023). 
-abbrev rho56 = W256.of_int 10910488462195273559651782724632284871561478246514020268633800075540923875841. +abbrev pvc_shift1_s = (W16.of_int 4096). +abbrev pvc_off_s = (W16.of_int 15). -abbrev shake_sep = Array4.of_list witness [W64.of_int (-9223372036854775808); -W64.of_int (-9223372036854775808); W64.of_int (-9223372036854775808); -W64.of_int (-9223372036854775808)]. +abbrev pvd_mask_s = (W32.of_int 2145394680). +abbrev pvd_sllvdidx_s = (W64.of_int 4). -abbrev kECCAK1600_RC = Array24.of_list witness [W64.of_int 1; -W64.of_int 32898; W64.of_int (-9223372036854742902); -W64.of_int (-9223372034707259392); W64.of_int 32907; W64.of_int 2147483649; -W64.of_int (-9223372034707259263); W64.of_int (-9223372036854743031); -W64.of_int 138; W64.of_int 136; W64.of_int 2147516425; W64.of_int 2147483658; -W64.of_int 2147516555; W64.of_int (-9223372036854775669); -W64.of_int (-9223372036854742903); W64.of_int (-9223372036854743037); -W64.of_int (-9223372036854743038); W64.of_int (-9223372036854775680); -W64.of_int 32778; W64.of_int (-9223372034707292150); -W64.of_int (-9223372034707259263); W64.of_int (-9223372036854742912); -W64.of_int 2147483649; W64.of_int (-9223372034707259384)]. +abbrev pvd_shufbdidx_s = +(Array32.of_list witness +[(W8.of_int 0); (W8.of_int 1); (W8.of_int 1); (W8.of_int 2); (W8.of_int 2); +(W8.of_int 3); (W8.of_int 3); (W8.of_int 4); (W8.of_int 5); (W8.of_int 6); +(W8.of_int 6); (W8.of_int 7); (W8.of_int 7); (W8.of_int 8); (W8.of_int 8); +(W8.of_int 9); (W8.of_int 2); (W8.of_int 3); (W8.of_int 3); (W8.of_int 4); +(W8.of_int 4); (W8.of_int 5); (W8.of_int 5); (W8.of_int 6); (W8.of_int 7); +(W8.of_int 8); (W8.of_int 8); (W8.of_int 9); (W8.of_int 9); (W8.of_int 10); +(W8.of_int 10); (W8.of_int 11)]). +abbrev pvd_q_s = (W32.of_int 218182660). 
-abbrev jdmontx16 = Array16.of_list witness [W16.of_int 1353; W16.of_int 1353; -W16.of_int 1353; W16.of_int 1353; W16.of_int 1353; W16.of_int 1353; -W16.of_int 1353; W16.of_int 1353; W16.of_int 1353; W16.of_int 1353; -W16.of_int 1353; W16.of_int 1353; W16.of_int 1353; W16.of_int 1353; -W16.of_int 1353; W16.of_int 1353]. +abbrev cbd_jshufbidx = +(Array32.of_list witness +[(W8.of_int 0); (W8.of_int 1); (W8.of_int 2); (W8.of_int (-1)); +(W8.of_int 3); (W8.of_int 4); (W8.of_int 5); (W8.of_int (-1)); (W8.of_int 6); +(W8.of_int 7); (W8.of_int 8); (W8.of_int (-1)); (W8.of_int 9); +(W8.of_int 10); (W8.of_int 11); (W8.of_int (-1)); (W8.of_int 4); +(W8.of_int 5); (W8.of_int 6); (W8.of_int (-1)); (W8.of_int 7); (W8.of_int 8); +(W8.of_int 9); (W8.of_int (-1)); (W8.of_int 10); (W8.of_int 11); +(W8.of_int 12); (W8.of_int (-1)); (W8.of_int 13); (W8.of_int 14); +(W8.of_int 15); (W8.of_int (-1))]). +abbrev pfm_idx_s = +(Array16.of_list witness +[(W8.of_int 0); (W8.of_int 1); (W8.of_int 4); (W8.of_int 5); (W8.of_int 8); +(W8.of_int 9); (W8.of_int 12); (W8.of_int 13); (W8.of_int 2); (W8.of_int 3); +(W8.of_int 6); (W8.of_int 7); (W8.of_int 10); (W8.of_int 11); (W8.of_int 14); +(W8.of_int 15)]). -abbrev mqinvx16 = Array16.of_list witness [W16.of_int 15099; -W16.of_int 15099; W16.of_int 15099; W16.of_int 15099; W16.of_int 15099; -W16.of_int 15099; W16.of_int 15099; W16.of_int 15099; W16.of_int 15099; -W16.of_int 15099; W16.of_int 15099; W16.of_int 15099; W16.of_int 15099; -W16.of_int 15099; W16.of_int 15099; W16.of_int 15099]. +abbrev pfm_shift_s = +(Array4.of_list witness +[(W32.of_int 3); (W32.of_int 2); (W32.of_int 1); (W32.of_int 0)]). +abbrev pd_shift_s = (W32.of_int 8390656). -abbrev hhqx16 = Array16.of_list witness [W16.of_int 832; W16.of_int 832; -W16.of_int 832; W16.of_int 832; W16.of_int 832; W16.of_int 832; -W16.of_int 832; W16.of_int 832; W16.of_int 832; W16.of_int 832; -W16.of_int 832; W16.of_int 832; W16.of_int 832; W16.of_int 832; -W16.of_int 832; W16.of_int 832]. 
+abbrev pd_mask_s = (W32.of_int 15728655). +abbrev pd_jshufbidx = +(Array32.of_list witness +[(W8.of_int 0); (W8.of_int 0); (W8.of_int 0); (W8.of_int 0); (W8.of_int 1); +(W8.of_int 1); (W8.of_int 1); (W8.of_int 1); (W8.of_int 2); (W8.of_int 2); +(W8.of_int 2); (W8.of_int 2); (W8.of_int 3); (W8.of_int 3); (W8.of_int 3); +(W8.of_int 3); (W8.of_int 4); (W8.of_int 4); (W8.of_int 4); (W8.of_int 4); +(W8.of_int 5); (W8.of_int 5); (W8.of_int 5); (W8.of_int 5); (W8.of_int 6); +(W8.of_int 6); (W8.of_int 6); (W8.of_int 6); (W8.of_int 7); (W8.of_int 7); +(W8.of_int 7); (W8.of_int 7)]). -abbrev hqx16_m1 = Array16.of_list witness [W16.of_int 1664; W16.of_int 1664; -W16.of_int 1664; W16.of_int 1664; W16.of_int 1664; W16.of_int 1664; -W16.of_int 1664; W16.of_int 1664; W16.of_int 1664; W16.of_int 1664; -W16.of_int 1664; W16.of_int 1664; W16.of_int 1664; W16.of_int 1664; -W16.of_int 1664; W16.of_int 1664]. +abbrev pc_permidx_s = +(Array8.of_list witness +[(W32.of_int 0); (W32.of_int 4); (W32.of_int 1); (W32.of_int 5); +(W32.of_int 2); (W32.of_int 6); (W32.of_int 3); (W32.of_int 7)]). +abbrev pc_shift2_s = (W16.of_int 4097). -abbrev hqx16_p1 = Array16.of_list witness [W16.of_int 1665; W16.of_int 1665; -W16.of_int 1665; W16.of_int 1665; W16.of_int 1665; W16.of_int 1665; -W16.of_int 1665; W16.of_int 1665; W16.of_int 1665; W16.of_int 1665; -W16.of_int 1665; W16.of_int 1665; W16.of_int 1665; W16.of_int 1665; -W16.of_int 1665; W16.of_int 1665]. +abbrev pc_mask_s = (W16.of_int 15). +abbrev pc_shift1_s = (W16.of_int 512). -abbrev maskx16 = Array16.of_list witness [W16.of_int 4095; W16.of_int 4095; -W16.of_int 4095; W16.of_int 4095; W16.of_int 4095; W16.of_int 4095; -W16.of_int 4095; W16.of_int 4095; W16.of_int 4095; W16.of_int 4095; -W16.of_int 4095; W16.of_int 4095; W16.of_int 4095; W16.of_int 4095; -W16.of_int 4095; W16.of_int 4095]. 
+abbrev keccakF1600RoundConstants = +(Array24.of_list witness +[(W256.of_int 6277101735386680764176071790128604879584176795969512275969); +(W256.of_int 206504092890751023779864409751650843328560248233805014854828162); +(W256.of_int +(-57896044618657891154337237002533387566728630465883811983015055433200855646070) +); +(W256.of_int +(-57896044605177918687001956587831074660851270707671256656745893357814858874880) +); +(W256.of_int 206560586806369503906741994397762000772476505824968740465311883); +(W256.of_int +13479973339852421633450939126351338586088633588469736715148203130881); +(W256.of_int +(-57896044605177917877255832722949256082138009781081227190387086677747775274879) +); +(W256.of_int +(-57896044618657891964083360867415206145441891392473841449373862113267939246071) +); +(W256.of_int 866240039483361945456297907037747473382616397843792694083722); +(W256.of_int 853685836012588583927945763457490263623448044251853669531784); +(W256.of_int +13480179078138900667299665761280331841242166839448401411882560290825); +(W256.of_int +13479973396346337251931066003935984697246077504727327878873813614602); +(W256.of_int +13480179894162126267568165104169664557960801185391384887919156166795); +(W256.of_int +(-57896044618658096836129800417901987324072977609879901317736128966209602322293) +); +(W256.of_int +(-57896044618657891160614338737920068330904702256012416862599232229170367922039) +); +(W256.of_int +(-57896044618657892001745971279735290730498322133245470726878922889085012901885) +); +(W256.of_int +(-57896044618657892008023073015121971494674393923374075606463099685054525177854) +); +(W256.of_int +(-57896044618658096905177919507155475730009767301294554993162073721874237357952) +); +(W256.of_int 205750840682504622088163281136835410743010147018288673381711882); +(W256.of_int +(-57896044605178124312300604384719547540610971740509902075209375727097995067382) +); +(W256.of_int +(-57896044605177917877255832722949256082138009781081227190387086677747775274879) +); +(W256.of_int 
+(-57896044618657891217108254356400195208489348367169860778856823392895978405760) +); +(W256.of_int +13479973339852421633450939126351338586088633588469736715148203130881); +(W256.of_int +(-57896044605177918636785142704737628547442696386642417620072478990058760667128) +)]). +abbrev rho8 = +(W256.of_int +13620818001941277694121380808605999856886653716761013959207994299728839901191 +). -abbrev jflox16 = Array16.of_list witness [W16.of_int (-10079); -W16.of_int (-10079); W16.of_int (-10079); W16.of_int (-10079); -W16.of_int (-10079); W16.of_int (-10079); W16.of_int (-10079); -W16.of_int (-10079); W16.of_int (-10079); W16.of_int (-10079); -W16.of_int (-10079); W16.of_int (-10079); W16.of_int (-10079); -W16.of_int (-10079); W16.of_int (-10079); W16.of_int (-10079)]. +abbrev rho56 = +(W256.of_int +10910488462195273559651782724632284871561478246514020268633800075540923875841 +). +abbrev shake_sep = +(Array4.of_list witness +[(W64.of_int (-9223372036854775808)); (W64.of_int (-9223372036854775808)); +(W64.of_int (-9223372036854775808)); (W64.of_int (-9223372036854775808))]). -abbrev jfhix16 = Array16.of_list witness [W16.of_int 1441; W16.of_int 1441; -W16.of_int 1441; W16.of_int 1441; W16.of_int 1441; W16.of_int 1441; -W16.of_int 1441; W16.of_int 1441; W16.of_int 1441; W16.of_int 1441; -W16.of_int 1441; W16.of_int 1441; W16.of_int 1441; W16.of_int 1441; -W16.of_int 1441; W16.of_int 1441]. 
+abbrev kECCAK1600_RC = +(Array24.of_list witness +[(W64.of_int 1); (W64.of_int 32898); (W64.of_int (-9223372036854742902)); +(W64.of_int (-9223372034707259392)); (W64.of_int 32907); +(W64.of_int 2147483649); (W64.of_int (-9223372034707259263)); +(W64.of_int (-9223372036854743031)); (W64.of_int 138); (W64.of_int 136); +(W64.of_int 2147516425); (W64.of_int 2147483658); (W64.of_int 2147516555); +(W64.of_int (-9223372036854775669)); (W64.of_int (-9223372036854742903)); +(W64.of_int (-9223372036854743037)); (W64.of_int (-9223372036854743038)); +(W64.of_int (-9223372036854775680)); (W64.of_int 32778); +(W64.of_int (-9223372034707292150)); (W64.of_int (-9223372034707259263)); +(W64.of_int (-9223372036854742912)); (W64.of_int 2147483649); +(W64.of_int (-9223372034707259384))]). +abbrev jdmontx16 = +(Array16.of_list witness +[(W16.of_int 1353); (W16.of_int 1353); (W16.of_int 1353); (W16.of_int 1353); +(W16.of_int 1353); (W16.of_int 1353); (W16.of_int 1353); (W16.of_int 1353); +(W16.of_int 1353); (W16.of_int 1353); (W16.of_int 1353); (W16.of_int 1353); +(W16.of_int 1353); (W16.of_int 1353); (W16.of_int 1353); (W16.of_int 1353)]). -abbrev jvx16 = Array16.of_list witness [W16.of_int 20159; W16.of_int 20159; -W16.of_int 20159; W16.of_int 20159; W16.of_int 20159; W16.of_int 20159; -W16.of_int 20159; W16.of_int 20159; W16.of_int 20159; W16.of_int 20159; -W16.of_int 20159; W16.of_int 20159; W16.of_int 20159; W16.of_int 20159; -W16.of_int 20159; W16.of_int 20159]. +abbrev mqinvx16 = +(Array16.of_list witness +[(W16.of_int 15099); (W16.of_int 15099); (W16.of_int 15099); +(W16.of_int 15099); (W16.of_int 15099); (W16.of_int 15099); +(W16.of_int 15099); (W16.of_int 15099); (W16.of_int 15099); +(W16.of_int 15099); (W16.of_int 15099); (W16.of_int 15099); +(W16.of_int 15099); (W16.of_int 15099); (W16.of_int 15099); +(W16.of_int 15099)]). 
+abbrev hhqx16 = +(Array16.of_list witness +[(W16.of_int 832); (W16.of_int 832); (W16.of_int 832); (W16.of_int 832); +(W16.of_int 832); (W16.of_int 832); (W16.of_int 832); (W16.of_int 832); +(W16.of_int 832); (W16.of_int 832); (W16.of_int 832); (W16.of_int 832); +(W16.of_int 832); (W16.of_int 832); (W16.of_int 832); (W16.of_int 832)]). -abbrev jqinvx16 = Array16.of_list witness [W16.of_int (-3327); -W16.of_int (-3327); W16.of_int (-3327); W16.of_int (-3327); -W16.of_int (-3327); W16.of_int (-3327); W16.of_int (-3327); -W16.of_int (-3327); W16.of_int (-3327); W16.of_int (-3327); -W16.of_int (-3327); W16.of_int (-3327); W16.of_int (-3327); -W16.of_int (-3327); W16.of_int (-3327); W16.of_int (-3327)]. +abbrev hqx16_m1 = +(Array16.of_list witness +[(W16.of_int 1664); (W16.of_int 1664); (W16.of_int 1664); (W16.of_int 1664); +(W16.of_int 1664); (W16.of_int 1664); (W16.of_int 1664); (W16.of_int 1664); +(W16.of_int 1664); (W16.of_int 1664); (W16.of_int 1664); (W16.of_int 1664); +(W16.of_int 1664); (W16.of_int 1664); (W16.of_int 1664); (W16.of_int 1664)]). +abbrev hqx16_p1 = +(Array16.of_list witness +[(W16.of_int 1665); (W16.of_int 1665); (W16.of_int 1665); (W16.of_int 1665); +(W16.of_int 1665); (W16.of_int 1665); (W16.of_int 1665); (W16.of_int 1665); +(W16.of_int 1665); (W16.of_int 1665); (W16.of_int 1665); (W16.of_int 1665); +(W16.of_int 1665); (W16.of_int 1665); (W16.of_int 1665); (W16.of_int 1665)]). -abbrev jqx16 = Array16.of_list witness [W16.of_int 3329; W16.of_int 3329; -W16.of_int 3329; W16.of_int 3329; W16.of_int 3329; W16.of_int 3329; -W16.of_int 3329; W16.of_int 3329; W16.of_int 3329; W16.of_int 3329; -W16.of_int 3329; W16.of_int 3329; W16.of_int 3329; W16.of_int 3329; -W16.of_int 3329; W16.of_int 3329]. 
+abbrev maskx16 = +(Array16.of_list witness +[(W16.of_int 4095); (W16.of_int 4095); (W16.of_int 4095); (W16.of_int 4095); +(W16.of_int 4095); (W16.of_int 4095); (W16.of_int 4095); (W16.of_int 4095); +(W16.of_int 4095); (W16.of_int 4095); (W16.of_int 4095); (W16.of_int 4095); +(W16.of_int 4095); (W16.of_int 4095); (W16.of_int 4095); (W16.of_int 4095)]). +abbrev jflox16 = +(Array16.of_list witness +[(W16.of_int (-10079)); (W16.of_int (-10079)); (W16.of_int (-10079)); +(W16.of_int (-10079)); (W16.of_int (-10079)); (W16.of_int (-10079)); +(W16.of_int (-10079)); (W16.of_int (-10079)); (W16.of_int (-10079)); +(W16.of_int (-10079)); (W16.of_int (-10079)); (W16.of_int (-10079)); +(W16.of_int (-10079)); (W16.of_int (-10079)); (W16.of_int (-10079)); +(W16.of_int (-10079))]). -abbrev jzetas_inv_exp = Array400.of_list witness [W16.of_int (-23131); -W16.of_int (-7756); W16.of_int 20258; W16.of_int 23860; W16.of_int 17443; -W16.of_int (-23210); W16.of_int 20199; W16.of_int 21498; W16.of_int (-14469); -W16.of_int 11045; W16.of_int 14903; W16.of_int 6280; W16.of_int 32385; -W16.of_int (-15355); W16.of_int (-2145); W16.of_int (-20296); -W16.of_int 1701; W16.of_int 1460; W16.of_int 2338; W16.of_int 308; -W16.of_int 2851; W16.of_int 854; W16.of_int 2535; W16.of_int 1530; -W16.of_int 1659; W16.of_int 3109; W16.of_int 1335; W16.of_int 136; -W16.of_int 2945; W16.of_int 1285; W16.of_int 2719; W16.of_int 2232; -W16.of_int 17423; W16.of_int (-23997); W16.of_int (-28643); -W16.of_int (-31636); W16.of_int (-10906); W16.of_int 22502; W16.of_int 7934; -W16.of_int (-10335); W16.of_int (-16989); W16.of_int (-24214); -W16.of_int (-10945); W16.of_int 20927; W16.of_int (-24391); W16.of_int 7383; -W16.of_int (-25434); W16.of_int 31184; W16.of_int 1807; W16.of_int 2371; -W16.of_int 2333; W16.of_int 108; W16.of_int 870; W16.of_int 1510; -W16.of_int 1278; W16.of_int 1185; W16.of_int 1187; W16.of_int 874; -W16.of_int 2111; W16.of_int 1215; W16.of_int 1465; W16.of_int 2007; -W16.of_int 2726; W16.of_int 
2512; W16.of_int 17915; W16.of_int 24156; -W16.of_int (-4311); W16.of_int (-16831); W16.of_int 12757; W16.of_int 29156; -W16.of_int (-14016); W16.of_int (-13426); W16.of_int (-18249); -W16.of_int 30199; W16.of_int (-9075); W16.of_int 28310; W16.of_int 8899; -W16.of_int 15887; W16.of_int 28250; W16.of_int (-19883); W16.of_int 1275; -W16.of_int 2652; W16.of_int 1065; W16.of_int 2881; W16.of_int 725; -W16.of_int 1508; W16.of_int 2368; W16.of_int 398; W16.of_int 951; -W16.of_int 247; W16.of_int 1421; W16.of_int 3222; W16.of_int 2499; -W16.of_int 271; W16.of_int 90; W16.of_int 853; W16.of_int 16163; -W16.of_int 16163; W16.of_int (-26675); W16.of_int (-26675); -W16.of_int (-8858); W16.of_int (-8858); W16.of_int (-18426); -W16.of_int (-18426); W16.of_int (-8799); W16.of_int (-8799); -W16.of_int 10533; W16.of_int 10533; W16.of_int (-24312); W16.of_int (-24312); -W16.of_int 28073; W16.of_int 28073; W16.of_int 1571; W16.of_int 1571; -W16.of_int 205; W16.of_int 205; W16.of_int 2918; W16.of_int 2918; -W16.of_int 1542; W16.of_int 1542; W16.of_int 2721; W16.of_int 2721; -W16.of_int 2597; W16.of_int 2597; W16.of_int 2312; W16.of_int 2312; -W16.of_int 681; W16.of_int 681; W16.of_int (-31163); W16.of_int (-31163); -W16.of_int (-31163); W16.of_int (-31163); W16.of_int 11202; W16.of_int 11202; -W16.of_int 11202; W16.of_int 11202; W16.of_int (-1358); W16.of_int (-1358); -W16.of_int (-1358); W16.of_int (-1358); W16.of_int (-10689); -W16.of_int (-10689); W16.of_int (-10689); W16.of_int (-10689); -W16.of_int 1861; W16.of_int 1861; W16.of_int 1861; W16.of_int 1861; -W16.of_int 1474; W16.of_int 1474; W16.of_int 1474; W16.of_int 1474; -W16.of_int 1202; W16.of_int 1202; W16.of_int 1202; W16.of_int 1202; -W16.of_int 2367; W16.of_int 2367; W16.of_int 2367; W16.of_int 2367; -W16.of_int 16695; W16.of_int 16695; W16.of_int 16695; W16.of_int 16695; -W16.of_int 16695; W16.of_int 16695; W16.of_int 16695; W16.of_int 16695; -W16.of_int (-28190); W16.of_int (-28190); W16.of_int (-28190); -W16.of_int 
(-28190); W16.of_int (-28190); W16.of_int (-28190); -W16.of_int (-28190); W16.of_int (-28190); W16.of_int 3127; W16.of_int 3127; -W16.of_int 3127; W16.of_int 3127; W16.of_int 3127; W16.of_int 3127; -W16.of_int 3127; W16.of_int 3127; W16.of_int 3042; W16.of_int 3042; -W16.of_int 3042; W16.of_int 3042; W16.of_int 3042; W16.of_int 3042; -W16.of_int 3042; W16.of_int 3042; W16.of_int (-787); W16.of_int (-787); -W16.of_int 1517; W16.of_int 1517; W16.of_int 12619; W16.of_int (-19528); -W16.of_int (-18524); W16.of_int (-20099); W16.of_int (-12638); -W16.of_int 18742; W16.of_int (-30317); W16.of_int 32503; W16.of_int (-5492); -W16.of_int (-23092); W16.of_int 4587; W16.of_int (-13130); W16.of_int 21656; -W16.of_int 14234; W16.of_int (-13386); W16.of_int (-11181); W16.of_int 75; -W16.of_int 3000; W16.of_int 2980; W16.of_int 2685; W16.of_int 2210; -W16.of_int 1846; W16.of_int 147; W16.of_int 2551; W16.of_int 1676; -W16.of_int 460; W16.of_int 235; W16.of_int 2742; W16.of_int 3224; -W16.of_int 2458; W16.of_int 2486; W16.of_int 2899; W16.of_int 5276; -W16.of_int 14431; W16.of_int (-17560); W16.of_int 18486; W16.of_int 28762; -W16.of_int (-29175); W16.of_int (-10630); W16.of_int (-32010); -W16.of_int (-6181); W16.of_int 14883; W16.of_int (-944); W16.of_int 27739; -W16.of_int (-20493); W16.of_int 32227; W16.of_int 11478; W16.of_int 335; -W16.of_int 156; W16.of_int 2911; W16.of_int 872; W16.of_int 1590; -W16.of_int 602; W16.of_int 777; W16.of_int 2170; W16.of_int 246; -W16.of_int 1755; W16.of_int 291; W16.of_int 3152; W16.of_int 2907; -W16.of_int 1779; W16.of_int 1251; W16.of_int 2774; W16.of_int 1103; -W16.of_int (-27836); W16.of_int 25987; W16.of_int 650; W16.of_int (-9134); -W16.of_int 12442; W16.of_int (-16064); W16.of_int (-26616); W16.of_int 12797; -W16.of_int (-25080); W16.of_int (-20710); W16.of_int (-20178); -W16.of_int 23565; W16.of_int (-30966); W16.of_int (-1496); W16.of_int 6517; -W16.of_int 5690; W16.of_int 1860; W16.of_int 3203; W16.of_int 1162; -W16.of_int 1618; 
W16.of_int 666; W16.of_int 320; W16.of_int 8; -W16.of_int 2813; W16.of_int 1544; W16.of_int 282; W16.of_int 1838; -W16.of_int 1293; W16.of_int 2314; W16.of_int 552; W16.of_int 2677; -W16.of_int 2106; W16.of_int 26242; W16.of_int 26242; W16.of_int (-21438); -W16.of_int (-21438); W16.of_int 1103; W16.of_int 1103; W16.of_int (-5571); -W16.of_int (-5571); W16.of_int 29058; W16.of_int 29058; W16.of_int 26361; -W16.of_int 26361; W16.of_int (-17363); W16.of_int (-17363); W16.of_int 5828; -W16.of_int 5828; W16.of_int 130; W16.of_int 130; W16.of_int 1602; -W16.of_int 1602; W16.of_int 1871; W16.of_int 1871; W16.of_int 829; -W16.of_int 829; W16.of_int 2946; W16.of_int 2946; W16.of_int 3065; -W16.of_int 3065; W16.of_int 1325; W16.of_int 1325; W16.of_int 2756; -W16.of_int 2756; W16.of_int 15691; W16.of_int 15691; W16.of_int 15691; -W16.of_int 15691; W16.of_int 3800; W16.of_int 3800; W16.of_int 3800; -W16.of_int 3800; W16.of_int (-27757); W16.of_int (-27757); -W16.of_int (-27757); W16.of_int (-27757); W16.of_int 20907; W16.of_int 20907; -W16.of_int 20907; W16.of_int 20907; W16.of_int 3147; W16.of_int 3147; -W16.of_int 3147; W16.of_int 3147; W16.of_int 1752; W16.of_int 1752; -W16.of_int 1752; W16.of_int 1752; W16.of_int 2707; W16.of_int 2707; -W16.of_int 2707; W16.of_int 2707; W16.of_int 171; W16.of_int 171; -W16.of_int 171; W16.of_int 171; W16.of_int 12403; W16.of_int 12403; -W16.of_int 12403; W16.of_int 12403; W16.of_int 12403; W16.of_int 12403; -W16.of_int 12403; W16.of_int 12403; W16.of_int (-13524); W16.of_int (-13524); -W16.of_int (-13524); W16.of_int (-13524); W16.of_int (-13524); -W16.of_int (-13524); W16.of_int (-13524); W16.of_int (-13524); -W16.of_int 1907; W16.of_int 1907; W16.of_int 1907; W16.of_int 1907; -W16.of_int 1907; W16.of_int 1907; W16.of_int 1907; W16.of_int 1907; -W16.of_int 1836; W16.of_int 1836; W16.of_int 1836; W16.of_int 1836; -W16.of_int 1836; W16.of_int 1836; W16.of_int 1836; W16.of_int 1836; -W16.of_int (-14745); W16.of_int (-14745); W16.of_int 359; 
W16.of_int 359; -W16.of_int (-5236); W16.of_int (-5236); W16.of_int 1932; W16.of_int 1932; -W16.of_int 0; W16.of_int 0; W16.of_int 0; W16.of_int 0]. +abbrev jfhix16 = +(Array16.of_list witness +[(W16.of_int 1441); (W16.of_int 1441); (W16.of_int 1441); (W16.of_int 1441); +(W16.of_int 1441); (W16.of_int 1441); (W16.of_int 1441); (W16.of_int 1441); +(W16.of_int 1441); (W16.of_int 1441); (W16.of_int 1441); (W16.of_int 1441); +(W16.of_int 1441); (W16.of_int 1441); (W16.of_int 1441); (W16.of_int 1441)]). +abbrev jvx16 = +(Array16.of_list witness +[(W16.of_int 20159); (W16.of_int 20159); (W16.of_int 20159); +(W16.of_int 20159); (W16.of_int 20159); (W16.of_int 20159); +(W16.of_int 20159); (W16.of_int 20159); (W16.of_int 20159); +(W16.of_int 20159); (W16.of_int 20159); (W16.of_int 20159); +(W16.of_int 20159); (W16.of_int 20159); (W16.of_int 20159); +(W16.of_int 20159)]). -abbrev jzetas_exp = Array400.of_list witness [W16.of_int 31499; -W16.of_int 31499; W16.of_int 2571; W16.of_int 2571; W16.of_int 14746; -W16.of_int 14746; W16.of_int 2970; W16.of_int 2970; W16.of_int 13525; -W16.of_int 13525; W16.of_int 13525; W16.of_int 13525; W16.of_int 13525; -W16.of_int 13525; W16.of_int 13525; W16.of_int 13525; W16.of_int (-12402); -W16.of_int (-12402); W16.of_int (-12402); W16.of_int (-12402); -W16.of_int (-12402); W16.of_int (-12402); W16.of_int (-12402); -W16.of_int (-12402); W16.of_int 1493; W16.of_int 1493; W16.of_int 1493; -W16.of_int 1493; W16.of_int 1493; W16.of_int 1493; W16.of_int 1493; -W16.of_int 1493; W16.of_int 1422; W16.of_int 1422; W16.of_int 1422; -W16.of_int 1422; W16.of_int 1422; W16.of_int 1422; W16.of_int 1422; -W16.of_int 1422; W16.of_int (-20906); W16.of_int (-20906); -W16.of_int (-20906); W16.of_int (-20906); W16.of_int 27758; W16.of_int 27758; -W16.of_int 27758; W16.of_int 27758; W16.of_int (-3799); W16.of_int (-3799); -W16.of_int (-3799); W16.of_int (-3799); W16.of_int (-15690); -W16.of_int (-15690); W16.of_int (-15690); W16.of_int (-15690); -W16.of_int 3158; 
W16.of_int 3158; W16.of_int 3158; W16.of_int 3158; -W16.of_int 622; W16.of_int 622; W16.of_int 622; W16.of_int 622; -W16.of_int 1577; W16.of_int 1577; W16.of_int 1577; W16.of_int 1577; -W16.of_int 182; W16.of_int 182; W16.of_int 182; W16.of_int 182; -W16.of_int (-5827); W16.of_int (-5827); W16.of_int 17364; W16.of_int 17364; -W16.of_int (-26360); W16.of_int (-26360); W16.of_int (-29057); -W16.of_int (-29057); W16.of_int 5572; W16.of_int 5572; W16.of_int (-1102); -W16.of_int (-1102); W16.of_int 21439; W16.of_int 21439; W16.of_int (-26241); -W16.of_int (-26241); W16.of_int 573; W16.of_int 573; W16.of_int 2004; -W16.of_int 2004; W16.of_int 264; W16.of_int 264; W16.of_int 383; -W16.of_int 383; W16.of_int 2500; W16.of_int 2500; W16.of_int 1458; -W16.of_int 1458; W16.of_int 1727; W16.of_int 1727; W16.of_int 3199; -W16.of_int 3199; W16.of_int (-5689); W16.of_int (-6516); W16.of_int 1497; -W16.of_int 30967; W16.of_int (-23564); W16.of_int 20179; W16.of_int 20711; -W16.of_int 25081; W16.of_int (-12796); W16.of_int 26617; W16.of_int 16065; -W16.of_int (-12441); W16.of_int 9135; W16.of_int (-649); W16.of_int (-25986); -W16.of_int 27837; W16.of_int 1223; W16.of_int 652; W16.of_int 2777; -W16.of_int 1015; W16.of_int 2036; W16.of_int 1491; W16.of_int 3047; -W16.of_int 1785; W16.of_int 516; W16.of_int 3321; W16.of_int 3009; -W16.of_int 2663; W16.of_int 1711; W16.of_int 2167; W16.of_int 126; -W16.of_int 1469; W16.of_int (-334); W16.of_int (-11477); W16.of_int (-32226); -W16.of_int 20494; W16.of_int (-27738); W16.of_int 945; W16.of_int (-14882); -W16.of_int 6182; W16.of_int 32011; W16.of_int 10631; W16.of_int 29176; -W16.of_int (-28761); W16.of_int (-18485); W16.of_int 17561; -W16.of_int (-14430); W16.of_int (-5275); W16.of_int 2226; W16.of_int 555; -W16.of_int 2078; W16.of_int 1550; W16.of_int 422; W16.of_int 177; -W16.of_int 3038; W16.of_int 1574; W16.of_int 3083; W16.of_int 1159; -W16.of_int 2552; W16.of_int 2727; W16.of_int 1739; W16.of_int 2457; -W16.of_int 418; W16.of_int 
3173; W16.of_int 11182; W16.of_int 13387; -W16.of_int (-14233); W16.of_int (-21655); W16.of_int 13131; -W16.of_int (-4586); W16.of_int 23093; W16.of_int 5493; W16.of_int (-32502); -W16.of_int 30318; W16.of_int (-18741); W16.of_int 12639; W16.of_int 20100; -W16.of_int 18525; W16.of_int 19529; W16.of_int (-12618); W16.of_int 430; -W16.of_int 843; W16.of_int 871; W16.of_int 105; W16.of_int 587; -W16.of_int 3094; W16.of_int 2869; W16.of_int 1653; W16.of_int 778; -W16.of_int 3182; W16.of_int 1483; W16.of_int 1119; W16.of_int 644; -W16.of_int 349; W16.of_int 329; W16.of_int 3254; W16.of_int 788; -W16.of_int 788; W16.of_int 1812; W16.of_int 1812; W16.of_int 28191; -W16.of_int 28191; W16.of_int 28191; W16.of_int 28191; W16.of_int 28191; -W16.of_int 28191; W16.of_int 28191; W16.of_int 28191; W16.of_int (-16694); -W16.of_int (-16694); W16.of_int (-16694); W16.of_int (-16694); -W16.of_int (-16694); W16.of_int (-16694); W16.of_int (-16694); -W16.of_int (-16694); W16.of_int 287; W16.of_int 287; W16.of_int 287; -W16.of_int 287; W16.of_int 287; W16.of_int 287; W16.of_int 287; -W16.of_int 287; W16.of_int 202; W16.of_int 202; W16.of_int 202; -W16.of_int 202; W16.of_int 202; W16.of_int 202; W16.of_int 202; -W16.of_int 202; W16.of_int 10690; W16.of_int 10690; W16.of_int 10690; -W16.of_int 10690; W16.of_int 1359; W16.of_int 1359; W16.of_int 1359; -W16.of_int 1359; W16.of_int (-11201); W16.of_int (-11201); -W16.of_int (-11201); W16.of_int (-11201); W16.of_int 31164; W16.of_int 31164; -W16.of_int 31164; W16.of_int 31164; W16.of_int 962; W16.of_int 962; -W16.of_int 962; W16.of_int 962; W16.of_int 2127; W16.of_int 2127; -W16.of_int 2127; W16.of_int 2127; W16.of_int 1855; W16.of_int 1855; -W16.of_int 1855; W16.of_int 1855; W16.of_int 1468; W16.of_int 1468; -W16.of_int 1468; W16.of_int 1468; W16.of_int (-28072); W16.of_int (-28072); -W16.of_int 24313; W16.of_int 24313; W16.of_int (-10532); W16.of_int (-10532); -W16.of_int 8800; W16.of_int 8800; W16.of_int 18427; W16.of_int 18427; 
-W16.of_int 8859; W16.of_int 8859; W16.of_int 26676; W16.of_int 26676; -W16.of_int (-16162); W16.of_int (-16162); W16.of_int 2648; W16.of_int 2648; -W16.of_int 1017; W16.of_int 1017; W16.of_int 732; W16.of_int 732; -W16.of_int 608; W16.of_int 608; W16.of_int 1787; W16.of_int 1787; -W16.of_int 411; W16.of_int 411; W16.of_int 3124; W16.of_int 3124; -W16.of_int 1758; W16.of_int 1758; W16.of_int 19884; W16.of_int (-28249); -W16.of_int (-15886); W16.of_int (-8898); W16.of_int (-28309); -W16.of_int 9076; W16.of_int (-30198); W16.of_int 18250; W16.of_int 13427; -W16.of_int 14017; W16.of_int (-29155); W16.of_int (-12756); W16.of_int 16832; -W16.of_int 4312; W16.of_int (-24155); W16.of_int (-17914); W16.of_int 2476; -W16.of_int 3239; W16.of_int 3058; W16.of_int 830; W16.of_int 107; -W16.of_int 1908; W16.of_int 3082; W16.of_int 2378; W16.of_int 2931; -W16.of_int 961; W16.of_int 1821; W16.of_int 2604; W16.of_int 448; -W16.of_int 2264; W16.of_int 677; W16.of_int 2054; W16.of_int (-31183); -W16.of_int 25435; W16.of_int (-7382); W16.of_int 24392; W16.of_int (-20926); -W16.of_int 10946; W16.of_int 24215; W16.of_int 16990; W16.of_int 10336; -W16.of_int (-7933); W16.of_int (-22501); W16.of_int 10907; W16.of_int 31637; -W16.of_int 28644; W16.of_int 23998; W16.of_int (-17422); W16.of_int 817; -W16.of_int 603; W16.of_int 1322; W16.of_int 1864; W16.of_int 2114; -W16.of_int 1218; W16.of_int 2455; W16.of_int 2142; W16.of_int 2144; -W16.of_int 2051; W16.of_int 1819; W16.of_int 2459; W16.of_int 3221; -W16.of_int 996; W16.of_int 958; W16.of_int 1522; W16.of_int 20297; -W16.of_int 2146; W16.of_int 15356; W16.of_int (-32384); W16.of_int (-6279); -W16.of_int (-14902); W16.of_int (-11044); W16.of_int 14470; -W16.of_int (-21497); W16.of_int (-20198); W16.of_int 23211; -W16.of_int (-17442); W16.of_int (-23859); W16.of_int (-20257); -W16.of_int 7757; W16.of_int 23132; W16.of_int 1097; W16.of_int 610; -W16.of_int 2044; W16.of_int 384; W16.of_int 3193; W16.of_int 1994; -W16.of_int 220; W16.of_int 
1670; W16.of_int 1799; W16.of_int 794; -W16.of_int 2475; W16.of_int 478; W16.of_int 3021; W16.of_int 991; -W16.of_int 1869; W16.of_int 1628; W16.of_int 0; W16.of_int 0; W16.of_int 0; -W16.of_int 0]. +abbrev jqinvx16 = +(Array16.of_list witness +[(W16.of_int (-3327)); (W16.of_int (-3327)); (W16.of_int (-3327)); +(W16.of_int (-3327)); (W16.of_int (-3327)); (W16.of_int (-3327)); +(W16.of_int (-3327)); (W16.of_int (-3327)); (W16.of_int (-3327)); +(W16.of_int (-3327)); (W16.of_int (-3327)); (W16.of_int (-3327)); +(W16.of_int (-3327)); (W16.of_int (-3327)); (W16.of_int (-3327)); +(W16.of_int (-3327))]). +abbrev jqx16 = +(Array16.of_list witness +[(W16.of_int 3329); (W16.of_int 3329); (W16.of_int 3329); (W16.of_int 3329); +(W16.of_int 3329); (W16.of_int 3329); (W16.of_int 3329); (W16.of_int 3329); +(W16.of_int 3329); (W16.of_int 3329); (W16.of_int 3329); (W16.of_int 3329); +(W16.of_int 3329); (W16.of_int 3329); (W16.of_int 3329); (W16.of_int 3329)]). -abbrev jzetas_inv = Array128.of_list witness [W16.of_int 1701; -W16.of_int 1807; W16.of_int 1460; W16.of_int 2371; W16.of_int 2338; -W16.of_int 2333; W16.of_int 308; W16.of_int 108; W16.of_int 2851; -W16.of_int 870; W16.of_int 854; W16.of_int 1510; W16.of_int 2535; -W16.of_int 1278; W16.of_int 1530; W16.of_int 1185; W16.of_int 1659; -W16.of_int 1187; W16.of_int 3109; W16.of_int 874; W16.of_int 1335; -W16.of_int 2111; W16.of_int 136; W16.of_int 1215; W16.of_int 2945; -W16.of_int 1465; W16.of_int 1285; W16.of_int 2007; W16.of_int 2719; -W16.of_int 2726; W16.of_int 2232; W16.of_int 2512; W16.of_int 75; -W16.of_int 156; W16.of_int 3000; W16.of_int 2911; W16.of_int 2980; -W16.of_int 872; W16.of_int 2685; W16.of_int 1590; W16.of_int 2210; -W16.of_int 602; W16.of_int 1846; W16.of_int 777; W16.of_int 147; -W16.of_int 2170; W16.of_int 2551; W16.of_int 246; W16.of_int 1676; -W16.of_int 1755; W16.of_int 460; W16.of_int 291; W16.of_int 235; -W16.of_int 3152; W16.of_int 2742; W16.of_int 2907; W16.of_int 3224; -W16.of_int 1779; W16.of_int 
2458; W16.of_int 1251; W16.of_int 2486; -W16.of_int 2774; W16.of_int 2899; W16.of_int 1103; W16.of_int 1275; -W16.of_int 2652; W16.of_int 1065; W16.of_int 2881; W16.of_int 725; -W16.of_int 1508; W16.of_int 2368; W16.of_int 398; W16.of_int 951; -W16.of_int 247; W16.of_int 1421; W16.of_int 3222; W16.of_int 2499; -W16.of_int 271; W16.of_int 90; W16.of_int 853; W16.of_int 1860; -W16.of_int 3203; W16.of_int 1162; W16.of_int 1618; W16.of_int 666; -W16.of_int 320; W16.of_int 8; W16.of_int 2813; W16.of_int 1544; -W16.of_int 282; W16.of_int 1838; W16.of_int 1293; W16.of_int 2314; -W16.of_int 552; W16.of_int 2677; W16.of_int 2106; W16.of_int 1571; -W16.of_int 205; W16.of_int 2918; W16.of_int 1542; W16.of_int 2721; -W16.of_int 2597; W16.of_int 2312; W16.of_int 681; W16.of_int 130; -W16.of_int 1602; W16.of_int 1871; W16.of_int 829; W16.of_int 2946; -W16.of_int 3065; W16.of_int 1325; W16.of_int 2756; W16.of_int 1861; -W16.of_int 1474; W16.of_int 1202; W16.of_int 2367; W16.of_int 3147; -W16.of_int 1752; W16.of_int 2707; W16.of_int 171; W16.of_int 3127; -W16.of_int 3042; W16.of_int 1907; W16.of_int 1836; W16.of_int 1517; -W16.of_int 359; W16.of_int 758; W16.of_int 1441]. 
+abbrev jzetas_inv_exp = +(Array400.of_list witness +[(W16.of_int (-23131)); (W16.of_int (-7756)); (W16.of_int 20258); +(W16.of_int 23860); (W16.of_int 17443); (W16.of_int (-23210)); +(W16.of_int 20199); (W16.of_int 21498); (W16.of_int (-14469)); +(W16.of_int 11045); (W16.of_int 14903); (W16.of_int 6280); +(W16.of_int 32385); (W16.of_int (-15355)); (W16.of_int (-2145)); +(W16.of_int (-20296)); (W16.of_int 1701); (W16.of_int 1460); +(W16.of_int 2338); (W16.of_int 308); (W16.of_int 2851); (W16.of_int 854); +(W16.of_int 2535); (W16.of_int 1530); (W16.of_int 1659); (W16.of_int 3109); +(W16.of_int 1335); (W16.of_int 136); (W16.of_int 2945); (W16.of_int 1285); +(W16.of_int 2719); (W16.of_int 2232); (W16.of_int 17423); +(W16.of_int (-23997)); (W16.of_int (-28643)); (W16.of_int (-31636)); +(W16.of_int (-10906)); (W16.of_int 22502); (W16.of_int 7934); +(W16.of_int (-10335)); (W16.of_int (-16989)); (W16.of_int (-24214)); +(W16.of_int (-10945)); (W16.of_int 20927); (W16.of_int (-24391)); +(W16.of_int 7383); (W16.of_int (-25434)); (W16.of_int 31184); +(W16.of_int 1807); (W16.of_int 2371); (W16.of_int 2333); (W16.of_int 108); +(W16.of_int 870); (W16.of_int 1510); (W16.of_int 1278); (W16.of_int 1185); +(W16.of_int 1187); (W16.of_int 874); (W16.of_int 2111); (W16.of_int 1215); +(W16.of_int 1465); (W16.of_int 2007); (W16.of_int 2726); (W16.of_int 2512); +(W16.of_int 17915); (W16.of_int 24156); (W16.of_int (-4311)); +(W16.of_int (-16831)); (W16.of_int 12757); (W16.of_int 29156); +(W16.of_int (-14016)); (W16.of_int (-13426)); (W16.of_int (-18249)); +(W16.of_int 30199); (W16.of_int (-9075)); (W16.of_int 28310); +(W16.of_int 8899); (W16.of_int 15887); (W16.of_int 28250); +(W16.of_int (-19883)); (W16.of_int 1275); (W16.of_int 2652); +(W16.of_int 1065); (W16.of_int 2881); (W16.of_int 725); (W16.of_int 1508); +(W16.of_int 2368); (W16.of_int 398); (W16.of_int 951); (W16.of_int 247); +(W16.of_int 1421); (W16.of_int 3222); (W16.of_int 2499); (W16.of_int 271); +(W16.of_int 90); (W16.of_int 
853); (W16.of_int 16163); (W16.of_int 16163); +(W16.of_int (-26675)); (W16.of_int (-26675)); (W16.of_int (-8858)); +(W16.of_int (-8858)); (W16.of_int (-18426)); (W16.of_int (-18426)); +(W16.of_int (-8799)); (W16.of_int (-8799)); (W16.of_int 10533); +(W16.of_int 10533); (W16.of_int (-24312)); (W16.of_int (-24312)); +(W16.of_int 28073); (W16.of_int 28073); (W16.of_int 1571); (W16.of_int 1571); +(W16.of_int 205); (W16.of_int 205); (W16.of_int 2918); (W16.of_int 2918); +(W16.of_int 1542); (W16.of_int 1542); (W16.of_int 2721); (W16.of_int 2721); +(W16.of_int 2597); (W16.of_int 2597); (W16.of_int 2312); (W16.of_int 2312); +(W16.of_int 681); (W16.of_int 681); (W16.of_int (-31163)); +(W16.of_int (-31163)); (W16.of_int (-31163)); (W16.of_int (-31163)); +(W16.of_int 11202); (W16.of_int 11202); (W16.of_int 11202); +(W16.of_int 11202); (W16.of_int (-1358)); (W16.of_int (-1358)); +(W16.of_int (-1358)); (W16.of_int (-1358)); (W16.of_int (-10689)); +(W16.of_int (-10689)); (W16.of_int (-10689)); (W16.of_int (-10689)); +(W16.of_int 1861); (W16.of_int 1861); (W16.of_int 1861); (W16.of_int 1861); +(W16.of_int 1474); (W16.of_int 1474); (W16.of_int 1474); (W16.of_int 1474); +(W16.of_int 1202); (W16.of_int 1202); (W16.of_int 1202); (W16.of_int 1202); +(W16.of_int 2367); (W16.of_int 2367); (W16.of_int 2367); (W16.of_int 2367); +(W16.of_int 16695); (W16.of_int 16695); (W16.of_int 16695); +(W16.of_int 16695); (W16.of_int 16695); (W16.of_int 16695); +(W16.of_int 16695); (W16.of_int 16695); (W16.of_int (-28190)); +(W16.of_int (-28190)); (W16.of_int (-28190)); (W16.of_int (-28190)); +(W16.of_int (-28190)); (W16.of_int (-28190)); (W16.of_int (-28190)); +(W16.of_int (-28190)); (W16.of_int 3127); (W16.of_int 3127); +(W16.of_int 3127); (W16.of_int 3127); (W16.of_int 3127); (W16.of_int 3127); +(W16.of_int 3127); (W16.of_int 3127); (W16.of_int 3042); (W16.of_int 3042); +(W16.of_int 3042); (W16.of_int 3042); (W16.of_int 3042); (W16.of_int 3042); +(W16.of_int 3042); (W16.of_int 3042); (W16.of_int 
(-787)); +(W16.of_int (-787)); (W16.of_int 1517); (W16.of_int 1517); +(W16.of_int 12619); (W16.of_int (-19528)); (W16.of_int (-18524)); +(W16.of_int (-20099)); (W16.of_int (-12638)); (W16.of_int 18742); +(W16.of_int (-30317)); (W16.of_int 32503); (W16.of_int (-5492)); +(W16.of_int (-23092)); (W16.of_int 4587); (W16.of_int (-13130)); +(W16.of_int 21656); (W16.of_int 14234); (W16.of_int (-13386)); +(W16.of_int (-11181)); (W16.of_int 75); (W16.of_int 3000); (W16.of_int 2980); +(W16.of_int 2685); (W16.of_int 2210); (W16.of_int 1846); (W16.of_int 147); +(W16.of_int 2551); (W16.of_int 1676); (W16.of_int 460); (W16.of_int 235); +(W16.of_int 2742); (W16.of_int 3224); (W16.of_int 2458); (W16.of_int 2486); +(W16.of_int 2899); (W16.of_int 5276); (W16.of_int 14431); +(W16.of_int (-17560)); (W16.of_int 18486); (W16.of_int 28762); +(W16.of_int (-29175)); (W16.of_int (-10630)); (W16.of_int (-32010)); +(W16.of_int (-6181)); (W16.of_int 14883); (W16.of_int (-944)); +(W16.of_int 27739); (W16.of_int (-20493)); (W16.of_int 32227); +(W16.of_int 11478); (W16.of_int 335); (W16.of_int 156); (W16.of_int 2911); +(W16.of_int 872); (W16.of_int 1590); (W16.of_int 602); (W16.of_int 777); +(W16.of_int 2170); (W16.of_int 246); (W16.of_int 1755); (W16.of_int 291); +(W16.of_int 3152); (W16.of_int 2907); (W16.of_int 1779); (W16.of_int 1251); +(W16.of_int 2774); (W16.of_int 1103); (W16.of_int (-27836)); +(W16.of_int 25987); (W16.of_int 650); (W16.of_int (-9134)); +(W16.of_int 12442); (W16.of_int (-16064)); (W16.of_int (-26616)); +(W16.of_int 12797); (W16.of_int (-25080)); (W16.of_int (-20710)); +(W16.of_int (-20178)); (W16.of_int 23565); (W16.of_int (-30966)); +(W16.of_int (-1496)); (W16.of_int 6517); (W16.of_int 5690); +(W16.of_int 1860); (W16.of_int 3203); (W16.of_int 1162); (W16.of_int 1618); +(W16.of_int 666); (W16.of_int 320); (W16.of_int 8); (W16.of_int 2813); +(W16.of_int 1544); (W16.of_int 282); (W16.of_int 1838); (W16.of_int 1293); +(W16.of_int 2314); (W16.of_int 552); (W16.of_int 2677); 
(W16.of_int 2106); +(W16.of_int 26242); (W16.of_int 26242); (W16.of_int (-21438)); +(W16.of_int (-21438)); (W16.of_int 1103); (W16.of_int 1103); +(W16.of_int (-5571)); (W16.of_int (-5571)); (W16.of_int 29058); +(W16.of_int 29058); (W16.of_int 26361); (W16.of_int 26361); +(W16.of_int (-17363)); (W16.of_int (-17363)); (W16.of_int 5828); +(W16.of_int 5828); (W16.of_int 130); (W16.of_int 130); (W16.of_int 1602); +(W16.of_int 1602); (W16.of_int 1871); (W16.of_int 1871); (W16.of_int 829); +(W16.of_int 829); (W16.of_int 2946); (W16.of_int 2946); (W16.of_int 3065); +(W16.of_int 3065); (W16.of_int 1325); (W16.of_int 1325); (W16.of_int 2756); +(W16.of_int 2756); (W16.of_int 15691); (W16.of_int 15691); +(W16.of_int 15691); (W16.of_int 15691); (W16.of_int 3800); (W16.of_int 3800); +(W16.of_int 3800); (W16.of_int 3800); (W16.of_int (-27757)); +(W16.of_int (-27757)); (W16.of_int (-27757)); (W16.of_int (-27757)); +(W16.of_int 20907); (W16.of_int 20907); (W16.of_int 20907); +(W16.of_int 20907); (W16.of_int 3147); (W16.of_int 3147); (W16.of_int 3147); +(W16.of_int 3147); (W16.of_int 1752); (W16.of_int 1752); (W16.of_int 1752); +(W16.of_int 1752); (W16.of_int 2707); (W16.of_int 2707); (W16.of_int 2707); +(W16.of_int 2707); (W16.of_int 171); (W16.of_int 171); (W16.of_int 171); +(W16.of_int 171); (W16.of_int 12403); (W16.of_int 12403); (W16.of_int 12403); +(W16.of_int 12403); (W16.of_int 12403); (W16.of_int 12403); +(W16.of_int 12403); (W16.of_int 12403); (W16.of_int (-13524)); +(W16.of_int (-13524)); (W16.of_int (-13524)); (W16.of_int (-13524)); +(W16.of_int (-13524)); (W16.of_int (-13524)); (W16.of_int (-13524)); +(W16.of_int (-13524)); (W16.of_int 1907); (W16.of_int 1907); +(W16.of_int 1907); (W16.of_int 1907); (W16.of_int 1907); (W16.of_int 1907); +(W16.of_int 1907); (W16.of_int 1907); (W16.of_int 1836); (W16.of_int 1836); +(W16.of_int 1836); (W16.of_int 1836); (W16.of_int 1836); (W16.of_int 1836); +(W16.of_int 1836); (W16.of_int 1836); (W16.of_int (-14745)); +(W16.of_int 
(-14745)); (W16.of_int 359); (W16.of_int 359); +(W16.of_int (-5236)); (W16.of_int (-5236)); (W16.of_int 1932); +(W16.of_int 1932); (W16.of_int 0); (W16.of_int 0); (W16.of_int 0); +(W16.of_int 0)]). +abbrev jzetas_exp = +(Array400.of_list witness +[(W16.of_int 31499); (W16.of_int 31499); (W16.of_int 2571); +(W16.of_int 2571); (W16.of_int 14746); (W16.of_int 14746); (W16.of_int 2970); +(W16.of_int 2970); (W16.of_int 13525); (W16.of_int 13525); +(W16.of_int 13525); (W16.of_int 13525); (W16.of_int 13525); +(W16.of_int 13525); (W16.of_int 13525); (W16.of_int 13525); +(W16.of_int (-12402)); (W16.of_int (-12402)); (W16.of_int (-12402)); +(W16.of_int (-12402)); (W16.of_int (-12402)); (W16.of_int (-12402)); +(W16.of_int (-12402)); (W16.of_int (-12402)); (W16.of_int 1493); +(W16.of_int 1493); (W16.of_int 1493); (W16.of_int 1493); (W16.of_int 1493); +(W16.of_int 1493); (W16.of_int 1493); (W16.of_int 1493); (W16.of_int 1422); +(W16.of_int 1422); (W16.of_int 1422); (W16.of_int 1422); (W16.of_int 1422); +(W16.of_int 1422); (W16.of_int 1422); (W16.of_int 1422); +(W16.of_int (-20906)); (W16.of_int (-20906)); (W16.of_int (-20906)); +(W16.of_int (-20906)); (W16.of_int 27758); (W16.of_int 27758); +(W16.of_int 27758); (W16.of_int 27758); (W16.of_int (-3799)); +(W16.of_int (-3799)); (W16.of_int (-3799)); (W16.of_int (-3799)); +(W16.of_int (-15690)); (W16.of_int (-15690)); (W16.of_int (-15690)); +(W16.of_int (-15690)); (W16.of_int 3158); (W16.of_int 3158); +(W16.of_int 3158); (W16.of_int 3158); (W16.of_int 622); (W16.of_int 622); +(W16.of_int 622); (W16.of_int 622); (W16.of_int 1577); (W16.of_int 1577); +(W16.of_int 1577); (W16.of_int 1577); (W16.of_int 182); (W16.of_int 182); +(W16.of_int 182); (W16.of_int 182); (W16.of_int (-5827)); +(W16.of_int (-5827)); (W16.of_int 17364); (W16.of_int 17364); +(W16.of_int (-26360)); (W16.of_int (-26360)); (W16.of_int (-29057)); +(W16.of_int (-29057)); (W16.of_int 5572); (W16.of_int 5572); +(W16.of_int (-1102)); (W16.of_int (-1102)); (W16.of_int 
21439); +(W16.of_int 21439); (W16.of_int (-26241)); (W16.of_int (-26241)); +(W16.of_int 573); (W16.of_int 573); (W16.of_int 2004); (W16.of_int 2004); +(W16.of_int 264); (W16.of_int 264); (W16.of_int 383); (W16.of_int 383); +(W16.of_int 2500); (W16.of_int 2500); (W16.of_int 1458); (W16.of_int 1458); +(W16.of_int 1727); (W16.of_int 1727); (W16.of_int 3199); (W16.of_int 3199); +(W16.of_int (-5689)); (W16.of_int (-6516)); (W16.of_int 1497); +(W16.of_int 30967); (W16.of_int (-23564)); (W16.of_int 20179); +(W16.of_int 20711); (W16.of_int 25081); (W16.of_int (-12796)); +(W16.of_int 26617); (W16.of_int 16065); (W16.of_int (-12441)); +(W16.of_int 9135); (W16.of_int (-649)); (W16.of_int (-25986)); +(W16.of_int 27837); (W16.of_int 1223); (W16.of_int 652); (W16.of_int 2777); +(W16.of_int 1015); (W16.of_int 2036); (W16.of_int 1491); (W16.of_int 3047); +(W16.of_int 1785); (W16.of_int 516); (W16.of_int 3321); (W16.of_int 3009); +(W16.of_int 2663); (W16.of_int 1711); (W16.of_int 2167); (W16.of_int 126); +(W16.of_int 1469); (W16.of_int (-334)); (W16.of_int (-11477)); +(W16.of_int (-32226)); (W16.of_int 20494); (W16.of_int (-27738)); +(W16.of_int 945); (W16.of_int (-14882)); (W16.of_int 6182); +(W16.of_int 32011); (W16.of_int 10631); (W16.of_int 29176); +(W16.of_int (-28761)); (W16.of_int (-18485)); (W16.of_int 17561); +(W16.of_int (-14430)); (W16.of_int (-5275)); (W16.of_int 2226); +(W16.of_int 555); (W16.of_int 2078); (W16.of_int 1550); (W16.of_int 422); +(W16.of_int 177); (W16.of_int 3038); (W16.of_int 1574); (W16.of_int 3083); +(W16.of_int 1159); (W16.of_int 2552); (W16.of_int 2727); (W16.of_int 1739); +(W16.of_int 2457); (W16.of_int 418); (W16.of_int 3173); (W16.of_int 11182); +(W16.of_int 13387); (W16.of_int (-14233)); (W16.of_int (-21655)); +(W16.of_int 13131); (W16.of_int (-4586)); (W16.of_int 23093); +(W16.of_int 5493); (W16.of_int (-32502)); (W16.of_int 30318); +(W16.of_int (-18741)); (W16.of_int 12639); (W16.of_int 20100); +(W16.of_int 18525); (W16.of_int 19529); 
(W16.of_int (-12618)); +(W16.of_int 430); (W16.of_int 843); (W16.of_int 871); (W16.of_int 105); +(W16.of_int 587); (W16.of_int 3094); (W16.of_int 2869); (W16.of_int 1653); +(W16.of_int 778); (W16.of_int 3182); (W16.of_int 1483); (W16.of_int 1119); +(W16.of_int 644); (W16.of_int 349); (W16.of_int 329); (W16.of_int 3254); +(W16.of_int 788); (W16.of_int 788); (W16.of_int 1812); (W16.of_int 1812); +(W16.of_int 28191); (W16.of_int 28191); (W16.of_int 28191); +(W16.of_int 28191); (W16.of_int 28191); (W16.of_int 28191); +(W16.of_int 28191); (W16.of_int 28191); (W16.of_int (-16694)); +(W16.of_int (-16694)); (W16.of_int (-16694)); (W16.of_int (-16694)); +(W16.of_int (-16694)); (W16.of_int (-16694)); (W16.of_int (-16694)); +(W16.of_int (-16694)); (W16.of_int 287); (W16.of_int 287); (W16.of_int 287); +(W16.of_int 287); (W16.of_int 287); (W16.of_int 287); (W16.of_int 287); +(W16.of_int 287); (W16.of_int 202); (W16.of_int 202); (W16.of_int 202); +(W16.of_int 202); (W16.of_int 202); (W16.of_int 202); (W16.of_int 202); +(W16.of_int 202); (W16.of_int 10690); (W16.of_int 10690); (W16.of_int 10690); +(W16.of_int 10690); (W16.of_int 1359); (W16.of_int 1359); (W16.of_int 1359); +(W16.of_int 1359); (W16.of_int (-11201)); (W16.of_int (-11201)); +(W16.of_int (-11201)); (W16.of_int (-11201)); (W16.of_int 31164); +(W16.of_int 31164); (W16.of_int 31164); (W16.of_int 31164); (W16.of_int 962); +(W16.of_int 962); (W16.of_int 962); (W16.of_int 962); (W16.of_int 2127); +(W16.of_int 2127); (W16.of_int 2127); (W16.of_int 2127); (W16.of_int 1855); +(W16.of_int 1855); (W16.of_int 1855); (W16.of_int 1855); (W16.of_int 1468); +(W16.of_int 1468); (W16.of_int 1468); (W16.of_int 1468); +(W16.of_int (-28072)); (W16.of_int (-28072)); (W16.of_int 24313); +(W16.of_int 24313); (W16.of_int (-10532)); (W16.of_int (-10532)); +(W16.of_int 8800); (W16.of_int 8800); (W16.of_int 18427); (W16.of_int 18427); +(W16.of_int 8859); (W16.of_int 8859); (W16.of_int 26676); (W16.of_int 26676); +(W16.of_int (-16162)); 
(W16.of_int (-16162)); (W16.of_int 2648); +(W16.of_int 2648); (W16.of_int 1017); (W16.of_int 1017); (W16.of_int 732); +(W16.of_int 732); (W16.of_int 608); (W16.of_int 608); (W16.of_int 1787); +(W16.of_int 1787); (W16.of_int 411); (W16.of_int 411); (W16.of_int 3124); +(W16.of_int 3124); (W16.of_int 1758); (W16.of_int 1758); (W16.of_int 19884); +(W16.of_int (-28249)); (W16.of_int (-15886)); (W16.of_int (-8898)); +(W16.of_int (-28309)); (W16.of_int 9076); (W16.of_int (-30198)); +(W16.of_int 18250); (W16.of_int 13427); (W16.of_int 14017); +(W16.of_int (-29155)); (W16.of_int (-12756)); (W16.of_int 16832); +(W16.of_int 4312); (W16.of_int (-24155)); (W16.of_int (-17914)); +(W16.of_int 2476); (W16.of_int 3239); (W16.of_int 3058); (W16.of_int 830); +(W16.of_int 107); (W16.of_int 1908); (W16.of_int 3082); (W16.of_int 2378); +(W16.of_int 2931); (W16.of_int 961); (W16.of_int 1821); (W16.of_int 2604); +(W16.of_int 448); (W16.of_int 2264); (W16.of_int 677); (W16.of_int 2054); +(W16.of_int (-31183)); (W16.of_int 25435); (W16.of_int (-7382)); +(W16.of_int 24392); (W16.of_int (-20926)); (W16.of_int 10946); +(W16.of_int 24215); (W16.of_int 16990); (W16.of_int 10336); +(W16.of_int (-7933)); (W16.of_int (-22501)); (W16.of_int 10907); +(W16.of_int 31637); (W16.of_int 28644); (W16.of_int 23998); +(W16.of_int (-17422)); (W16.of_int 817); (W16.of_int 603); (W16.of_int 1322); +(W16.of_int 1864); (W16.of_int 2114); (W16.of_int 1218); (W16.of_int 2455); +(W16.of_int 2142); (W16.of_int 2144); (W16.of_int 2051); (W16.of_int 1819); +(W16.of_int 2459); (W16.of_int 3221); (W16.of_int 996); (W16.of_int 958); +(W16.of_int 1522); (W16.of_int 20297); (W16.of_int 2146); (W16.of_int 15356); +(W16.of_int (-32384)); (W16.of_int (-6279)); (W16.of_int (-14902)); +(W16.of_int (-11044)); (W16.of_int 14470); (W16.of_int (-21497)); +(W16.of_int (-20198)); (W16.of_int 23211); (W16.of_int (-17442)); +(W16.of_int (-23859)); (W16.of_int (-20257)); (W16.of_int 7757); +(W16.of_int 23132); (W16.of_int 1097); 
(W16.of_int 610); (W16.of_int 2044); +(W16.of_int 384); (W16.of_int 3193); (W16.of_int 1994); (W16.of_int 220); +(W16.of_int 1670); (W16.of_int 1799); (W16.of_int 794); (W16.of_int 2475); +(W16.of_int 478); (W16.of_int 3021); (W16.of_int 991); (W16.of_int 1869); +(W16.of_int 1628); (W16.of_int 0); (W16.of_int 0); (W16.of_int 0); +(W16.of_int 0)]). -abbrev jzetas = Array128.of_list witness [W16.of_int 2285; W16.of_int 2571; -W16.of_int 2970; W16.of_int 1812; W16.of_int 1493; W16.of_int 1422; -W16.of_int 287; W16.of_int 202; W16.of_int 3158; W16.of_int 622; -W16.of_int 1577; W16.of_int 182; W16.of_int 962; W16.of_int 2127; -W16.of_int 1855; W16.of_int 1468; W16.of_int 573; W16.of_int 2004; -W16.of_int 264; W16.of_int 383; W16.of_int 2500; W16.of_int 1458; -W16.of_int 1727; W16.of_int 3199; W16.of_int 2648; W16.of_int 1017; -W16.of_int 732; W16.of_int 608; W16.of_int 1787; W16.of_int 411; -W16.of_int 3124; W16.of_int 1758; W16.of_int 1223; W16.of_int 652; -W16.of_int 2777; W16.of_int 1015; W16.of_int 2036; W16.of_int 1491; -W16.of_int 3047; W16.of_int 1785; W16.of_int 516; W16.of_int 3321; -W16.of_int 3009; W16.of_int 2663; W16.of_int 1711; W16.of_int 2167; -W16.of_int 126; W16.of_int 1469; W16.of_int 2476; W16.of_int 3239; -W16.of_int 3058; W16.of_int 830; W16.of_int 107; W16.of_int 1908; -W16.of_int 3082; W16.of_int 2378; W16.of_int 2931; W16.of_int 961; -W16.of_int 1821; W16.of_int 2604; W16.of_int 448; W16.of_int 2264; -W16.of_int 677; W16.of_int 2054; W16.of_int 2226; W16.of_int 430; -W16.of_int 555; W16.of_int 843; W16.of_int 2078; W16.of_int 871; -W16.of_int 1550; W16.of_int 105; W16.of_int 422; W16.of_int 587; -W16.of_int 177; W16.of_int 3094; W16.of_int 3038; W16.of_int 2869; -W16.of_int 1574; W16.of_int 1653; W16.of_int 3083; W16.of_int 778; -W16.of_int 1159; W16.of_int 3182; W16.of_int 2552; W16.of_int 1483; -W16.of_int 2727; W16.of_int 1119; W16.of_int 1739; W16.of_int 644; -W16.of_int 2457; W16.of_int 349; W16.of_int 418; W16.of_int 329; -W16.of_int 3173; 
W16.of_int 3254; W16.of_int 817; W16.of_int 1097; -W16.of_int 603; W16.of_int 610; W16.of_int 1322; W16.of_int 2044; -W16.of_int 1864; W16.of_int 384; W16.of_int 2114; W16.of_int 3193; -W16.of_int 1218; W16.of_int 1994; W16.of_int 2455; W16.of_int 220; -W16.of_int 2142; W16.of_int 1670; W16.of_int 2144; W16.of_int 1799; -W16.of_int 2051; W16.of_int 794; W16.of_int 1819; W16.of_int 2475; -W16.of_int 2459; W16.of_int 478; W16.of_int 3221; W16.of_int 3021; -W16.of_int 996; W16.of_int 991; W16.of_int 958; W16.of_int 1869; -W16.of_int 1522; W16.of_int 1628]. +abbrev jzetas_inv = +(Array128.of_list witness +[(W16.of_int 1701); (W16.of_int 1807); (W16.of_int 1460); (W16.of_int 2371); +(W16.of_int 2338); (W16.of_int 2333); (W16.of_int 308); (W16.of_int 108); +(W16.of_int 2851); (W16.of_int 870); (W16.of_int 854); (W16.of_int 1510); +(W16.of_int 2535); (W16.of_int 1278); (W16.of_int 1530); (W16.of_int 1185); +(W16.of_int 1659); (W16.of_int 1187); (W16.of_int 3109); (W16.of_int 874); +(W16.of_int 1335); (W16.of_int 2111); (W16.of_int 136); (W16.of_int 1215); +(W16.of_int 2945); (W16.of_int 1465); (W16.of_int 1285); (W16.of_int 2007); +(W16.of_int 2719); (W16.of_int 2726); (W16.of_int 2232); (W16.of_int 2512); +(W16.of_int 75); (W16.of_int 156); (W16.of_int 3000); (W16.of_int 2911); +(W16.of_int 2980); (W16.of_int 872); (W16.of_int 2685); (W16.of_int 1590); +(W16.of_int 2210); (W16.of_int 602); (W16.of_int 1846); (W16.of_int 777); +(W16.of_int 147); (W16.of_int 2170); (W16.of_int 2551); (W16.of_int 246); +(W16.of_int 1676); (W16.of_int 1755); (W16.of_int 460); (W16.of_int 291); +(W16.of_int 235); (W16.of_int 3152); (W16.of_int 2742); (W16.of_int 2907); +(W16.of_int 3224); (W16.of_int 1779); (W16.of_int 2458); (W16.of_int 1251); +(W16.of_int 2486); (W16.of_int 2774); (W16.of_int 2899); (W16.of_int 1103); +(W16.of_int 1275); (W16.of_int 2652); (W16.of_int 1065); (W16.of_int 2881); +(W16.of_int 725); (W16.of_int 1508); (W16.of_int 2368); (W16.of_int 398); +(W16.of_int 951); 
(W16.of_int 247); (W16.of_int 1421); (W16.of_int 3222); +(W16.of_int 2499); (W16.of_int 271); (W16.of_int 90); (W16.of_int 853); +(W16.of_int 1860); (W16.of_int 3203); (W16.of_int 1162); (W16.of_int 1618); +(W16.of_int 666); (W16.of_int 320); (W16.of_int 8); (W16.of_int 2813); +(W16.of_int 1544); (W16.of_int 282); (W16.of_int 1838); (W16.of_int 1293); +(W16.of_int 2314); (W16.of_int 552); (W16.of_int 2677); (W16.of_int 2106); +(W16.of_int 1571); (W16.of_int 205); (W16.of_int 2918); (W16.of_int 1542); +(W16.of_int 2721); (W16.of_int 2597); (W16.of_int 2312); (W16.of_int 681); +(W16.of_int 130); (W16.of_int 1602); (W16.of_int 1871); (W16.of_int 829); +(W16.of_int 2946); (W16.of_int 3065); (W16.of_int 1325); (W16.of_int 2756); +(W16.of_int 1861); (W16.of_int 1474); (W16.of_int 1202); (W16.of_int 2367); +(W16.of_int 3147); (W16.of_int 1752); (W16.of_int 2707); (W16.of_int 171); +(W16.of_int 3127); (W16.of_int 3042); (W16.of_int 1907); (W16.of_int 1836); +(W16.of_int 1517); (W16.of_int 359); (W16.of_int 758); (W16.of_int 1441)]). 
+abbrev jzetas = +(Array128.of_list witness +[(W16.of_int 2285); (W16.of_int 2571); (W16.of_int 2970); (W16.of_int 1812); +(W16.of_int 1493); (W16.of_int 1422); (W16.of_int 287); (W16.of_int 202); +(W16.of_int 3158); (W16.of_int 622); (W16.of_int 1577); (W16.of_int 182); +(W16.of_int 962); (W16.of_int 2127); (W16.of_int 1855); (W16.of_int 1468); +(W16.of_int 573); (W16.of_int 2004); (W16.of_int 264); (W16.of_int 383); +(W16.of_int 2500); (W16.of_int 1458); (W16.of_int 1727); (W16.of_int 3199); +(W16.of_int 2648); (W16.of_int 1017); (W16.of_int 732); (W16.of_int 608); +(W16.of_int 1787); (W16.of_int 411); (W16.of_int 3124); (W16.of_int 1758); +(W16.of_int 1223); (W16.of_int 652); (W16.of_int 2777); (W16.of_int 1015); +(W16.of_int 2036); (W16.of_int 1491); (W16.of_int 3047); (W16.of_int 1785); +(W16.of_int 516); (W16.of_int 3321); (W16.of_int 3009); (W16.of_int 2663); +(W16.of_int 1711); (W16.of_int 2167); (W16.of_int 126); (W16.of_int 1469); +(W16.of_int 2476); (W16.of_int 3239); (W16.of_int 3058); (W16.of_int 830); +(W16.of_int 107); (W16.of_int 1908); (W16.of_int 3082); (W16.of_int 2378); +(W16.of_int 2931); (W16.of_int 961); (W16.of_int 1821); (W16.of_int 2604); +(W16.of_int 448); (W16.of_int 2264); (W16.of_int 677); (W16.of_int 2054); +(W16.of_int 2226); (W16.of_int 430); (W16.of_int 555); (W16.of_int 843); +(W16.of_int 2078); (W16.of_int 871); (W16.of_int 1550); (W16.of_int 105); +(W16.of_int 422); (W16.of_int 587); (W16.of_int 177); (W16.of_int 3094); +(W16.of_int 3038); (W16.of_int 2869); (W16.of_int 1574); (W16.of_int 1653); +(W16.of_int 3083); (W16.of_int 778); (W16.of_int 1159); (W16.of_int 3182); +(W16.of_int 2552); (W16.of_int 1483); (W16.of_int 2727); (W16.of_int 1119); +(W16.of_int 1739); (W16.of_int 644); (W16.of_int 2457); (W16.of_int 349); +(W16.of_int 418); (W16.of_int 329); (W16.of_int 3173); (W16.of_int 3254); +(W16.of_int 817); (W16.of_int 1097); (W16.of_int 603); (W16.of_int 610); +(W16.of_int 1322); (W16.of_int 2044); (W16.of_int 1864); 
(W16.of_int 384); +(W16.of_int 2114); (W16.of_int 3193); (W16.of_int 1218); (W16.of_int 1994); +(W16.of_int 2455); (W16.of_int 220); (W16.of_int 2142); (W16.of_int 1670); +(W16.of_int 2144); (W16.of_int 1799); (W16.of_int 2051); (W16.of_int 794); +(W16.of_int 1819); (W16.of_int 2475); (W16.of_int 2459); (W16.of_int 478); +(W16.of_int 3221); (W16.of_int 3021); (W16.of_int 996); (W16.of_int 991); +(W16.of_int 958); (W16.of_int 1869); (W16.of_int 1522); (W16.of_int 1628)]). module type Syscall_t = { - proc randombytes_32(_:W8.t Array32.t) : W8.t Array32.t - proc randombytes_64(_:W8.t Array64.t) : W8.t Array64.t + proc randombytes_32 (_:W8.t Array32.t) : W8.t Array32.t + proc randombytes_64 (_:W8.t Array64.t) : W8.t Array64.t }. module Syscall : Syscall_t = { - proc randombytes_32(a:W8.t Array32.t) : W8.t Array32.t = { - a <$ dmap WArray32.darray - (fun a => Array32.init (fun i => WArray32.get8 a i)); + proc randombytes_32 (a:W8.t Array32.t) : W8.t Array32.t = { + + a <$ + (dmap WArray32.darray + (fun a => (Array32.init (fun i => (WArray32.get8 a i))))); return a; } - - proc randombytes_64(a:W8.t Array64.t) : W8.t Array64.t = { - a <$ dmap WArray64.darray - (fun a => Array64.init (fun i => WArray64.get8 a i)); + proc randombytes_64 (a:W8.t Array64.t) : W8.t Array64.t = { + + a <$ + (dmap WArray64.darray + (fun a => (Array64.init (fun i => (WArray64.get8 a i))))); return a; } }. 
module M(SC:Syscall_t) = { proc __shuffle8 (a:W256.t, b:W256.t) : W256.t * W256.t = { - var r0:W256.t; var r1:W256.t; - - r0 <- VPERM2I128 a b (W8.of_int 32); - r1 <- VPERM2I128 a b (W8.of_int 49); + r0 <- (VPERM2I128 a b (W8.of_int 32)); + r1 <- (VPERM2I128 a b (W8.of_int 49)); return (r0, r1); } - proc __shuffle4 (a:W256.t, b:W256.t) : W256.t * W256.t = { - var r0:W256.t; var r1:W256.t; - - r0 <- VPUNPCKL_4u64 a b; - r1 <- VPUNPCKH_4u64 a b; + r0 <- (VPUNPCKL_4u64 a b); + r1 <- (VPUNPCKH_4u64 a b); return (r0, r1); } - proc __shuffle2 (a:W256.t, b:W256.t) : W256.t * W256.t = { - var t0:W256.t; var t1:W256.t; - - t0 <- VMOVSLDUP_256 b; - t0 <- VPBLEND_8u32 a t0 (W8.of_int 170); - a <- VPSRL_4u64 a (W8.of_int 32); - t1 <- VPBLEND_8u32 a b (W8.of_int 170); + t0 <- (VMOVSLDUP_256 b); + t0 <- (VPBLEND_8u32 a t0 (W8.of_int 170)); + a <- (VPSRL_4u64 a (W8.of_int 32)); + t1 <- (VPBLEND_8u32 a b (W8.of_int 170)); return (t0, t1); } - proc __shuffle1 (a:W256.t, b:W256.t) : W256.t * W256.t = { - var r0:W256.t; var r1:W256.t; var t0:W256.t; var t1:W256.t; - - t0 <- VPSLL_8u32 b (W8.of_int 16); - r0 <- VPBLEND_16u16 a t0 (W8.of_int 170); - t1 <- VPSRL_8u32 a (W8.of_int 16); - r1 <- VPBLEND_16u16 t1 b (W8.of_int 170); + t0 <- (VPSLL_8u32 b (W8.of_int 16)); + r0 <- (VPBLEND_16u16 a t0 (W8.of_int 170)); + t1 <- (VPSRL_8u32 a (W8.of_int 16)); + r1 <- (VPBLEND_16u16 t1 b (W8.of_int 170)); return (r0, r1); } - proc __nttunpack128 (r0:W256.t, r1:W256.t, r2:W256.t, r3:W256.t, r4:W256.t, r5:W256.t, r6:W256.t, r7:W256.t) : W256.t * W256.t * W256.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - - (r0, r4) <@ __shuffle8 (r0, r4); (r1, r5) <@ __shuffle8 (r1, r5); (r2, r6) <@ __shuffle8 (r2, r6); @@ -1129,9 +1352,7 @@ module M(SC:Syscall_t) = { (r3, r7) <@ __shuffle1 (r3, r7); return (r0, r4, r1, r5, r2, r6, r3, r7); } - proc _nttunpack (rp:W16.t Array256.t) : W16.t Array256.t = { - var r0:W256.t; var r1:W256.t; var r2:W256.t; 
@@ -1140,149 +1361,161 @@ module M(SC:Syscall_t) = { var r5:W256.t; var r6:W256.t; var r7:W256.t; - - r0 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 0)); - r1 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 1)); - r2 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 2)); - r3 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 3)); - r4 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 4)); - r5 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 5)); - r6 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 6)); - r7 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 7)); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __nttunpack128 (r0, r1, r2, r3, r4, - r5, r6, r7); + r0 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 0)); + r1 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 1)); + r2 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 2)); + r3 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 3)); + r4 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 4)); + r5 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 5)); + r6 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 6)); + r7 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 7)); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __nttunpack128 (r0, r1, r2, r3, + r4, r5, r6, r7); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 0) (r0))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 0) + r0))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 1) (r1))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 1) + r1))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun 
i => (rp).[i])) (32 * 2) (r2))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 2) + r2))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 3) (r3))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 3) + r3))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 4) (r4))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 4) + r4))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 5) (r5))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 5) + r5))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 6) (r6))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 6) + r6))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 7) (r7))); - r0 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 8)); - r1 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 9)); - r2 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 10)); - r3 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 11)); - r4 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 12)); - r5 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 13)); - r6 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 14)); - r7 <- (get256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 15)); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __nttunpack128 (r0, r1, r2, r3, r4, - r5, r6, r7); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i 
=> rp.[i])) (32 * 7) + r7))); + r0 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 8)); + r1 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 9)); + r2 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 10)); + r3 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 11)); + r4 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 12)); + r5 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 13)); + r6 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 14)); + r7 <- (get256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 15)); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __nttunpack128 (r0, r1, r2, r3, + r4, r5, r6, r7); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 8) (r0))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 8) + r0))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 9) (r1))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 9) + r1))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 10) (r2))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 10) + r2))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 11) (r3))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 11) + r3))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 12) (r4))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 12) + r4))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => 
(rp).[i])) (32 * 13) (r5))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 13) + r5))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 14) (r6))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 14) + r6))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 15) (r7))); - return (rp); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 15) + r7))); + return rp; } - proc __csubq (r:W256.t, qx16:W256.t) : W256.t = { - var t:W256.t; - - r <- VPSUB_16u16 r qx16; - t <- VPSRA_16u16 r (W8.of_int 15); - t <- VPAND_256 t qx16; - r <- VPADD_16u16 t r; - return (r); + r <- (VPSUB_16u16 r qx16); + t <- (VPSRA_16u16 r (W8.of_int 15)); + t <- (VPAND_256 t qx16); + r <- (VPADD_16u16 t r); + return r; } - proc __red16x (r:W256.t, qx16:W256.t, vx16:W256.t) : W256.t = { - var x:W256.t; - - x <- VPMULH_16u16 r vx16; - x <- VPSRA_16u16 x (W8.of_int 10); - x <- VPMULL_16u16 x qx16; - r <- VPSUB_16u16 r x; - return (r); + x <- (VPMULH_16u16 r vx16); + x <- (VPSRA_16u16 x (W8.of_int 10)); + x <- (VPMULL_16u16 x qx16); + r <- (VPSUB_16u16 r x); + return r; } - proc __fqmulprecomp16x (b:W256.t, al:W256.t, ah:W256.t, qx16:W256.t) : W256.t = { - var x:W256.t; - - x <- VPMULL_16u16 al b; - b <- VPMULH_16u16 ah b; - x <- VPMULH_16u16 x qx16; - b <- VPSUB_16u16 b x; - return (b); - } - - proc __fqmulx16 (a:W256.t, b:W256.t, qx16:W256.t, qinvx16:W256.t) : - W256.t = { - + x <- (VPMULL_16u16 al b); + b <- (VPMULH_16u16 ah b); + x <- (VPMULH_16u16 x qx16); + b <- (VPSUB_16u16 b x); + return b; + } + proc __fqmulx16 (a:W256.t, b:W256.t, qx16:W256.t, qinvx16:W256.t) : W256.t = { var rd:W256.t; var rhi:W256.t; var rlo:W256.t; - - rhi <- VPMULH_16u16 a b; - rlo <- VPMULL_16u16 a b; - rlo <- VPMULL_16u16 rlo 
qinvx16; - rlo <- VPMULH_16u16 rlo qx16; - rd <- VPSUB_16u16 rhi rlo; - return (rd); - } - + rhi <- (VPMULH_16u16 a b); + rlo <- (VPMULL_16u16 a b); + rlo <- (VPMULL_16u16 rlo qinvx16); + rlo <- (VPMULH_16u16 rlo qx16); + rd <- (VPSUB_16u16 rhi rlo); + return rd; + } proc keccakf1600_index (x:int, y:int) : int = { - var r:int; - r <- ((x %% 5) + (5 * (y %% 5))); - return (r); + return r; } - proc keccakf1600_rho_offsets (i:int) : int = { - var aux: int; - + var aux:int; var r:int; var x:int; var y:int; var t:int; var z:int; - r <- 0; x <- 1; y <- 0; t <- 0; - while (t < 24) { + while ((t < 24)) { if ((i = (x + (5 * y)))) { r <- ((((t + 1) * (t + 2)) %/ 2) %% 64); } else { 
@@ -1291,76 +1524,67 @@ module M(SC:Syscall_t) = { z <- (((2 * x) + (3 * y)) %% 5); x <- y; y <- z; - t <- t + 1; + t <- (t + 1); } - return (r); + return r; } - proc keccakf1600_rhotates (x:int, y:int) : int = { - var r:int; var i:int; - i <@ keccakf1600_index (x, y); r <@ keccakf1600_rho_offsets (i); - return (r); + return r; } - proc keccakf1600_theta_sum (a:W64.t Array25.t) : W64.t Array5.t = { - var aux: int; - + var aux:int; var c:W64.t Array5.t; var x:int; var y:int; c <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { c.[x] <- a.[(x + 0)]; - x <- x + 1; + x <- (x + 1); } y <- 1; - while (y < 5) { + while ((y < 5)) { x <- 0; - while (x < 5) { + while ((x < 5)) { c.[x] <- (c.[x] `^` a.[(x + (y * 5))]); - x <- x + 1; + x <- (x + 1); } - y <- y + 1; + y <- (y + 1); } - return (c); + return c; } - proc keccakf1600_theta_rol (c:W64.t Array5.t) : W64.t Array5.t = { - var aux_1: bool; - var aux_0: bool; - var aux: int; - var aux_2: W64.t; - + var aux_1:bool; + var aux_0:bool; + var aux:int; + var aux_2:W64.t; var d:W64.t Array5.t; var x:int; var _0:bool; var _1:bool; d <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { d.[x] <- c.[((x + 1) %% 5)]; - (aux_1, aux_0, aux_2) <- ROL_64 d.[x] (W8.of_int 1); + (aux_1, aux_0, aux_2) <- (ROL_64 d.[x] (W8.of_int 1)); _0 <- aux_1; _1 <- aux_0; d.[x] <- aux_2; d.[x] <- (d.[x] `^` c.[(((x - 1) + 5) %% 5)]); - x <- x + 1; + x <- (x + 1); } - return (d); + return d; } - proc keccakf1600_rol_sum (a:W64.t Array25.t, d:W64.t Array5.t, y:int) : W64.t Array5.t = { - var aux_1: bool; - var aux_0: bool; - var aux: int; - var aux_2: W64.t; - + var aux_1:bool; + var aux_0:bool; + var aux:int; + var aux_2:W64.t; var b:W64.t Array5.t; var x:int; var x_:int; 
@@ -1370,36 +1594,33 @@ module M(SC:Syscall_t) = { var _1:bool; b <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { x_ <- ((x + (3 * y)) %% 5); y_ <- x; r <@ keccakf1600_rhotates (x_, y_); b.[x] <- a.[(x_ + (y_ * 5))]; b.[x] <- (b.[x] `^` d.[x_]); if ((r <> 0)) { - (aux_1, aux_0, aux_2) <- ROL_64 b.[x] (W8.of_int r); + (aux_1, aux_0, aux_2) <- (ROL_64 b.[x] (W8.of_int r)); _0 <- aux_1; _1 <- aux_0; b.[x] <- aux_2; } else { } - x <- x + 1; + x <- (x + 1); } - return (b); + return b; } - proc keccakf1600_set_row (e:W64.t Array25.t, b:W64.t Array5.t, y:int, s_rc:W64.t) : W64.t Array25.t = { - var aux: int; - + var aux:int; var x:int; var x1:int; var x2:int; var t:W64.t; - x <- 0; - while (x < 5) { + while ((x < 5)) { x1 <- ((x + 1) %% 5); x2 <- ((x + 2) %% 5); t <- ((invw b.[x1]) `&` b.[x2]); @@ -1410,15 +1631,13 @@ module M(SC:Syscall_t) = { } e.[(x + (y * 5))] <- t; - x <- x + 1; + x <- (x + 1); } - return (e); + return e; } - proc keccakf1600_round (e:W64.t Array25.t, a:W64.t Array25.t, rc:W64.t) : W64.t Array25.t = { - var aux: int; - + var aux:int; var s_rc:W64.t; var c:W64.t Array5.t; var d:W64.t Array5.t; @@ -1431,16 +1650,14 @@ module M(SC:Syscall_t) = { c <@ keccakf1600_theta_sum (a); d <@ keccakf1600_theta_rol (c); y <- 0; - while (y < 5) { + while ((y < 5)) { b <@ keccakf1600_rol_sum (a, d, y); e <@ keccakf1600_set_row (e, b, y, s_rc); - y <- y + 1; + y <- (y + 1); } - return (e); + return e; } - proc __keccakf1600 (a:W64.t Array25.t) : W64.t Array25.t = { - var rC:W64.t Array24.t; var s_e:W64.t Array25.t; var e:W64.t Array25.t; @@ -1452,7 +1669,6 @@ module M(SC:Syscall_t) = { rC <- kECCAK1600_RC; e <- s_e; c <- (W64.of_int 0); - while ((c \ult (W64.of_int (24 - 1)))) { rc <- rC.[(W64.to_uint c)]; e <@ keccakf1600_round (e, a, rc); 
@@ -1460,51 +1676,38 @@ module M(SC:Syscall_t) = { a <@ keccakf1600_round (a, e, rc); c <- (c + (W64.of_int 2)); } - return (a); + return a; } - proc _keccakf1600 (a:W64.t Array25.t) : W64.t Array25.t = { - - a <@ __keccakf1600 (a); - return (a); + return a; } - proc _keccakf1600_ (a:W64.t Array25.t) : W64.t Array25.t = { - - a <- a; a <@ _keccakf1600 (a); a <- a; - return (a); + return a; } - proc __st0 (state:W64.t Array25.t) : W64.t Array25.t = { - var aux: int; - + var aux:int; var i:int; - i <- 0; - while (i < 25) { + while ((i < 25)) { state.[i] <- (W64.of_int 0); - i <- i + 1; + i <- (i + 1); } - return (state); + return state; } - proc __add_full_block (state:W64.t Array25.t, in_0:W64.t, inlen:W64.t, r8:W64.t) : W64.t Array25.t * W64.t * W64.t = { - var r64:W64.t; var i:W64.t; var t:W64.t; - r64 <- r8; r64 <- (r64 `>>` (W8.of_int 3)); i <- (W64.of_int 0); - while ((i \ult r64)) { t <- (loadW64 Glob.mem (W64.to_uint (in_0 + ((W64.of_int 8) * i)))); state.[(W64.to_uint i)] <- (state.[(W64.to_uint i)] `^` t); 
@@ -1514,50 +1717,52 @@ module M(SC:Syscall_t) = { inlen <- (inlen - r8); return (state, in_0, inlen); } - proc __add_final_block (state:W64.t Array25.t, in_0:W64.t, inlen:W64.t, trail_byte:W8.t, r8:W64.t) : W64.t Array25.t = { - var inlen8:W64.t; var i:W64.t; var t:W64.t; var c:W8.t; - inlen8 <- inlen; inlen8 <- (inlen8 `>>` (W8.of_int 3)); i <- (W64.of_int 0); - while ((i \ult inlen8)) { t <- (loadW64 Glob.mem (W64.to_uint (in_0 + ((W64.of_int 8) * i)))); state.[(W64.to_uint i)] <- (state.[(W64.to_uint i)] `^` t); i <- (i + (W64.of_int 1)); } i <- (i `<<` (W8.of_int 3)); - while ((i \ult inlen)) { c <- (loadW8 Glob.mem (W64.to_uint (in_0 + i))); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i)) `^` c)))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) + (W64.to_uint i) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (W64.to_uint i)) `^` + c)))); i <- (i + (W64.of_int 1)); } state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i)) `^` trail_byte)))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) + (W64.to_uint i) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (W64.to_uint i)) `^` + trail_byte)))); i <- r8; i <- (i - (W64.of_int 1)); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i)) `^` (W8.of_int 128))))); - return (state); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) + (W64.to_uint i) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (W64.to_uint i)) `^` + (W8.of_int 128))))); + 
return state; } - proc _isha3_256 (out:W8.t Array32.t, in_0:W64.t, inlen:W64.t) : W8.t Array32.t = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var r8:W64.t; var ilen:W64.t; @@ -1569,7 +1774,6 @@ module M(SC:Syscall_t) = { state <@ __st0 (state); r8 <- (W64.of_int 136); ilen <- inlen; - while ((r8 \ule ilen)) { (state, in_0, ilen) <@ __add_full_block (state, in_0, ilen, r8); (* Erased call to spill *) @@ -1581,19 +1785,18 @@ module M(SC:Syscall_t) = { state <@ _keccakf1600_ (state); (* Erased call to unspill *) i <- 0; - while (i < 4) { + while ((i < 4)) { t64 <- state.[i]; out <- - Array32.init - (WArray32.get8 (WArray32.set64 (WArray32.init8 (fun i_0 => (out).[i_0])) i (t64))); - i <- i + 1; + (Array32.init + (WArray32.get8 + (WArray32.set64 (WArray32.init8 (fun i_0 => out.[i_0])) i t64))); + i <- (i + 1); } - return (out); + return out; } - proc _shake256_1120_32 (out:W64.t, in0:W64.t, in1:W64.t) : unit = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var i:int; var t64:W64.t; @@ -1605,18 +1808,19 @@ module M(SC:Syscall_t) = { state <@ __st0 (state); aux <- (32 %/ 8); i <- 0; - while (i < aux) { + while ((i < aux)) { t64 <- (loadW64 Glob.mem (W64.to_uint (in0 + (W64.of_int (i * 8))))); state.[i] <- (state.[i] `^` t64); - i <- i + 1; + i <- (i + 1); } aux <- (136 %/ 8); i <- (32 %/ 8); - while (i < aux) { + while ((i < aux)) { t64 <- - (loadW64 Glob.mem (W64.to_uint (in1 + (W64.of_int ((i - (32 %/ 8)) * 8))))); + (loadW64 Glob.mem + (W64.to_uint (in1 + (W64.of_int ((i - (32 %/ 8)) * 8))))); state.[i] <- (state.[i] `^` t64); - i <- i + 1; + i <- (i + 1); } (* Erased call to spill *) state <@ _keccakf1600_ (state); @@ -1624,7 +1828,6 @@ module M(SC:Syscall_t) = { r8 <- (W64.of_int 136); ilen <- (W64.of_int (((3 * 320) + 128) - (136 - 32))); in1 <- (in1 + (W64.of_int (136 - 32))); - while ((r8 \ule ilen)) { (state, in1, ilen) <@ __add_full_block (state, in1, ilen, r8); (* Erased call to spill *) 
@@ -1637,18 +1840,16 @@ module M(SC:Syscall_t) = { (* Erased call to unspill *) aux <- (32 %/ 8); i <- 0; - while (i < aux) { + while ((i < aux)) { t64 <- state.[i]; Glob.mem <- - storeW64 Glob.mem (W64.to_uint (out + (W64.of_int (8 * i)))) (t64); - i <- i + 1; + (storeW64 Glob.mem (W64.to_uint (out + (W64.of_int (8 * i)))) t64); + i <- (i + 1); } return (); } - proc _sha3_512_64 (out:W8.t Array64.t, in_0:W8.t Array64.t) : W8.t Array64.t = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var i:int; var t64:W64.t; 
@@ -1656,35 +1857,38 @@ module M(SC:Syscall_t) = { (* Erased call to spill *) state <@ __st0 (state); i <- 0; - while (i < 8) { - t64 <- (get64 (WArray64.init8 (fun i_0 => (in_0).[i_0])) i); + while ((i < 8)) { + t64 <- (get64 (WArray64.init8 (fun i_0 => in_0.[i_0])) i); state.[i] <- (state.[i] `^` t64); - i <- i + 1; + i <- (i + 1); } state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) 64 (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) 64) `^` (W8.of_int 6))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) 64 + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) 64) `^` (W8.of_int 6)) + ))); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (72 - 1) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (72 - 1)) `^` (W8.of_int 128))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) (72 - 1) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (72 - 1)) `^` + (W8.of_int 128))))); state <@ _keccakf1600_ (state); (* Erased call to unspill *) i <- 0; - while (i < 8) { + while ((i < 8)) { t64 <- state.[i]; out <- - Array64.init - (WArray64.get8 (WArray64.set64 (WArray64.init8 (fun i_0 => (out).[i_0])) i (t64))); - i <- i + 1; + (Array64.init + (WArray64.get8 + (WArray64.set64 (WArray64.init8 (fun i_0 => out.[i_0])) i t64))); + i <- (i + 1); } - return (out); + return out; } - proc _sha3_512_32 (out:W8.t Array64.t, in_0:W8.t Array32.t) : W8.t Array64.t = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var i:int; var t64:W64.t; 
@@ -1692,68 +1896,61 @@ module M(SC:Syscall_t) = { (* Erased call to spill *) state <@ __st0 (state); i <- 0; - while (i < 4) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (in_0).[i_0])) i); + while ((i < 4)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => in_0.[i_0])) i); state.[i] <- (state.[i] `^` t64); - i <- i + 1; + i <- (i + 1); } state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) 32 (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) 32) `^` (W8.of_int 6))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) 32 + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) 32) `^` (W8.of_int 6)) + ))); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (72 - 1) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (72 - 1)) `^` (W8.of_int 128))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) (72 - 1) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (72 - 1)) `^` + (W8.of_int 128))))); state <@ _keccakf1600_ (state); (* Erased call to unspill *) i <- 0; - while (i < 8) { + while ((i < 8)) { t64 <- state.[i]; out <- - Array64.init - (WArray64.get8 (WArray64.set64 (WArray64.init8 (fun i_0 => (out).[i_0])) i (t64))); - i <- i + 1; + (Array64.init + (WArray64.get8 + (WArray64.set64 (WArray64.init8 (fun i_0 => out.[i_0])) i t64))); + i <- (i + 1); } - return (out); + return out; } - proc __rol_4u64_rho56 (a:W256.t) : W256.t = { - var r:W256.t; - - r <- VPSHUFB_256 a rho56; - return (r); + r <- (VPSHUFB_256 a rho56); + return r; } - proc __rol_4u64_rho8 (a:W256.t) : W256.t = { - var r:W256.t; - - r <- VPSHUFB_256 a rho8; - return (r); + r <- (VPSHUFB_256 a rho8); + return r; } - proc __rol_4u64 (a:W256.t, o:int) : W256.t = { - var r:W256.t; var t256:W256.t; - - r <- VPSLL_4u64 a (W8.of_int o); - t256 <- VPSRL_4u64 a (W8.of_int (64 - o)); + r <- (VPSLL_4u64 a 
(W8.of_int o)); + t256 <- (VPSRL_4u64 a (W8.of_int (64 - o))); r <- (r `|` t256); - return (r); + return r; } - proc __prepare_theta (a_4x:W256.t Array25.t) : W256.t * W256.t * W256.t * W256.t * W256.t = { - var ca:W256.t; var ce:W256.t; var ci:W256.t; var co:W256.t; var cu:W256.t; - ca <- a_4x.[20]; ca <- (ca `^` a_4x.[15]); ca <- (ca `^` a_4x.[10]); @@ -1781,10 +1978,8 @@ module M(SC:Syscall_t) = { cu <- (cu `^` a_4x.[4]); return (ca, ce, ci, co, cu); } - proc __first (ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t) : W256.t * W256.t * W256.t * W256.t * W256.t = { - var da:W256.t; var de:W256.t; var di:W256.t; @@ -1795,7 +1990,6 @@ module M(SC:Syscall_t) = { var co1:W256.t; var cu1:W256.t; var ca1:W256.t; - ce1 <@ __rol_4u64 (ce, 1); da <- (cu `^` ce1); ci1 <@ __rol_4u64 (ci, 1); @@ -1808,7 +2002,6 @@ module M(SC:Syscall_t) = { du <- (co `^` ca1); return (da, de, di, do_0, du); } - proc __second_even (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, index:int, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, @@ -1816,14 +2009,12 @@ module M(SC:Syscall_t) = { W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t256:W256.t; var bba:W256.t; var bbe:W256.t; var bbi:W256.t; var bbo:W256.t; var bbu:W256.t; - t256 <- a_4x.[0]; t256 <- (t256 `^` da); a_4x.[0] <- t256; @@ -1836,7 +2027,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` di); a_4x.[12] <- t256; bbi <@ __rol_4u64 (t256, 43); - t256 <- VPANDN_256 bbe bbi; + t256 <- (VPANDN_256 bbe bbi); t256 <- (t256 `^` bba); t256 <- (t256 `^` keccakF1600RoundConstants.[index]); e_4x.[0] <- t256; @@ -1845,7 +2036,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` do_0); a_4x.[18] <- t256; bbo <@ __rol_4u64 (t256, 21); - t256 <- VPANDN_256 bbi bbo; + t256 <- (VPANDN_256 bbi bbo); t256 <- (t256 `^` bbe); e_4x.[1] <- t256; ce <- t256; 
@@ -1853,34 +2044,31 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` du); a_4x.[24] <- t256; bbu <@ __rol_4u64 (t256, 14); - t256 <- VPANDN_256 bbo bbu; + t256 <- (VPANDN_256 bbo bbu); t256 <- (t256 `^` bbi); e_4x.[2] <- t256; ci <- t256; - t256 <- VPANDN_256 bbu bba; + t256 <- (VPANDN_256 bbu bba); t256 <- (t256 `^` bbo); e_4x.[3] <- t256; co <- t256; - t256 <- VPANDN_256 bba bbe; + t256 <- (VPANDN_256 bba bbe); t256 <- (t256 `^` bbu); e_4x.[4] <- t256; cu <- t256; return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __third_even (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t256:W256.t; var bga:W256.t; var bge:W256.t; var bgi:W256.t; var bgo:W256.t; var bgu:W256.t; - t256 <- a_4x.[3]; t256 <- (t256 `^` do_0); a_4x.[3] <- t256; @@ -1893,7 +2081,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` da); a_4x.[10] <- t256; bgi <@ __rol_4u64 (t256, 3); - t256 <- VPANDN_256 bge bgi; + t256 <- (VPANDN_256 bge bgi); t256 <- (t256 `^` bga); e_4x.[5] <- t256; ca <- (ca `^` t256); @@ -1901,7 +2089,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` de); a_4x.[16] <- t256; bgo <@ __rol_4u64 (t256, 45); - t256 <- VPANDN_256 bgi bgo; + t256 <- (VPANDN_256 bgi bgo); t256 <- (t256 `^` bge); e_4x.[6] <- t256; ce <- (ce `^` t256); 
@@ -1909,34 +2097,31 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` di); a_4x.[22] <- t256; bgu <@ __rol_4u64 (t256, 61); - t256 <- VPANDN_256 bgo bgu; + t256 <- (VPANDN_256 bgo bgu); t256 <- (t256 `^` bgi); e_4x.[7] <- t256; ci <- (ci `^` t256); - t256 <- VPANDN_256 bgu bga; + t256 <- (VPANDN_256 bgu bga); t256 <- (t256 `^` bgo); e_4x.[8] <- t256; co <- (co `^` t256); - t256 <- VPANDN_256 bga bge; + t256 <- (VPANDN_256 bga bge); t256 <- (t256 `^` bgu); e_4x.[9] <- t256; cu <- (cu `^` t256); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __fourth_even (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t256:W256.t; var bka:W256.t; var bke:W256.t; var bki:W256.t; var bko:W256.t; var bku:W256.t; - t256 <- a_4x.[1]; t256 <- (t256 `^` de); a_4x.[1] <- t256; @@ -1949,7 +2134,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` do_0); a_4x.[13] <- t256; bki <@ __rol_4u64 (t256, 25); - t256 <- VPANDN_256 bke bki; + t256 <- (VPANDN_256 bke bki); t256 <- (t256 `^` bka); e_4x.[10] <- t256; ca <- (ca `^` t256); @@ -1957,7 +2142,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` du); a_4x.[19] <- t256; bko <@ __rol_4u64_rho8 (t256); - t256 <- VPANDN_256 bki bko; + t256 <- (VPANDN_256 bki bko); t256 <- (t256 `^` bke); e_4x.[11] <- t256; ce <- (ce `^` t256); 
@@ -1965,34 +2150,31 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` da); a_4x.[20] <- t256; bku <@ __rol_4u64 (t256, 18); - t256 <- VPANDN_256 bko bku; + t256 <- (VPANDN_256 bko bku); t256 <- (t256 `^` bki); e_4x.[12] <- t256; ci <- (ci `^` t256); - t256 <- VPANDN_256 bku bka; + t256 <- (VPANDN_256 bku bka); t256 <- (t256 `^` bko); e_4x.[13] <- t256; co <- (co `^` t256); - t256 <- VPANDN_256 bka bke; + t256 <- (VPANDN_256 bka bke); t256 <- (t256 `^` bku); e_4x.[14] <- t256; cu <- (cu `^` t256); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __fifth_even (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t256:W256.t; var bma:W256.t; var bme:W256.t; var bmi:W256.t; var bmo:W256.t; var bmu:W256.t; - t256 <- a_4x.[4]; t256 <- (t256 `^` du); a_4x.[4] <- t256; @@ -2005,7 +2187,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` de); a_4x.[11] <- t256; bmi <@ __rol_4u64 (t256, 10); - t256 <- VPANDN_256 bme bmi; + t256 <- (VPANDN_256 bme bmi); t256 <- (t256 `^` bma); e_4x.[15] <- t256; ca <- (ca `^` t256); @@ -2013,7 +2195,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` di); a_4x.[17] <- t256; bmo <@ __rol_4u64 (t256, 15); - t256 <- VPANDN_256 bmi bmo; + t256 <- (VPANDN_256 bmi bmo); t256 <- (t256 `^` bme); e_4x.[16] <- t256; ce <- (ce `^` t256); 
@@ -2021,34 +2203,31 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` do_0); a_4x.[23] <- t256; bmu <@ __rol_4u64_rho56 (t256); - t256 <- VPANDN_256 bmo bmu; + t256 <- (VPANDN_256 bmo bmu); t256 <- (t256 `^` bmi); e_4x.[17] <- t256; ci <- (ci `^` t256); - t256 <- VPANDN_256 bmu bma; + t256 <- (VPANDN_256 bmu bma); t256 <- (t256 `^` bmo); e_4x.[18] <- t256; co <- (co `^` t256); - t256 <- VPANDN_256 bma bme; + t256 <- (VPANDN_256 bma bme); t256 <- (t256 `^` bmu); e_4x.[19] <- t256; cu <- (cu `^` t256); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __sixth_even (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t256:W256.t; var bsa:W256.t; var bse:W256.t; var bsi:W256.t; var bso:W256.t; var bsu:W256.t; - t256 <- a_4x.[2]; t256 <- (t256 `^` di); a_4x.[2] <- t256; @@ -2061,7 +2240,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` du); a_4x.[14] <- t256; bsi <@ __rol_4u64 (t256, 39); - t256 <- VPANDN_256 bse bsi; + t256 <- (VPANDN_256 bse bsi); t256 <- (t256 `^` bsa); e_4x.[20] <- t256; ca <- (ca `^` t256); @@ -2069,7 +2248,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` da); a_4x.[15] <- t256; bso <@ __rol_4u64 (t256, 41); - t256 <- VPANDN_256 bsi bso; + t256 <- (VPANDN_256 bsi bso); t256 <- (t256 `^` bse); e_4x.[21] <- t256; ce <- (ce `^` t256); 
@@ -2077,34 +2256,31 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` de); a_4x.[21] <- t256; bsu <@ __rol_4u64 (t256, 2); - t256 <- VPANDN_256 bso bsu; + t256 <- (VPANDN_256 bso bsu); t256 <- (t256 `^` bsi); e_4x.[22] <- t256; ci <- (ci `^` t256); - t256 <- VPANDN_256 bsu bsa; + t256 <- (VPANDN_256 bsu bsa); t256 <- (t256 `^` bso); e_4x.[23] <- t256; co <- (co `^` t256); - t256 <- VPANDN_256 bsa bse; + t256 <- (VPANDN_256 bsa bse); t256 <- (t256 `^` bsu); e_4x.[24] <- t256; cu <- (cu `^` t256); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __second_odd (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, index:int, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t256:W256.t; var bba:W256.t; var bbe:W256.t; var bbi:W256.t; var bbo:W256.t; var bbu:W256.t; - t256 <- a_4x.[0]; t256 <- (t256 `^` da); a_4x.[0] <- t256; @@ -2117,7 +2293,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` di); a_4x.[12] <- t256; bbi <@ __rol_4u64 (t256, 43); - t256 <- VPANDN_256 bbe bbi; + t256 <- (VPANDN_256 bbe bbi); t256 <- (t256 `^` bba); t256 <- (t256 `^` keccakF1600RoundConstants.[index]); e_4x.[0] <- t256; @@ -2126,7 +2302,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` do_0); a_4x.[18] <- t256; bbo <@ __rol_4u64 (t256, 21); - t256 <- VPANDN_256 bbi bbo; + t256 <- (VPANDN_256 bbi bbo); t256 <- (t256 `^` bbe); e_4x.[1] <- t256; ce <- t256; 
@@ -2134,21 +2310,20 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` du); a_4x.[24] <- t256; bbu <@ __rol_4u64 (t256, 14); - t256 <- VPANDN_256 bbo bbu; + t256 <- (VPANDN_256 bbo bbu); t256 <- (t256 `^` bbi); e_4x.[2] <- t256; ci <- t256; - t256 <- VPANDN_256 bbu bba; + t256 <- (VPANDN_256 bbu bba); t256 <- (t256 `^` bbo); e_4x.[3] <- t256; co <- t256; - t256 <- VPANDN_256 bba bbe; + t256 <- (VPANDN_256 bba bbe); t256 <- (t256 `^` bbu); e_4x.[4] <- t256; cu <- t256; return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __third_odd (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * @@ -2158,14 +2333,12 @@ module M(SC:Syscall_t) = { W256.t * W256.t * W256.t = { - var t256:W256.t; var bga:W256.t; var bge:W256.t; var bgi:W256.t; var bgo:W256.t; var bgu:W256.t; - t256 <- a_4x.[3]; t256 <- (t256 `^` do_0); a_4x.[3] <- t256; @@ -2178,7 +2351,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` da); a_4x.[10] <- t256; bgi <@ __rol_4u64 (t256, 3); - t256 <- VPANDN_256 bge bgi; + t256 <- (VPANDN_256 bge bgi); t256 <- (t256 `^` bga); e_4x.[5] <- t256; ca <- (ca `^` t256); @@ -2186,7 +2359,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` de); a_4x.[16] <- t256; bgo <@ __rol_4u64 (t256, 45); - t256 <- VPANDN_256 bgi bgo; + t256 <- (VPANDN_256 bgi bgo); t256 <- (t256 `^` bge); e_4x.[6] <- t256; ce <- (ce `^` t256); 
@@ -2194,34 +2367,31 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` di); a_4x.[22] <- t256; bgu <@ __rol_4u64 (t256, 61); - t256 <- VPANDN_256 bgo bgu; + t256 <- (VPANDN_256 bgo bgu); t256 <- (t256 `^` bgi); e_4x.[7] <- t256; ci <- (ci `^` t256); - t256 <- VPANDN_256 bgu bga; + t256 <- (VPANDN_256 bgu bga); t256 <- (t256 `^` bgo); e_4x.[8] <- t256; co <- (co `^` t256); - t256 <- VPANDN_256 bga bge; + t256 <- (VPANDN_256 bga bge); t256 <- (t256 `^` bgu); e_4x.[9] <- t256; cu <- (cu `^` t256); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __fourth_odd (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t256:W256.t; var bka:W256.t; var bke:W256.t; var bki:W256.t; var bko:W256.t; var bku:W256.t; - t256 <- a_4x.[1]; t256 <- (t256 `^` de); a_4x.[1] <- t256; @@ -2234,7 +2404,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` do_0); a_4x.[13] <- t256; bki <@ __rol_4u64 (t256, 25); - t256 <- VPANDN_256 bke bki; + t256 <- (VPANDN_256 bke bki); t256 <- (t256 `^` bka); e_4x.[10] <- t256; ca <- (ca `^` t256); @@ -2242,7 +2412,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` du); a_4x.[19] <- t256; bko <@ __rol_4u64_rho8 (t256); - t256 <- VPANDN_256 bki bko; + t256 <- (VPANDN_256 bki bko); t256 <- (t256 `^` bke); e_4x.[11] <- t256; ce <- (ce `^` t256); 
@@ -2250,21 +2420,20 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` da); a_4x.[20] <- t256; bku <@ __rol_4u64 (t256, 18); - t256 <- VPANDN_256 bko bku; + t256 <- (VPANDN_256 bko bku); t256 <- (t256 `^` bki); e_4x.[12] <- t256; ci <- (ci `^` t256); - t256 <- VPANDN_256 bku bka; + t256 <- (VPANDN_256 bku bka); t256 <- (t256 `^` bko); e_4x.[13] <- t256; co <- (co `^` t256); - t256 <- VPANDN_256 bka bke; + t256 <- (VPANDN_256 bka bke); t256 <- (t256 `^` bku); e_4x.[14] <- t256; cu <- (cu `^` t256); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __fifth_odd (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * @@ -2274,14 +2443,12 @@ module M(SC:Syscall_t) = { W256.t * W256.t * W256.t = { - var t256:W256.t; var bma:W256.t; var bme:W256.t; var bmi:W256.t; var bmo:W256.t; var bmu:W256.t; - t256 <- a_4x.[4]; t256 <- (t256 `^` du); a_4x.[4] <- t256; @@ -2294,7 +2461,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` de); a_4x.[11] <- t256; bmi <@ __rol_4u64 (t256, 10); - t256 <- VPANDN_256 bme bmi; + t256 <- (VPANDN_256 bme bmi); t256 <- (t256 `^` bma); e_4x.[15] <- t256; ca <- (ca `^` t256); @@ -2302,7 +2469,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` di); a_4x.[17] <- t256; bmo <@ __rol_4u64 (t256, 15); - t256 <- VPANDN_256 bmi bmo; + t256 <- (VPANDN_256 bmi bmo); t256 <- (t256 `^` bme); e_4x.[16] <- t256; ce <- (ce `^` t256); 
@@ -2310,21 +2477,20 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` do_0); a_4x.[23] <- t256; bmu <@ __rol_4u64_rho56 (t256); - t256 <- VPANDN_256 bmo bmu; + t256 <- (VPANDN_256 bmo bmu); t256 <- (t256 `^` bmi); e_4x.[17] <- t256; ci <- (ci `^` t256); - t256 <- VPANDN_256 bmu bma; + t256 <- (VPANDN_256 bmu bma); t256 <- (t256 `^` bmo); e_4x.[18] <- t256; co <- (co `^` t256); - t256 <- VPANDN_256 bma bme; + t256 <- (VPANDN_256 bma bme); t256 <- (t256 `^` bmu); e_4x.[19] <- t256; cu <- (cu `^` t256); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __sixth_odd (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * @@ -2334,14 +2500,12 @@ module M(SC:Syscall_t) = { W256.t * W256.t * W256.t = { - var t256:W256.t; var bsa:W256.t; var bse:W256.t; var bsi:W256.t; var bso:W256.t; var bsu:W256.t; - t256 <- a_4x.[2]; t256 <- (t256 `^` di); a_4x.[2] <- t256; @@ -2354,7 +2518,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` du); a_4x.[14] <- t256; bsi <@ __rol_4u64 (t256, 39); - t256 <- VPANDN_256 bse bsi; + t256 <- (VPANDN_256 bse bsi); t256 <- (t256 `^` bsa); e_4x.[20] <- t256; ca <- (ca `^` t256); @@ -2362,7 +2526,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` da); a_4x.[15] <- t256; bso <@ __rol_4u64 (t256, 41); - t256 <- VPANDN_256 bsi bso; + t256 <- (VPANDN_256 bsi bso); t256 <- (t256 `^` bse); e_4x.[21] <- t256; ce <- (ce `^` t256); 
@@ -2370,33 +2534,30 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` de); a_4x.[21] <- t256; bsu <@ __rol_4u64 (t256, 2); - t256 <- VPANDN_256 bso bsu; + t256 <- (VPANDN_256 bso bsu); t256 <- (t256 `^` bsi); e_4x.[22] <- t256; ci <- (ci `^` t256); - t256 <- VPANDN_256 bsu bsa; + t256 <- (VPANDN_256 bsu bsa); t256 <- (t256 `^` bso); e_4x.[23] <- t256; co <- (co `^` t256); - t256 <- VPANDN_256 bsa bse; + t256 <- (VPANDN_256 bsa bse); t256 <- (t256 `^` bsu); e_4x.[24] <- t256; cu <- (cu `^` t256); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __second_last (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, index:int, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t = { - var t256:W256.t; var bba:W256.t; var bbe:W256.t; var bbi:W256.t; var bbo:W256.t; var bbu:W256.t; - t256 <- a_4x.[0]; t256 <- (t256 `^` da); a_4x.[0] <- t256; @@ -2409,7 +2570,7 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` di); a_4x.[12] <- t256; bbi <@ __rol_4u64 (t256, 43); - t256 <- VPANDN_256 bbe bbi; + t256 <- (VPANDN_256 bbe bbi); t256 <- (t256 `^` bba); t256 <- (t256 `^` keccakF1600RoundConstants.[index]); e_4x.[0] <- t256; 
@@ -2417,36 +2578,33 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` do_0); a_4x.[18] <- t256; bbo <@ __rol_4u64 (t256, 21); - t256 <- VPANDN_256 bbi bbo; + t256 <- (VPANDN_256 bbi bbo); t256 <- (t256 `^` bbe); e_4x.[1] <- t256; t256 <- a_4x.[24]; t256 <- (t256 `^` du); a_4x.[24] <- t256; bbu <@ __rol_4u64 (t256, 14); - t256 <- VPANDN_256 bbo bbu; + t256 <- (VPANDN_256 bbo bbu); t256 <- (t256 `^` bbi); e_4x.[2] <- t256; - t256 <- VPANDN_256 bbu bba; + t256 <- (VPANDN_256 bbu bba); t256 <- (t256 `^` bbo); e_4x.[3] <- t256; - t256 <- VPANDN_256 bba bbe; + t256 <- (VPANDN_256 bba bbe); t256 <- (t256 `^` bbu); e_4x.[4] <- t256; return (a_4x, e_4x); } - proc __third_last (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t = { - var t256:W256.t; var bga:W256.t; var bge:W256.t; var bgi:W256.t; var bgo:W256.t; var bgu:W256.t; - t256 <- a_4x.[3]; t256 <- (t256 `^` do_0); a_4x.[3] <- t256; 
@@ -2459,43 +2617,40 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` da); a_4x.[10] <- t256; bgi <@ __rol_4u64 (t256, 3); - t256 <- VPANDN_256 bge bgi; + t256 <- (VPANDN_256 bge bgi); t256 <- (t256 `^` bga); e_4x.[5] <- t256; t256 <- a_4x.[16]; t256 <- (t256 `^` de); a_4x.[16] <- t256; bgo <@ __rol_4u64 (t256, 45); - t256 <- VPANDN_256 bgi bgo; + t256 <- (VPANDN_256 bgi bgo); t256 <- (t256 `^` bge); e_4x.[6] <- t256; t256 <- a_4x.[22]; t256 <- (t256 `^` di); a_4x.[22] <- t256; bgu <@ __rol_4u64 (t256, 61); - t256 <- VPANDN_256 bgo bgu; + t256 <- (VPANDN_256 bgo bgu); t256 <- (t256 `^` bgi); e_4x.[7] <- t256; - t256 <- VPANDN_256 bgu bga; + t256 <- (VPANDN_256 bgu bga); t256 <- (t256 `^` bgo); e_4x.[8] <- t256; - t256 <- VPANDN_256 bga bge; + t256 <- (VPANDN_256 bga bge); t256 <- (t256 `^` bgu); e_4x.[9] <- t256; return (a_4x, e_4x); } - proc __fourth_last (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t = { - var t256:W256.t; var bka:W256.t; var bke:W256.t; var bki:W256.t; var bko:W256.t; var bku:W256.t; - t256 <- a_4x.[1]; t256 <- (t256 `^` de); a_4x.[1] <- t256; 
@@ -2508,43 +2663,40 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` do_0); a_4x.[13] <- t256; bki <@ __rol_4u64 (t256, 25); - t256 <- VPANDN_256 bke bki; + t256 <- (VPANDN_256 bke bki); t256 <- (t256 `^` bka); e_4x.[10] <- t256; t256 <- a_4x.[19]; t256 <- (t256 `^` du); a_4x.[19] <- t256; bko <@ __rol_4u64_rho8 (t256); - t256 <- VPANDN_256 bki bko; + t256 <- (VPANDN_256 bki bko); t256 <- (t256 `^` bke); e_4x.[11] <- t256; t256 <- a_4x.[20]; t256 <- (t256 `^` da); a_4x.[20] <- t256; bku <@ __rol_4u64 (t256, 18); - t256 <- VPANDN_256 bko bku; + t256 <- (VPANDN_256 bko bku); t256 <- (t256 `^` bki); e_4x.[12] <- t256; - t256 <- VPANDN_256 bku bka; + t256 <- (VPANDN_256 bku bka); t256 <- (t256 `^` bko); e_4x.[13] <- t256; - t256 <- VPANDN_256 bka bke; + t256 <- (VPANDN_256 bka bke); t256 <- (t256 `^` bku); e_4x.[14] <- t256; return (a_4x, e_4x); } - proc __fifth_last (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t = { - var t256:W256.t; var bma:W256.t; var bme:W256.t; var bmi:W256.t; var bmo:W256.t; var bmu:W256.t; - t256 <- a_4x.[4]; t256 <- (t256 `^` du); a_4x.[4] <- t256; 
@@ -2557,43 +2709,40 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` de); a_4x.[11] <- t256; bmi <@ __rol_4u64 (t256, 10); - t256 <- VPANDN_256 bme bmi; + t256 <- (VPANDN_256 bme bmi); t256 <- (t256 `^` bma); e_4x.[15] <- t256; t256 <- a_4x.[17]; t256 <- (t256 `^` di); a_4x.[17] <- t256; bmo <@ __rol_4u64 (t256, 15); - t256 <- VPANDN_256 bmi bmo; + t256 <- (VPANDN_256 bmi bmo); t256 <- (t256 `^` bme); e_4x.[16] <- t256; t256 <- a_4x.[23]; t256 <- (t256 `^` do_0); a_4x.[23] <- t256; bmu <@ __rol_4u64_rho56 (t256); - t256 <- VPANDN_256 bmo bmu; + t256 <- (VPANDN_256 bmo bmu); t256 <- (t256 `^` bmi); e_4x.[17] <- t256; - t256 <- VPANDN_256 bmu bma; + t256 <- (VPANDN_256 bmu bma); t256 <- (t256 `^` bmo); e_4x.[18] <- t256; - t256 <- VPANDN_256 bma bme; + t256 <- (VPANDN_256 bma bme); t256 <- (t256 `^` bmu); e_4x.[19] <- t256; return (a_4x, e_4x); } - proc __sixth_last (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, da:W256.t, de:W256.t, di:W256.t, do_0:W256.t, du:W256.t) : W256.t Array25.t * W256.t Array25.t = { - var t256:W256.t; var bsa:W256.t; var bse:W256.t; var bsi:W256.t; var bso:W256.t; var bsu:W256.t; - t256 <- a_4x.[2]; t256 <- (t256 `^` di); a_4x.[2] <- t256; 
@@ -2606,32 +2755,31 @@ module M(SC:Syscall_t) = { t256 <- (t256 `^` du); a_4x.[14] <- t256; bsi <@ __rol_4u64 (t256, 39); - t256 <- VPANDN_256 bse bsi; + t256 <- (VPANDN_256 bse bsi); t256 <- (t256 `^` bsa); e_4x.[20] <- t256; t256 <- a_4x.[15]; t256 <- (t256 `^` da); a_4x.[15] <- t256; bso <@ __rol_4u64 (t256, 41); - t256 <- VPANDN_256 bsi bso; + t256 <- (VPANDN_256 bsi bso); t256 <- (t256 `^` bse); e_4x.[21] <- t256; t256 <- a_4x.[21]; t256 <- (t256 `^` de); a_4x.[21] <- t256; bsu <@ __rol_4u64 (t256, 2); - t256 <- VPANDN_256 bso bsu; + t256 <- (VPANDN_256 bso bsu); t256 <- (t256 `^` bsi); e_4x.[22] <- t256; - t256 <- VPANDN_256 bsu bsa; + t256 <- (VPANDN_256 bsu bsa); t256 <- (t256 `^` bso); e_4x.[23] <- t256; - t256 <- VPANDN_256 bsa bse; + t256 <- (VPANDN_256 bsa bse); t256 <- (t256 `^` bsu); e_4x.[24] <- t256; return (a_4x, e_4x); } - proc __theta_rho_pi_chi_iota_prepare_theta_even (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, index:int, ca:W256.t, 
@@ -2639,27 +2787,24 @@ module M(SC:Syscall_t) = { co:W256.t, cu:W256.t) : W256.t Array25.t * W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var da:W256.t; var de:W256.t; var di:W256.t; var do_0:W256.t; var du:W256.t; - (da, de, di, do_0, du) <@ __first (ca, ce, ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __second_even (a_4x, e_4x, index, ca, + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __second_even (a_4x, e_4x, index, + ca, ce, ci, co, cu, da, de, di, do_0, du); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __third_even (a_4x, e_4x, ca, + ce, ci, co, cu, da, de, di, do_0, du); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __fourth_even (a_4x, e_4x, ca, + ce, ci, co, cu, da, de, di, do_0, du); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __fifth_even (a_4x, e_4x, ca, + ce, ci, co, cu, da, de, di, do_0, du); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __sixth_even (a_4x, e_4x, ca, ce, ci, co, cu, da, de, di, do_0, du); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __third_even (a_4x, e_4x, ca, ce, ci, - co, cu, da, de, di, do_0, du); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __fourth_even (a_4x, e_4x, ca, ce, - ci, co, cu, da, de, di, do_0, du); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __fifth_even (a_4x, e_4x, ca, ce, ci, - co, cu, da, de, di, do_0, du); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __sixth_even (a_4x, e_4x, ca, ce, ci, - co, cu, da, de, di, do_0, du); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __theta_rho_pi_chi_iota_prepare_theta_odd (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, index:int, ca:W256.t, 
@@ -2667,38 +2812,33 @@ module M(SC:Syscall_t) = { co:W256.t, cu:W256.t) : W256.t Array25.t * W256.t Array25.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var da:W256.t; var de:W256.t; var di:W256.t; var do_0:W256.t; var du:W256.t; - (da, de, di, do_0, du) <@ __first (ca, ce, ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __second_odd (a_4x, e_4x, index, ca, + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __second_odd (a_4x, e_4x, index, + ca, ce, ci, co, cu, da, de, di, do_0, du); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __third_odd (a_4x, e_4x, ca, + ce, ci, co, cu, da, de, di, do_0, du); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __fourth_odd (a_4x, e_4x, ca, + ce, ci, co, cu, da, de, di, do_0, du); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __fifth_odd (a_4x, e_4x, ca, + ce, ci, co, cu, da, de, di, do_0, du); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __sixth_odd (a_4x, e_4x, ca, ce, ci, co, cu, da, de, di, do_0, du); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __third_odd (a_4x, e_4x, ca, ce, ci, - co, cu, da, de, di, do_0, du); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __fourth_odd (a_4x, e_4x, ca, ce, ci, - co, cu, da, de, di, do_0, du); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __fifth_odd (a_4x, e_4x, ca, ce, ci, - co, cu, da, de, di, do_0, du); - (a_4x, e_4x, ca, ce, ci, co, cu) <@ __sixth_odd (a_4x, e_4x, ca, ce, ci, - co, cu, da, de, di, do_0, du); return (a_4x, e_4x, ca, ce, ci, co, cu); } - proc __theta_rho_pi_chi_iota (a_4x:W256.t Array25.t, e_4x:W256.t Array25.t, index:int, ca:W256.t, ce:W256.t, ci:W256.t, co:W256.t, cu:W256.t) : W256.t Array25.t * W256.t Array25.t = { - var da:W256.t; var de:W256.t; var di:W256.t; var do_0:W256.t; var du:W256.t; - (da, de, di, do_0, du) <@ __first (ca, ce, ci, co, cu); (a_4x, e_4x) <@ __second_last (a_4x, e_4x, index, da, de, di, do_0, du); (a_4x, e_4x) <@ __third_last (a_4x, e_4x, da, de, di, do_0, du); 
@@ -2707,9 +2847,7 @@ module M(SC:Syscall_t) = { (a_4x, e_4x) <@ __sixth_last (a_4x, e_4x, da, de, di, do_0, du); return (a_4x, e_4x); } - proc _KeccakF1600_StatePermute4x (a_4x:W256.t Array25.t) : W256.t Array25.t = { - var ca:W256.t; var ce:W256.t; var ci:W256.t; 
@@ -2718,164 +2856,156 @@ module M(SC:Syscall_t) = { var e_4x:W256.t Array25.t; e_4x <- witness; (ca, ce, ci, co, cu) <@ __prepare_theta (a_4x); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 0, ca, ce, - ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 1, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 2, ca, ce, + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 0, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 1, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 2, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 3, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 4, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 5, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 6, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 7, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 8, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 9, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 10, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 11, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ 
__theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 12, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 13, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 14, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 15, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 16, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 17, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 18, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 19, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 20, ca, ce, ci, co, cu); + (e_4x, a_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd ( + e_4x, a_4x, 21, ca, ce, ci, co, cu); + (a_4x, e_4x, ca, ce, ci, co, cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even ( + a_4x, e_4x, 22, ca, ce, ci, co, cu); + (e_4x, a_4x) <@ __theta_rho_pi_chi_iota (e_4x, a_4x, 23, ca, ce, ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 3, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 4, ca, ce, - ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 5, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 6, ca, ce, - ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 7, ca, ce, - ci, co, cu); - (a_4x, 
e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 8, ca, ce, - ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 9, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 10, ca, - ce, ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 11, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 12, ca, - ce, ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 13, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 14, ca, - ce, ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 15, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 16, ca, - ce, ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 17, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 18, ca, - ce, ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 19, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 20, ca, - ce, ci, co, cu); - (e_4x, a_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_odd (e_4x, a_4x, 21, ca, ce, - ci, co, cu); - (a_4x, e_4x, ca, ce, ci, co, - cu) <@ __theta_rho_pi_chi_iota_prepare_theta_even (a_4x, e_4x, 22, ca, - ce, ci, co, cu); - (e_4x, a_4x) <@ __theta_rho_pi_chi_iota (e_4x, a_4x, 23, ca, ce, ci, co, - cu); - return (a_4x); - } - + return a_4x; + } proc _shake256_absorb4x_33 (s:W256.t Array25.t, 
m0:W8.t Array33.t, m1:W8.t Array33.t, m2:W8.t Array33.t, m3:W8.t Array33.t) : W256.t Array25.t = { - var aux: int; - + var aux:int; var t0:W256.t; var i:int; var t64:W64.t; var t8:W8.t; var t1:W256.t; - i <- 0; - while (i < 25) { - t0 <- set0_256 ; + while ((i < 25)) { + t0 <- (set0_256); s.[i] <- t0; - i <- i + 1; + i <- (i + 1); } i <- 0; - while (i < 4) { - t64 <- (get64 (WArray33.init8 (fun i_0 => (m0).[i_0])) i); + while ((i < 4)) { + t64 <- (get64 (WArray33.init8 (fun i_0 => m0.[i_0])) i); s <- - Array25.init - (WArray800.get256 (WArray800.set64 (WArray800.init256 (fun i_0 => (s).[i_0])) (4 * i) (( - (get64 (WArray800.init256 (fun i_0 => (s).[i_0])) (4 * i)) `^` t64)))); - t64 <- (get64 (WArray33.init8 (fun i_0 => (m1).[i_0])) i); + (Array25.init + (WArray800.get256 + (WArray800.set64 (WArray800.init256 (fun i_0 => s.[i_0])) (4 * i) + ((get64 (WArray800.init256 (fun i_0 => s.[i_0])) (4 * i)) `^` t64)))); + t64 <- (get64 (WArray33.init8 (fun i_0 => m1.[i_0])) i); s <- - Array25.init - (WArray800.get256 (WArray800.set64 (WArray800.init256 (fun i_0 => (s).[i_0])) ((4 * i) + 1) (( - (get64 (WArray800.init256 (fun i_0 => (s).[i_0])) ((4 * i) + 1)) `^` t64)))); - t64 <- (get64 (WArray33.init8 (fun i_0 => (m2).[i_0])) i); + (Array25.init + (WArray800.get256 + (WArray800.set64 (WArray800.init256 (fun i_0 => s.[i_0])) ((4 * i) + 1) + ((get64 (WArray800.init256 (fun i_0 => s.[i_0])) ((4 * i) + 1)) `^` + t64)))); + t64 <- (get64 (WArray33.init8 (fun i_0 => m2.[i_0])) i); s <- - Array25.init - (WArray800.get256 (WArray800.set64 (WArray800.init256 (fun i_0 => (s).[i_0])) ((4 * i) + 2) (( - (get64 (WArray800.init256 (fun i_0 => (s).[i_0])) ((4 * i) + 2)) `^` t64)))); - t64 <- (get64 (WArray33.init8 (fun i_0 => (m3).[i_0])) i); + (Array25.init + (WArray800.get256 + (WArray800.set64 (WArray800.init256 (fun i_0 => s.[i_0])) ((4 * i) + 2) + ((get64 (WArray800.init256 (fun i_0 => s.[i_0])) ((4 * i) + 2)) `^` + t64)))); + t64 <- (get64 (WArray33.init8 (fun i_0 => m3.[i_0])) i); 
s <- - Array25.init - (WArray800.get256 (WArray800.set64 (WArray800.init256 (fun i_0 => (s).[i_0])) ((4 * i) + 3) (( - (get64 (WArray800.init256 (fun i_0 => (s).[i_0])) ((4 * i) + 3)) `^` t64)))); - i <- i + 1; + (Array25.init + (WArray800.get256 + (WArray800.set64 (WArray800.init256 (fun i_0 => s.[i_0])) ((4 * i) + 3) + ((get64 (WArray800.init256 (fun i_0 => s.[i_0])) ((4 * i) + 3)) `^` + t64)))); + i <- (i + 1); } t8 <- m0.[32]; s <- - Array25.init - (WArray800.get256 (WArray800.set8 (WArray800.init256 (fun i_0 => (s).[i_0])) 128 (( - (get8 (WArray800.init256 (fun i_0 => (s).[i_0])) 128) `^` t8)))); + (Array25.init + (WArray800.get256 + (WArray800.set8 (WArray800.init256 (fun i_0 => s.[i_0])) 128 + ((get8 (WArray800.init256 (fun i_0 => s.[i_0])) 128) `^` t8)))); s <- - Array25.init - (WArray800.get256 (WArray800.set8 (WArray800.init256 (fun i_0 => (s).[i_0])) 129 (( - (get8 (WArray800.init256 (fun i_0 => (s).[i_0])) 129) `^` (W8.of_int 31))))); + (Array25.init + (WArray800.get256 + (WArray800.set8 (WArray800.init256 (fun i_0 => s.[i_0])) 129 + ((get8 (WArray800.init256 (fun i_0 => s.[i_0])) 129) `^` (W8.of_int 31))) + )); t8 <- m1.[32]; s <- - Array25.init - (WArray800.get256 (WArray800.set8 (WArray800.init256 (fun i_0 => (s).[i_0])) 136 (( - (get8 (WArray800.init256 (fun i_0 => (s).[i_0])) 136) `^` t8)))); + (Array25.init + (WArray800.get256 + (WArray800.set8 (WArray800.init256 (fun i_0 => s.[i_0])) 136 + ((get8 (WArray800.init256 (fun i_0 => s.[i_0])) 136) `^` t8)))); s <- - Array25.init - (WArray800.get256 (WArray800.set8 (WArray800.init256 (fun i_0 => (s).[i_0])) 137 (( - (get8 (WArray800.init256 (fun i_0 => (s).[i_0])) 137) `^` (W8.of_int 31))))); + (Array25.init + (WArray800.get256 + (WArray800.set8 (WArray800.init256 (fun i_0 => s.[i_0])) 137 + ((get8 (WArray800.init256 (fun i_0 => s.[i_0])) 137) `^` (W8.of_int 31))) + )); t8 <- m2.[32]; s <- - Array25.init - (WArray800.get256 (WArray800.set8 (WArray800.init256 (fun i_0 => (s).[i_0])) 144 (( - (get8 
(WArray800.init256 (fun i_0 => (s).[i_0])) 144) `^` t8)))); + (Array25.init + (WArray800.get256 + (WArray800.set8 (WArray800.init256 (fun i_0 => s.[i_0])) 144 + ((get8 (WArray800.init256 (fun i_0 => s.[i_0])) 144) `^` t8)))); s <- - Array25.init - (WArray800.get256 (WArray800.set8 (WArray800.init256 (fun i_0 => (s).[i_0])) 145 (( - (get8 (WArray800.init256 (fun i_0 => (s).[i_0])) 145) `^` (W8.of_int 31))))); + (Array25.init + (WArray800.get256 + (WArray800.set8 (WArray800.init256 (fun i_0 => s.[i_0])) 145 + ((get8 (WArray800.init256 (fun i_0 => s.[i_0])) 145) `^` (W8.of_int 31))) + )); t8 <- m3.[32]; s <- - Array25.init - (WArray800.get256 (WArray800.set8 (WArray800.init256 (fun i_0 => (s).[i_0])) 152 (( - (get8 (WArray800.init256 (fun i_0 => (s).[i_0])) 152) `^` t8)))); + (Array25.init + (WArray800.get256 + (WArray800.set8 (WArray800.init256 (fun i_0 => s.[i_0])) 152 + ((get8 (WArray800.init256 (fun i_0 => s.[i_0])) 152) `^` t8)))); s <- - Array25.init - (WArray800.get256 (WArray800.set8 (WArray800.init256 (fun i_0 => (s).[i_0])) 153 (( - (get8 (WArray800.init256 (fun i_0 => (s).[i_0])) 153) `^` (W8.of_int 31))))); - t0 <- (get256 (WArray32.init64 (fun i_0 => (shake_sep).[i_0])) 0); + (Array25.init + (WArray800.get256 + (WArray800.set8 (WArray800.init256 (fun i_0 => s.[i_0])) 153 + ((get8 (WArray800.init256 (fun i_0 => s.[i_0])) 153) `^` (W8.of_int 31))) + )); + t0 <- (get256 (WArray32.init64 (fun i_0 => shake_sep.[i_0])) 0); t1 <- s.[((136 %/ 8) - 1)]; t0 <- (t0 `^` t1); s.[((136 %/ 8) - 1)] <- t0; - return (s); + return s; } - proc __shake256_squeezeblock4x (state:W256.t Array25.t, h0:W8.t Array136.t, h1:W8.t Array136.t, h2:W8.t Array136.t, h3:W8.t Array136.t) : W256.t Array25.t * 
@@ -2883,133 +3013,120 @@ module M(SC:Syscall_t) = { W8.t Array136.t * W8.t Array136.t * W8.t Array136.t = { - var aux: int; - + var aux:int; var i:int; var t256:W256.t; var t128:W128.t; - state <@ _KeccakF1600_StatePermute4x (state); aux <- (136 %/ 8); i <- 0; - while (i < aux) { + while ((i < aux)) { t256 <- state.[i]; t128 <- (truncateu128 t256); h0 <- - Array136.init - (WArray136.get8 (WArray136.set64 (WArray136.init8 (fun i_0 => (h0).[i_0])) i (VMOVLPD t128))); + (Array136.init + (WArray136.get8 + (WArray136.set64 (WArray136.init8 (fun i_0 => h0.[i_0])) i + (VMOVLPD t128)))); h1 <- - Array136.init - (WArray136.get8 (WArray136.set64 (WArray136.init8 (fun i_0 => (h1).[i_0])) i (VMOVHPD t128))); - t128 <- VEXTRACTI128 t256 (W8.of_int 1); + (Array136.init + (WArray136.get8 + (WArray136.set64 (WArray136.init8 (fun i_0 => h1.[i_0])) i + (VMOVHPD t128)))); + t128 <- (VEXTRACTI128 t256 (W8.of_int 1)); h2 <- - Array136.init - (WArray136.get8 (WArray136.set64 (WArray136.init8 (fun i_0 => (h2).[i_0])) i (VMOVLPD t128))); + (Array136.init + (WArray136.get8 + (WArray136.set64 (WArray136.init8 (fun i_0 => h2.[i_0])) i + (VMOVLPD t128)))); h3 <- - Array136.init - (WArray136.get8 (WArray136.set64 (WArray136.init8 (fun i_0 => (h3).[i_0])) i (VMOVHPD t128))); - i <- i + 1; + (Array136.init + (WArray136.get8 + (WArray136.set64 (WArray136.init8 (fun i_0 => h3.[i_0])) i + (VMOVHPD t128)))); + i <- (i + 1); } return (state, h0, h1, h2, h3); } - proc _poly_add2 (rp:W16.t Array256.t, bp:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var i:int; var a:W256.t; var b:W256.t; var r:W256.t; - i <- 0; - while (i < 16) { - a <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * i)); - b <- - (get256_direct (WArray512.init16 (fun i_0 => (bp).[i_0])) (32 * i)); - r <- VPADD_16u16 a b; + while ((i < 16)) { + a <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * i)); + b <- (get256_direct (WArray512.init16 (fun i_0 => bp.[i_0])) (32 * i)); + 
r <- (VPADD_16u16 a b); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * i) (r))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * i) r))); + i <- (i + 1); } - return (rp); + return rp; } - proc _poly_csubq (rp:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var qx16:W256.t; var i:int; var r:W256.t; - - qx16 <- (get256 (WArray32.init16 (fun i_0 => (jqx16).[i_0])) 0); + qx16 <- (get256 (WArray32.init16 (fun i_0 => jqx16.[i_0])) 0); i <- 0; - while (i < 16) { - r <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * i)); + while ((i < 16)) { + r <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * i)); r <@ __csubq (r, qx16); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * i) (r))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * i) r))); + i <- (i + 1); } - return (rp); + return rp; } - proc __w256_interleave_u16 (al:W256.t, ah:W256.t) : W256.t * W256.t = { - var a0:W256.t; var a1:W256.t; - - a0 <- VPUNPCKL_16u16 al ah; - a1 <- VPUNPCKH_16u16 al ah; + a0 <- (VPUNPCKL_16u16 al ah); + a1 <- (VPUNPCKH_16u16 al ah); return (a0, a1); } - proc __w256_deinterleave_u16 (_zero:W256.t, a0:W256.t, a1:W256.t) : W256.t * W256.t = { - var al:W256.t; var ah:W256.t; - - al <- VPBLEND_16u16 a0 _zero (W8.of_int 170); - ah <- VPBLEND_16u16 a1 _zero (W8.of_int 170); - al <- VPACKUS_8u32 al ah; - a0 <- VPSRL_8u32 a0 (W8.of_int 16); - a1 <- VPSRL_8u32 a1 (W8.of_int 16); - ah <- VPACKUS_8u32 a0 a1; + al <- (VPBLEND_16u16 a0 _zero (W8.of_int 170)); + ah <- (VPBLEND_16u16 a1 _zero (W8.of_int 170)); + al <- (VPACKUS_8u32 al ah); + a0 <- (VPSRL_8u32 a0 (W8.of_int 16)); + a1 <- (VPSRL_8u32 a1 (W8.of_int 16)); + ah <- (VPACKUS_8u32 a0 a1); return (al, ah); } 
- proc __mont_red (lo:W256.t, hi:W256.t, qx16:W256.t, qinvx16:W256.t) : W256.t = { - var m:W256.t; - - m <- VPMULL_16u16 lo qinvx16; - m <- VPMULH_16u16 m qx16; - lo <- VPSUB_16u16 hi m; - return (lo); + m <- (VPMULL_16u16 lo qinvx16); + m <- (VPMULH_16u16 m qx16); + lo <- (VPSUB_16u16 hi m); + return lo; } - proc __wmul_16u16 (x:W256.t, y:W256.t) : W256.t * W256.t = { - var xy0:W256.t; var xy1:W256.t; var xyL:W256.t; var xyH:W256.t; - - xyL <- VPMULL_16u16 x y; - xyH <- VPMULH_16u16 x y; + xyL <- (VPMULL_16u16 x y); + xyH <- (VPMULH_16u16 x y); (xy0, xy1) <@ __w256_interleave_u16 (xyL, xyH); return (xy0, xy1); } - proc __schoolbook16x (are:W256.t, aim:W256.t, bre:W256.t, bim:W256.t, zeta_0:W256.t, zetaqinv:W256.t, qx16:W256.t, qinvx16:W256.t, sign:int) : W256.t * W256.t = { - var x0:W256.t; var y0:W256.t; var zaim:W256.t; @@ -3024,32 +3141,29 @@ module M(SC:Syscall_t) = { var x1:W256.t; var y1:W256.t; var _zero:W256.t; - zaim <@ __fqmulprecomp16x (aim, zetaqinv, zeta_0, qx16); (ac0, ac1) <@ __wmul_16u16 (are, bre); (ad0, ad1) <@ __wmul_16u16 (are, bim); (bc0, bc1) <@ __wmul_16u16 (aim, bre); (zbd0, zbd1) <@ __wmul_16u16 (zaim, bim); if ((sign = 0)) { - x0 <- VPADD_8u32 ac0 zbd0; - x1 <- VPADD_8u32 ac1 zbd1; + x0 <- (VPADD_8u32 ac0 zbd0); + x1 <- (VPADD_8u32 ac1 zbd1); } else { - x0 <- VPSUB_8u32 ac0 zbd0; - x1 <- VPSUB_8u32 ac1 zbd1; + x0 <- (VPSUB_8u32 ac0 zbd0); + x1 <- (VPSUB_8u32 ac1 zbd1); } - y0 <- VPADD_8u32 bc0 ad0; - y1 <- VPADD_8u32 bc1 ad1; - _zero <- set0_256 ; + y0 <- (VPADD_8u32 bc0 ad0); + y1 <- (VPADD_8u32 bc1 ad1); + _zero <- (set0_256); (x0, x1) <@ __w256_deinterleave_u16 (_zero, x0, x1); (y0, y1) <@ __w256_deinterleave_u16 (_zero, y0, y1); x0 <@ __mont_red (x0, x1, qx16, qinvx16); y0 <@ __mont_red (y0, y1, qx16, qinvx16); return (x0, y0); } - proc _poly_basemul (rp:W16.t Array256.t, ap:W16.t Array256.t, bp:W16.t Array256.t) : W16.t Array256.t = { - var qx16:W256.t; var qinvx16:W256.t; var zetaqinv:W256.t; 
@@ -3058,127 +3172,156 @@ module M(SC:Syscall_t) = { var aim:W256.t; var bre:W256.t; var bim:W256.t; - - qx16 <- (get256_direct (WArray32.init16 (fun i => (jqx16).[i])) 0); - qinvx16 <- (get256_direct (WArray32.init16 (fun i => (jqinvx16).[i])) 0); + qx16 <- (get256_direct (WArray32.init16 (fun i => jqx16.[i])) 0); + qinvx16 <- (get256_direct (WArray32.init16 (fun i => jqinvx16.[i])) 0); zetaqinv <- - (get256_direct (WArray800.init16 (fun i => (jzetas_exp).[i])) 272); + (get256_direct (WArray800.init16 (fun i => jzetas_exp.[i])) 272); zeta_0 <- - (get256_direct (WArray800.init16 (fun i => (jzetas_exp).[i])) 304); - are <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 0)); - aim <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 1)); - bre <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 0)); - bim <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 1)); + (get256_direct (WArray800.init16 (fun i => jzetas_exp.[i])) 304); + are <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 0)); + aim <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 1)); + bre <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 0)); + bim <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 1)); (are, aim) <@ __schoolbook16x (are, aim, bre, bim, zeta_0, zetaqinv, qx16, qinvx16, 0); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 0) (are))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 0) + are))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 1) (aim))); - are <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 2)); - aim <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 3)); - bre <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 2)); - bim <- (get256_direct (WArray512.init16 (fun i => 
(bp).[i])) (32 * 3)); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 1) + aim))); + are <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 2)); + aim <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 3)); + bre <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 2)); + bim <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 3)); (are, aim) <@ __schoolbook16x (are, aim, bre, bim, zeta_0, zetaqinv, qx16, qinvx16, 1); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 2) (are))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 2) + are))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 3) (aim))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 3) + aim))); zetaqinv <- - (get256_direct (WArray800.init16 (fun i => (jzetas_exp).[i])) 336); + (get256_direct (WArray800.init16 (fun i => jzetas_exp.[i])) 336); zeta_0 <- - (get256_direct (WArray800.init16 (fun i => (jzetas_exp).[i])) 368); - are <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 4)); - aim <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 5)); - bre <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 4)); - bim <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 5)); + (get256_direct (WArray800.init16 (fun i => jzetas_exp.[i])) 368); + are <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 4)); + aim <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 5)); + bre <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 4)); + bim <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 5)); (are, aim) <@ __schoolbook16x (are, aim, bre, bim, zeta_0, zetaqinv, qx16, qinvx16, 0); rp <- - Array256.init - 
(WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 4) (are))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 4) + are))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 5) (aim))); - are <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 6)); - aim <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 7)); - bre <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 6)); - bim <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 7)); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 5) + aim))); + are <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 6)); + aim <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 7)); + bre <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 6)); + bim <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 7)); (are, aim) <@ __schoolbook16x (are, aim, bre, bim, zeta_0, zetaqinv, qx16, qinvx16, 1); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 6) (are))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 6) + are))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 7) (aim))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 7) + aim))); zetaqinv <- - (get256_direct (WArray800.init16 (fun i => (jzetas_exp).[i])) 664); + (get256_direct (WArray800.init16 (fun i => jzetas_exp.[i])) 664); zeta_0 <- - (get256_direct (WArray800.init16 (fun i => (jzetas_exp).[i])) 696); - are <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 8)); - aim <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 9)); - bre 
<- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 8)); - bim <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 9)); + (get256_direct (WArray800.init16 (fun i => jzetas_exp.[i])) 696); + are <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 8)); + aim <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 9)); + bre <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 8)); + bim <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 9)); (are, aim) <@ __schoolbook16x (are, aim, bre, bim, zeta_0, zetaqinv, qx16, qinvx16, 0); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 8) (are))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 8) + are))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 9) (aim))); - are <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 10)); - aim <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 11)); - bre <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 10)); - bim <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 11)); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 9) + aim))); + are <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 10)); + aim <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 11)); + bre <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 10)); + bim <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 11)); (are, aim) <@ __schoolbook16x (are, aim, bre, bim, zeta_0, zetaqinv, qx16, qinvx16, 1); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 10) (are))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 10) + are))); rp <- 
- Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 11) (aim))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 11) + aim))); zetaqinv <- - (get256_direct (WArray800.init16 (fun i => (jzetas_exp).[i])) 728); + (get256_direct (WArray800.init16 (fun i => jzetas_exp.[i])) 728); zeta_0 <- - (get256_direct (WArray800.init16 (fun i => (jzetas_exp).[i])) 760); - are <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 12)); - aim <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 13)); - bre <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 12)); - bim <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 13)); + (get256_direct (WArray800.init16 (fun i => jzetas_exp.[i])) 760); + are <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 12)); + aim <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 13)); + bre <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 12)); + bim <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 13)); (are, aim) <@ __schoolbook16x (are, aim, bre, bim, zeta_0, zetaqinv, qx16, qinvx16, 0); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 12) (are))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 12) + are))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 13) (aim))); - are <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 14)); - aim <- (get256_direct (WArray512.init16 (fun i => (ap).[i])) (32 * 15)); - bre <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 14)); - bim <- (get256_direct (WArray512.init16 (fun i => (bp).[i])) (32 * 15)); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 13) + 
aim))); + are <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 14)); + aim <- (get256_direct (WArray512.init16 (fun i => ap.[i])) (32 * 15)); + bre <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 14)); + bim <- (get256_direct (WArray512.init16 (fun i => bp.[i])) (32 * 15)); (are, aim) <@ __schoolbook16x (are, aim, bre, bim, zeta_0, zetaqinv, qx16, qinvx16, 1); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 14) (are))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 14) + are))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i => (rp).[i])) (32 * 15) (aim))); - return (rp); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i => rp.[i])) (32 * 15) + aim))); + return rp; } - proc _poly_compress (rp:W64.t, a:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var x16p:W16.t Array16.t; var v:W256.t; var shift1:W256.t; 
@@ -3193,48 +3336,45 @@ module M(SC:Syscall_t) = { x16p <- witness; a <@ _poly_csubq (a); x16p <- jvx16; - v <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); - shift1 <- VPBROADCAST_16u16 pc_shift1_s; - mask <- VPBROADCAST_16u16 pc_mask_s; - shift2 <- VPBROADCAST_16u16 pc_shift2_s; - permidx <- - (get256 (WArray32.init32 (fun i_0 => (pc_permidx_s).[i_0])) 0); + v <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); + shift1 <- (VPBROADCAST_16u16 pc_shift1_s); + mask <- (VPBROADCAST_16u16 pc_mask_s); + shift2 <- (VPBROADCAST_16u16 pc_shift2_s); + permidx <- (get256 (WArray32.init32 (fun i_0 => pc_permidx_s.[i_0])) 0); aux <- (256 %/ 64); i <- 0; - while (i < aux) { - f0 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) (4 * i)); - f1 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((4 * i) + 1)); - f2 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((4 * i) + 2)); - f3 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((4 * i) + 3)); - f0 <- VPMULH_16u16 f0 v; - f1 <- VPMULH_16u16 f1 v; - f2 <- VPMULH_16u16 f2 v; - f3 <- VPMULH_16u16 f3 v; - f0 <- VPMULHRS_16u16 f0 shift1; - f1 <- VPMULHRS_16u16 f1 shift1; - f2 <- VPMULHRS_16u16 f2 shift1; - f3 <- VPMULHRS_16u16 f3 shift1; - f0 <- VPAND_256 f0 mask; - f1 <- VPAND_256 f1 mask; - f2 <- VPAND_256 f2 mask; - f3 <- VPAND_256 f3 mask; - f0 <- VPACKUS_16u16 f0 f1; - f2 <- VPACKUS_16u16 f2 f3; - f0 <- VPMADDUBSW_256 f0 shift2; - f2 <- VPMADDUBSW_256 f2 shift2; - f0 <- VPACKUS_16u16 f0 f2; - f0 <- VPERMD permidx f0; + while ((i < aux)) { + f0 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) (4 * i)); + f1 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((4 * i) + 1)); + f2 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((4 * i) + 2)); + f3 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((4 * i) + 3)); + f0 <- (VPMULH_16u16 f0 v); + f1 <- (VPMULH_16u16 f1 v); + f2 <- (VPMULH_16u16 f2 v); + f3 <- (VPMULH_16u16 f3 v); + f0 <- (VPMULHRS_16u16 f0 shift1); + f1 <- (VPMULHRS_16u16 f1 
shift1); + f2 <- (VPMULHRS_16u16 f2 shift1); + f3 <- (VPMULHRS_16u16 f3 shift1); + f0 <- (VPAND_256 f0 mask); + f1 <- (VPAND_256 f1 mask); + f2 <- (VPAND_256 f2 mask); + f3 <- (VPAND_256 f3 mask); + f0 <- (VPACKUS_16u16 f0 f1); + f2 <- (VPACKUS_16u16 f2 f3); + f0 <- (VPMADDUBSW_256 f0 shift2); + f2 <- (VPMADDUBSW_256 f2 shift2); + f0 <- (VPACKUS_16u16 f0 f2); + f0 <- (VPERMD permidx f0); Glob.mem <- - storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int (32 * i)))) (f0); - i <- i + 1; + (storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int (32 * i)))) f0); + i <- (i + 1); } - return (a); + return a; } - proc _poly_compress_1 (rp:W8.t Array128.t, a:W16.t Array256.t) : W8.t Array128.t * W16.t Array256.t = { - var aux: int; - + var aux:int; var x16p:W16.t Array16.t; var v:W256.t; var shift1:W256.t; 
@@ -3249,48 +3389,47 @@ module M(SC:Syscall_t) = { x16p <- witness; a <@ _poly_csubq (a); x16p <- jvx16; - v <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); - shift1 <- VPBROADCAST_16u16 pc_shift1_s; - mask <- VPBROADCAST_16u16 pc_mask_s; - shift2 <- VPBROADCAST_16u16 pc_shift2_s; - permidx <- - (get256 (WArray32.init32 (fun i_0 => (pc_permidx_s).[i_0])) 0); + v <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); + shift1 <- (VPBROADCAST_16u16 pc_shift1_s); + mask <- (VPBROADCAST_16u16 pc_mask_s); + shift2 <- (VPBROADCAST_16u16 pc_shift2_s); + permidx <- (get256 (WArray32.init32 (fun i_0 => pc_permidx_s.[i_0])) 0); aux <- (256 %/ 64); i <- 0; - while (i < aux) { - f0 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) (4 * i)); - f1 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((4 * i) + 1)); - f2 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((4 * i) + 2)); - f3 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((4 * i) + 3)); - f0 <- VPMULH_16u16 f0 v; - f1 <- VPMULH_16u16 f1 v; - f2 <- VPMULH_16u16 f2 v; - f3 <- VPMULH_16u16 f3 v; - f0 <- VPMULHRS_16u16 f0 shift1; - f1 <- VPMULHRS_16u16 f1 shift1; - f2 <- VPMULHRS_16u16 f2 shift1; - f3 <- VPMULHRS_16u16 f3 shift1; - f0 <- VPAND_256 f0 mask; - f1 <- VPAND_256 f1 mask; - f2 <- VPAND_256 f2 mask; - f3 <- VPAND_256 f3 mask; - f0 <- VPACKUS_16u16 f0 f1; - f2 <- VPACKUS_16u16 f2 f3; - f0 <- VPMADDUBSW_256 f0 shift2; - f2 <- VPMADDUBSW_256 f2 shift2; - f0 <- VPACKUS_16u16 f0 f2; - f0 <- VPERMD permidx f0; + while ((i < aux)) { + f0 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) (4 * i)); + f1 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((4 * i) + 1)); + f2 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((4 * i) + 2)); + f3 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((4 * i) + 3)); + f0 <- (VPMULH_16u16 f0 v); + f1 <- (VPMULH_16u16 f1 v); + f2 <- (VPMULH_16u16 f2 v); + f3 <- (VPMULH_16u16 f3 v); + f0 <- (VPMULHRS_16u16 f0 shift1); + f1 <- (VPMULHRS_16u16 f1 
shift1); + f2 <- (VPMULHRS_16u16 f2 shift1); + f3 <- (VPMULHRS_16u16 f3 shift1); + f0 <- (VPAND_256 f0 mask); + f1 <- (VPAND_256 f1 mask); + f2 <- (VPAND_256 f2 mask); + f3 <- (VPAND_256 f3 mask); + f0 <- (VPACKUS_16u16 f0 f1); + f2 <- (VPACKUS_16u16 f2 f3); + f0 <- (VPMADDUBSW_256 f0 shift2); + f2 <- (VPMADDUBSW_256 f2 shift2); + f0 <- (VPACKUS_16u16 f0 f2); + f0 <- (VPERMD permidx f0); rp <- - Array128.init - (WArray128.get8 (WArray128.set256_direct (WArray128.init8 (fun i_0 => (rp).[i_0])) (32 * i) (f0))); - i <- i + 1; + (Array128.init + (WArray128.get8 + (WArray128.set256_direct (WArray128.init8 (fun i_0 => rp.[i_0])) + (32 * i) f0))); + i <- (i + 1); } return (rp, a); } - proc _poly_decompress (rp:W16.t Array256.t, ap:W64.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var x16p:W16.t Array16.t; var q:W256.t; var x32p:W8.t Array32.t; 
@@ -3304,34 +3443,34 @@ module M(SC:Syscall_t) = { x16p <- witness; x32p <- witness; x16p <- jqx16; - q <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); + q <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); x32p <- pd_jshufbidx; - shufbidx <- (get256 (WArray32.init8 (fun i_0 => (x32p).[i_0])) 0); - mask <- VPBROADCAST_8u32 pd_mask_s; - shift <- VPBROADCAST_8u32 pd_shift_s; - f <- set0_256 ; + shufbidx <- (get256 (WArray32.init8 (fun i_0 => x32p.[i_0])) 0); + mask <- (VPBROADCAST_8u32 pd_mask_s); + shift <- (VPBROADCAST_8u32 pd_shift_s); + f <- (set0_256); aux <- (256 %/ 16); i <- 0; - while (i < aux) { + while ((i < aux)) { h <- - (zeroextu128 (loadW64 Glob.mem (W64.to_uint (ap + (W64.of_int (8 * i)))))); + (zeroextu128 + (loadW64 Glob.mem (W64.to_uint (ap + (W64.of_int (8 * i)))))); sh <- h; - f <- VPBROADCAST_2u128 sh; - f <- VPSHUFB_256 f shufbidx; - f <- VPAND_256 f mask; - f <- VPMULL_16u16 f shift; - f <- VPMULHRS_16u16 f q; + f <- (VPBROADCAST_2u128 sh); + f <- (VPSHUFB_256 f shufbidx); + f <- (VPAND_256 f mask); + f <- (VPMULL_16u16 f shift); + f <- (VPMULHRS_16u16 f q); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) i (f))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) i f))); + i <- (i + 1); } - return (rp); + return rp; } - proc _poly_frombytes (rp:W16.t Array256.t, ap:W64.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var maskp:W16.t Array16.t; var mask:W256.t; var i:int; @@ -3350,9 +3489,9 @@ module M(SC:Syscall_t) = { var t11:W256.t; maskp <- witness; maskp <- maskx16; - mask <- (get256 (WArray32.init16 (fun i_0 => (maskp).[i_0])) 0); + mask <- (get256 (WArray32.init16 (fun i_0 => maskp.[i_0])) 0); i <- 0; - while (i < 2) { + while ((i < 2)) { t0 <- (loadW256 Glob.mem (W64.to_uint (ap + (W64.of_int (192 * i))))); t1 <- (loadW256 Glob.mem (W64.to_uint (ap + (W64.of_int ((192 * i) + 32))))); 
@@ -3376,60 +3515,74 @@ module M(SC:Syscall_t) = { (t6, t3) <@ __shuffle1 (t0, t3); (t0, t4) <@ __shuffle1 (t1, t4); (t1, t5) <@ __shuffle1 (t2, t5); - t7 <- VPSRL_16u16 t6 (W8.of_int 12); - t8 <- VPSLL_16u16 t3 (W8.of_int 4); - t7 <- VPOR_256 t7 t8; - t6 <- VPAND_256 mask t6; - t7 <- VPAND_256 mask t7; - t8 <- VPSRL_16u16 t3 (W8.of_int 8); - t9 <- VPSLL_16u16 t0 (W8.of_int 8); - t8 <- VPOR_256 t8 t9; - t8 <- VPAND_256 mask t8; - t9 <- VPSRL_16u16 t0 (W8.of_int 4); - t9 <- VPAND_256 mask t9; - t10 <- VPSRL_16u16 t4 (W8.of_int 12); - t11 <- VPSLL_16u16 t1 (W8.of_int 4); - t10 <- VPOR_256 t10 t11; - t4 <- VPAND_256 mask t4; - t10 <- VPAND_256 mask t10; - t11 <- VPSRL_16u16 t1 (W8.of_int 8); - tt <- VPSLL_16u16 t5 (W8.of_int 8); - t11 <- VPOR_256 t11 tt; - t11 <- VPAND_256 mask t11; - tt <- VPSRL_16u16 t5 (W8.of_int 4); - tt <- VPAND_256 mask tt; + t7 <- (VPSRL_16u16 t6 (W8.of_int 12)); + t8 <- (VPSLL_16u16 t3 (W8.of_int 4)); + t7 <- (VPOR_256 t7 t8); + t6 <- (VPAND_256 mask t6); + t7 <- (VPAND_256 mask t7); + t8 <- (VPSRL_16u16 t3 (W8.of_int 8)); + t9 <- (VPSLL_16u16 t0 (W8.of_int 8)); + t8 <- (VPOR_256 t8 t9); + t8 <- (VPAND_256 mask t8); + t9 <- (VPSRL_16u16 t0 (W8.of_int 4)); + t9 <- (VPAND_256 mask t9); + t10 <- (VPSRL_16u16 t4 (W8.of_int 12)); + t11 <- (VPSLL_16u16 t1 (W8.of_int 4)); + t10 <- (VPOR_256 t10 t11); + t4 <- (VPAND_256 mask t4); + t10 <- (VPAND_256 mask t10); + t11 <- (VPSRL_16u16 t1 (W8.of_int 8)); + tt <- (VPSLL_16u16 t5 (W8.of_int 8)); + t11 <- (VPOR_256 t11 tt); + t11 <- (VPAND_256 mask t11); + tt <- (VPSRL_16u16 t5 (W8.of_int 4)); + tt <- (VPAND_256 mask tt); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) (8 * i) (t6))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) (8 * i) t6)) + ); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((8 * i) + 1) (t7))); + (Array256.init + (WArray512.get16 
+ (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((8 * i) + 1) t7))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((8 * i) + 2) (t8))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((8 * i) + 2) t8))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((8 * i) + 3) (t9))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((8 * i) + 3) t9))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((8 * i) + 4) (t4))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((8 * i) + 4) t4))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((8 * i) + 5) (t10))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((8 * i) + 5) t10))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((8 * i) + 6) (t11))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((8 * i) + 6) t11))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((8 * i) + 7) (tt))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((8 * i) + 7) tt))); + i <- (i + 1); } - return (rp); + return rp; } - proc _poly_frommont (rp:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var x16p:W16.t Array16.t; var qx16:W256.t; var qinvx16:W256.t; 
@@ -3438,27 +3591,26 @@ module M(SC:Syscall_t) = { var t:W256.t; x16p <- witness; x16p <- jqx16; - qx16 <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); + qx16 <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); x16p <- jqinvx16; - qinvx16 <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); + qinvx16 <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); x16p <- jdmontx16; - dmontx16 <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); + dmontx16 <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); aux <- (256 %/ 16); i <- 0; - while (i < aux) { - t <- (get256 (WArray512.init16 (fun i_0 => (rp).[i_0])) i); + while ((i < aux)) { + t <- (get256 (WArray512.init16 (fun i_0 => rp.[i_0])) i); t <@ __fqmulx16 (t, dmontx16, qx16, qinvx16); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) i (t))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) i t))); + i <- (i + 1); } - return (rp); + return rp; } - proc _poly_frommsg_1 (rp:W16.t Array256.t, ap:W8.t Array32.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var x16p:W16.t Array16.t; var hqs:W256.t; var shift:W256.t; 
@@ -3475,58 +3627,64 @@ module M(SC:Syscall_t) = { var h3:W256.t; x16p <- witness; x16p <- hqx16_p1; - hqs <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); + hqs <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); shift <- - VPBROADCAST_2u128 (get128 - (WArray16.init32 (fun i_0 => (pfm_shift_s).[i_0])) 0); + (VPBROADCAST_2u128 + (get128 (WArray16.init32 (fun i_0 => pfm_shift_s.[i_0])) 0)); idx <- - VPBROADCAST_2u128 (get128 (WArray16.init8 (fun i_0 => (pfm_idx_s).[i_0])) - 0); - f <- (get256 (WArray32.init8 (fun i_0 => (ap).[i_0])) 0); + (VPBROADCAST_2u128 + (get128 (WArray16.init8 (fun i_0 => pfm_idx_s.[i_0])) 0)); + f <- (get256 (WArray32.init8 (fun i_0 => ap.[i_0])) 0); i <- 0; - while (i < 4) { - g3 <- VPSHUFD_256 f (W8.of_int (85 * i)); - g3 <- VPSLLV_8u32 g3 shift; - g3 <- VPSHUFB_256 g3 idx; - g0 <- VPSLL_16u16 g3 (W8.of_int 12); - g1 <- VPSLL_16u16 g3 (W8.of_int 8); - g2 <- VPSLL_16u16 g3 (W8.of_int 4); - g0 <- VPSRA_16u16 g0 (W8.of_int 15); - g1 <- VPSRA_16u16 g1 (W8.of_int 15); - g2 <- VPSRA_16u16 g2 (W8.of_int 15); - g3 <- VPSRA_16u16 g3 (W8.of_int 15); - g0 <- VPAND_256 g0 hqs; - g1 <- VPAND_256 g1 hqs; - g2 <- VPAND_256 g2 hqs; - g3 <- VPAND_256 g3 hqs; - h0 <- VPUNPCKL_4u64 g0 g1; - h2 <- VPUNPCKH_4u64 g0 g1; - h1 <- VPUNPCKL_4u64 g2 g3; - h3 <- VPUNPCKH_4u64 g2 g3; - g0 <- VPERM2I128 h0 h1 (W8.of_int 32); - g2 <- VPERM2I128 h0 h1 (W8.of_int 49); - g1 <- VPERM2I128 h2 h3 (W8.of_int 32); - g3 <- VPERM2I128 h2 h3 (W8.of_int 49); + while ((i < 4)) { + g3 <- (VPSHUFD_256 f (W8.of_int (85 * i))); + g3 <- (VPSLLV_8u32 g3 shift); + g3 <- (VPSHUFB_256 g3 idx); + g0 <- (VPSLL_16u16 g3 (W8.of_int 12)); + g1 <- (VPSLL_16u16 g3 (W8.of_int 8)); + g2 <- (VPSLL_16u16 g3 (W8.of_int 4)); + g0 <- (VPSRA_16u16 g0 (W8.of_int 15)); + g1 <- (VPSRA_16u16 g1 (W8.of_int 15)); + g2 <- (VPSRA_16u16 g2 (W8.of_int 15)); + g3 <- (VPSRA_16u16 g3 (W8.of_int 15)); + g0 <- (VPAND_256 g0 hqs); + g1 <- (VPAND_256 g1 hqs); + g2 <- (VPAND_256 g2 hqs); + g3 <- (VPAND_256 g3 
hqs); + h0 <- (VPUNPCKL_4u64 g0 g1); + h2 <- (VPUNPCKH_4u64 g0 g1); + h1 <- (VPUNPCKL_4u64 g2 g3); + h3 <- (VPUNPCKH_4u64 g2 g3); + g0 <- (VPERM2I128 h0 h1 (W8.of_int 32)); + g2 <- (VPERM2I128 h0 h1 (W8.of_int 49)); + g1 <- (VPERM2I128 h2 h3 (W8.of_int 32)); + g3 <- (VPERM2I128 h2 h3 (W8.of_int 49)); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) (2 * i) (g0))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) (2 * i) g0)) + ); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((2 * i) + 1) (g1))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((2 * i) + 1) g1))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((2 * i) + 8) (g2))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((2 * i) + 8) g2))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) (((2 * i) + 8) + 1) (g3))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + (((2 * i) + 8) + 1) g3))); + i <- (i + 1); } - return (rp); + return rp; } - proc __cbd3 (rp:W16.t Array256.t, buf:W8.t Array128.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var mask249_s:W32.t; var mask6DB_s:W32.t; var mask07_s:W32.t; 
@@ -3543,65 +3701,65 @@ module M(SC:Syscall_t) = { var f1:W256.t; var f2:W256.t; var f3:W256.t; - mask249_s <- (W32.of_int 2396745); mask6DB_s <- (W32.of_int 7190235); mask07_s <- (W32.of_int 7); mask70_s <- (W32.of_int (7 `<<` 16)); mask3_s <- (W16.of_int 3); - mask249 <- VPBROADCAST_8u32 mask249_s; - mask6DB <- VPBROADCAST_8u32 mask6DB_s; - mask07 <- VPBROADCAST_8u32 mask07_s; - mask70 <- VPBROADCAST_8u32 mask70_s; - mask3 <- VPBROADCAST_16u16 mask3_s; - shufbidx <- - (get256 (WArray32.init8 (fun i_0 => (cbd_jshufbidx).[i_0])) 0); + mask249 <- (VPBROADCAST_8u32 mask249_s); + mask6DB <- (VPBROADCAST_8u32 mask6DB_s); + mask07 <- (VPBROADCAST_8u32 mask07_s); + mask70 <- (VPBROADCAST_8u32 mask70_s); + mask3 <- (VPBROADCAST_16u16 mask3_s); + shufbidx <- (get256 (WArray32.init8 (fun i_0 => cbd_jshufbidx.[i_0])) 0); aux <- (256 %/ 32); i <- 0; - while (i < aux) { + while ((i < aux)) { f0 <- - (get256_direct (WArray128.init8 (fun i_0 => (buf).[i_0])) (24 * i)); - f0 <- VPERMQ f0 (W8.of_int 148); - f0 <- VPSHUFB_256 f0 shufbidx; - f1 <- VPSRL_8u32 f0 (W8.of_int 1); - f2 <- VPSRL_8u32 f0 (W8.of_int 2); - f0 <- VPAND_256 mask249 f0; - f1 <- VPAND_256 mask249 f1; - f2 <- VPAND_256 mask249 f2; - f0 <- VPADD_8u32 f0 f1; - f0 <- VPADD_8u32 f0 f2; - f1 <- VPSRL_8u32 f0 (W8.of_int 3); - f0 <- VPADD_8u32 f0 mask6DB; - f0 <- VPSUB_8u32 f0 f1; - f1 <- VPSLL_8u32 f0 (W8.of_int 10); - f2 <- VPSRL_8u32 f0 (W8.of_int 12); - f3 <- VPSRL_8u32 f0 (W8.of_int 2); - f0 <- VPAND_256 f0 mask07; - f1 <- VPAND_256 f1 mask70; - f2 <- VPAND_256 f2 mask07; - f3 <- VPAND_256 f3 mask70; - f0 <- VPADD_16u16 f0 f1; - f1 <- VPADD_16u16 f2 f3; - f0 <- VPSUB_16u16 f0 mask3; - f1 <- VPSUB_16u16 f1 mask3; - f2 <- VPUNPCKL_8u32 f0 f1; - f3 <- VPUNPCKH_8u32 f0 f1; - f0 <- VPERM2I128 f2 f3 (W8.of_int 32); - f1 <- VPERM2I128 f2 f3 (W8.of_int 49); + (get256_direct (WArray128.init8 (fun i_0 => buf.[i_0])) (24 * i)); + f0 <- (VPERMQ f0 (W8.of_int 148)); + f0 <- (VPSHUFB_256 f0 shufbidx); + f1 <- (VPSRL_8u32 f0 
(W8.of_int 1)); + f2 <- (VPSRL_8u32 f0 (W8.of_int 2)); + f0 <- (VPAND_256 mask249 f0); + f1 <- (VPAND_256 mask249 f1); + f2 <- (VPAND_256 mask249 f2); + f0 <- (VPADD_8u32 f0 f1); + f0 <- (VPADD_8u32 f0 f2); + f1 <- (VPSRL_8u32 f0 (W8.of_int 3)); + f0 <- (VPADD_8u32 f0 mask6DB); + f0 <- (VPSUB_8u32 f0 f1); + f1 <- (VPSLL_8u32 f0 (W8.of_int 10)); + f2 <- (VPSRL_8u32 f0 (W8.of_int 12)); + f3 <- (VPSRL_8u32 f0 (W8.of_int 2)); + f0 <- (VPAND_256 f0 mask07); + f1 <- (VPAND_256 f1 mask70); + f2 <- (VPAND_256 f2 mask07); + f3 <- (VPAND_256 f3 mask70); + f0 <- (VPADD_16u16 f0 f1); + f1 <- (VPADD_16u16 f2 f3); + f0 <- (VPSUB_16u16 f0 mask3); + f1 <- (VPSUB_16u16 f1 mask3); + f2 <- (VPUNPCKL_8u32 f0 f1); + f3 <- (VPUNPCKH_8u32 f0 f1); + f0 <- (VPERM2I128 f2 f3 (W8.of_int 32)); + f1 <- (VPERM2I128 f2 f3 (W8.of_int 49)); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) (2 * i) (f0))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) (2 * i) f0)) + ); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((2 * i) + 1) (f1))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((2 * i) + 1) f1))); + i <- (i + 1); } - return (rp); + return rp; } - proc __cbd2 (rp:W16.t Array256.t, buf:W8.t Array128.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var mask55_s:W32.t; var mask33_s:W32.t; var mask03_s:W32.t; 
@@ -3616,72 +3774,75 @@ module M(SC:Syscall_t) = { var f2:W256.t; var f3:W256.t; var t:W128.t; - mask55_s <- (W32.of_int 1431655765); mask33_s <- (W32.of_int 858993459); mask03_s <- (W32.of_int 50529027); mask0F_s <- (W32.of_int 252645135); - mask55 <- VPBROADCAST_8u32 mask55_s; - mask33 <- VPBROADCAST_8u32 mask33_s; - mask03 <- VPBROADCAST_8u32 mask03_s; - mask0F <- VPBROADCAST_8u32 mask0F_s; + mask55 <- (VPBROADCAST_8u32 mask55_s); + mask33 <- (VPBROADCAST_8u32 mask33_s); + mask03 <- (VPBROADCAST_8u32 mask03_s); + mask0F <- (VPBROADCAST_8u32 mask0F_s); aux <- (256 %/ 64); i <- 0; - while (i < aux) { - f0 <- (get256 (WArray128.init8 (fun i_0 => (buf).[i_0])) i); - f1 <- VPSRL_16u16 f0 (W8.of_int 1); - f0 <- VPAND_256 mask55 f0; - f1 <- VPAND_256 mask55 f1; - f0 <- VPADD_32u8 f0 f1; - f1 <- VPSRL_16u16 f0 (W8.of_int 2); - f0 <- VPAND_256 mask33 f0; - f1 <- VPAND_256 mask33 f1; - f0 <- VPADD_32u8 f0 mask33; - f0 <- VPSUB_32u8 f0 f1; - f1 <- VPSRL_16u16 f0 (W8.of_int 4); - f0 <- VPAND_256 mask0F f0; - f1 <- VPAND_256 mask0F f1; - f0 <- VPSUB_32u8 f0 mask03; - f1 <- VPSUB_32u8 f1 mask03; - f2 <- VPUNPCKL_32u8 f0 f1; - f3 <- VPUNPCKH_32u8 f0 f1; + while ((i < aux)) { + f0 <- (get256 (WArray128.init8 (fun i_0 => buf.[i_0])) i); + f1 <- (VPSRL_16u16 f0 (W8.of_int 1)); + f0 <- (VPAND_256 mask55 f0); + f1 <- (VPAND_256 mask55 f1); + f0 <- (VPADD_32u8 f0 f1); + f1 <- (VPSRL_16u16 f0 (W8.of_int 2)); + f0 <- (VPAND_256 mask33 f0); + f1 <- (VPAND_256 mask33 f1); + f0 <- (VPADD_32u8 f0 mask33); + f0 <- (VPSUB_32u8 f0 f1); + f1 <- (VPSRL_16u16 f0 (W8.of_int 4)); + f0 <- (VPAND_256 mask0F f0); + f1 <- (VPAND_256 mask0F f1); + f0 <- (VPSUB_32u8 f0 mask03); + f1 <- (VPSUB_32u8 f1 mask03); + f2 <- (VPUNPCKL_32u8 f0 f1); + f3 <- (VPUNPCKH_32u8 f0 f1); t <- (truncateu128 f2); - f0 <- VPMOVSX_16u8_16u16 t; - t <- VEXTRACTI128 f2 (W8.of_int 1); - f1 <- VPMOVSX_16u8_16u16 t; + f0 <- (VPMOVSX_16u8_16u16 t); + t <- (VEXTRACTI128 f2 (W8.of_int 1)); + f1 <- (VPMOVSX_16u8_16u16 t); t <- 
(truncateu128 f3); - f2 <- VPMOVSX_16u8_16u16 t; - t <- VEXTRACTI128 f3 (W8.of_int 1); - f3 <- VPMOVSX_16u8_16u16 t; + f2 <- (VPMOVSX_16u8_16u16 t); + t <- (VEXTRACTI128 f3 (W8.of_int 1)); + f3 <- (VPMOVSX_16u8_16u16 t); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) (4 * i) (f0))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) (4 * i) f0)) + ); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((4 * i) + 1) (f2))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((4 * i) + 1) f2))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((4 * i) + 2) (f1))); + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((4 * i) + 2) f1))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256 (WArray512.init16 (fun i_0 => (rp).[i_0])) ((4 * i) + 3) (f3))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256 (WArray512.init16 (fun i_0 => rp.[i_0])) + ((4 * i) + 3) f3))); + i <- (i + 1); } - return (rp); + return rp; } - proc __poly_cbd_eta1 (rp:W16.t Array256.t, buf:W8.t Array128.t) : W16.t Array256.t = { - - if ((2 = 2)) { - rp <@ __cbd2 (rp, (Array128.init (fun i => buf.[0 + i]))); + rp <@ __cbd2 (rp, (Array128.init (fun i => buf.[(0 + i)]))); } else { rp <@ __cbd3 (rp, buf); } - return (rp); + return rp; } - proc __shake256_squeezenblocks4x (state:W256.t Array25.t, buf0:W8.t Array136.t, buf1:W8.t Array136.t, 
@@ -3691,49 +3852,60 @@ module M(SC:Syscall_t) = { W8.t Array136.t * W8.t Array136.t * W8.t Array136.t = { - var aux: int; - var aux_4: W8.t Array136.t; - var aux_3: W8.t Array136.t; - var aux_2: W8.t Array136.t; - var aux_1: W8.t Array136.t; - var aux_0: W256.t Array25.t; - + var aux:int; + var aux_4:W8.t Array136.t; + var aux_3:W8.t Array136.t; + var aux_2:W8.t Array136.t; + var aux_1:W8.t Array136.t; + var aux_0:W256.t Array25.t; var i:int; - aux <- (((((2 * 256) %/ 4) + 136) - 1) %/ 136); i <- 0; - while (i < aux) { - (aux_0, aux_4, aux_3, aux_2, - aux_1) <@ __shake256_squeezeblock4x (state, - (Array136.init (fun i_0 => buf0.[(i * 136) + i_0])), - (Array136.init (fun i_0 => buf1.[(i * 136) + i_0])), - (Array136.init (fun i_0 => buf2.[(i * 136) + i_0])), - (Array136.init (fun i_0 => buf3.[(i * 136) + i_0]))); + while ((i < aux)) { + (aux_0, aux_4, aux_3, aux_2, aux_1) <@ __shake256_squeezeblock4x ( + state, (Array136.init (fun i_0 => buf0.[((i * 136) + i_0)])), + (Array136.init (fun i_0 => buf1.[((i * 136) + i_0)])), + (Array136.init (fun i_0 => buf2.[((i * 136) + i_0)])), + (Array136.init (fun i_0 => buf3.[((i * 136) + i_0)]))); state <- aux_0; - buf0 <- Array136.init - (fun i_0 => if (i * 136) <= i_0 < (i * 136) + 136 - then aux_4.[i_0-(i * 136)] else buf0.[i_0]); - buf1 <- Array136.init - (fun i_0 => if (i * 136) <= i_0 < (i * 136) + 136 - then aux_3.[i_0-(i * 136)] else buf1.[i_0]); - buf2 <- Array136.init - (fun i_0 => if (i * 136) <= i_0 < (i * 136) + 136 - then aux_2.[i_0-(i * 136)] else buf2.[i_0]); - buf3 <- Array136.init - (fun i_0 => if (i * 136) <= i_0 < (i * 136) + 136 - then aux_1.[i_0-(i * 136)] else buf3.[i_0]); - i <- i + 1; + buf0 <- + (Array136.init + (fun i_0 => (if ((i * 136) <= i_0 < ((i * 136) + 136)) then aux_4.[ + (i_0 - + (i * 136))] else + buf0.[i_0])) + ); + buf1 <- + (Array136.init + (fun i_0 => (if ((i * 136) <= i_0 < ((i * 136) + 136)) then aux_3.[ + (i_0 - + (i * 136))] else + buf1.[i_0])) + ); + buf2 <- + (Array136.init + (fun 
i_0 => (if ((i * 136) <= i_0 < ((i * 136) + 136)) then aux_2.[ + (i_0 - + (i * 136))] else + buf2.[i_0])) + ); + buf3 <- + (Array136.init + (fun i_0 => (if ((i * 136) <= i_0 < ((i * 136) + 136)) then aux_1.[ + (i_0 - + (i * 136))] else + buf3.[i_0])) + ); + i <- (i + 1); } return (state, buf0, buf1, buf2, buf3); } - proc _poly_getnoise_eta1_4x (r0:W16.t Array256.t, r1:W16.t Array256.t, r2:W16.t Array256.t, r3:W16.t Array256.t, seed:W8.t Array32.t, nonce:W8.t) : W16.t Array256.t * W16.t Array256.t * W16.t Array256.t * W16.t Array256.t = { - var f:W256.t; var buf0:W8.t Array136.t; var buf1:W8.t Array136.t; 
@@ -3745,48 +3917,55 @@ module M(SC:Syscall_t) = { buf2 <- witness; buf3 <- witness; state <- witness; - f <- (get256 (WArray32.init8 (fun i => (seed).[i])) 0); + f <- (get256 (WArray32.init8 (fun i => seed.[i])) 0); buf0 <- - Array136.init - (WArray136.get8 (WArray136.set256 (WArray136.init8 (fun i => (buf0).[i])) 0 (f))); + (Array136.init + (WArray136.get8 + (WArray136.set256 (WArray136.init8 (fun i => buf0.[i])) 0 f))); buf1 <- - Array136.init - (WArray136.get8 (WArray136.set256 (WArray136.init8 (fun i => (buf1).[i])) 0 (f))); + (Array136.init + (WArray136.get8 + (WArray136.set256 (WArray136.init8 (fun i => buf1.[i])) 0 f))); buf2 <- - Array136.init - (WArray136.get8 (WArray136.set256 (WArray136.init8 (fun i => (buf2).[i])) 0 (f))); + (Array136.init + (WArray136.get8 + (WArray136.set256 (WArray136.init8 (fun i => buf2.[i])) 0 f))); buf3 <- - Array136.init - (WArray136.get8 (WArray136.set256 (WArray136.init8 (fun i => (buf3).[i])) 0 (f))); + (Array136.init + (WArray136.get8 + (WArray136.set256 (WArray136.init8 (fun i => buf3.[i])) 0 f))); buf0 <- - Array136.init - (WArray136.get8 (WArray136.set8_direct (WArray136.init8 (fun i => (buf0).[i])) 32 (nonce))); + (Array136.init + (WArray136.get8 + (WArray136.set8_direct (WArray136.init8 (fun i => buf0.[i])) 32 nonce))); nonce <- (nonce + (W8.of_int 1)); buf1 <- - Array136.init - (WArray136.get8 (WArray136.set8_direct (WArray136.init8 (fun i => (buf1).[i])) 32 (nonce))); + (Array136.init + (WArray136.get8 + (WArray136.set8_direct (WArray136.init8 (fun i => buf1.[i])) 32 nonce))); nonce <- (nonce + (W8.of_int 1)); buf2 <- - Array136.init - (WArray136.get8 (WArray136.set8_direct (WArray136.init8 (fun i => (buf2).[i])) 32 (nonce))); + (Array136.init + (WArray136.get8 + (WArray136.set8_direct (WArray136.init8 (fun i => buf2.[i])) 32 nonce))); nonce <- (nonce + (W8.of_int 1)); buf3 <- - Array136.init - (WArray136.get8 (WArray136.set8_direct (WArray136.init8 (fun i => (buf3).[i])) 32 (nonce))); + (Array136.init + 
(WArray136.get8 + (WArray136.set8_direct (WArray136.init8 (fun i => buf3.[i])) 32 nonce))); state <@ _shake256_absorb4x_33 (state, - (Array33.init (fun i => buf0.[0 + i])), - (Array33.init (fun i => buf1.[0 + i])), - (Array33.init (fun i => buf2.[0 + i])), - (Array33.init (fun i => buf3.[0 + i]))); + (Array33.init (fun i => buf0.[(0 + i)])), + (Array33.init (fun i => buf1.[(0 + i)])), + (Array33.init (fun i => buf2.[(0 + i)])), + (Array33.init (fun i => buf3.[(0 + i)]))); (state, buf0, buf1, buf2, buf3) <@ __shake256_squeezenblocks4x (state, buf0, buf1, buf2, buf3); - r0 <@ __poly_cbd_eta1 (r0, (Array128.init (fun i => buf0.[0 + i]))); - r1 <@ __poly_cbd_eta1 (r1, (Array128.init (fun i => buf1.[0 + i]))); - r2 <@ __poly_cbd_eta1 (r2, (Array128.init (fun i => buf2.[0 + i]))); - r3 <@ __poly_cbd_eta1 (r3, (Array128.init (fun i => buf3.[0 + i]))); + r0 <@ __poly_cbd_eta1 (r0, (Array128.init (fun i => buf0.[(0 + i)]))); + r1 <@ __poly_cbd_eta1 (r1, (Array128.init (fun i => buf1.[(0 + i)]))); + r2 <@ __poly_cbd_eta1 (r2, (Array128.init (fun i => buf2.[(0 + i)]))); + r3 <@ __poly_cbd_eta1 (r3, (Array128.init (fun i => buf3.[(0 + i)]))); return (r0, r1, r2, r3); } - proc __invntt___butterfly64x (rl0:W256.t, rl1:W256.t, rl2:W256.t, rl3:W256.t, rh0:W256.t, rh1:W256.t, rh2:W256.t, rh3:W256.t, zl0:W256.t, 
@@ -3794,42 +3973,38 @@ module M(SC:Syscall_t) = { qx16:W256.t) : W256.t * W256.t * W256.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t0:W256.t; var t1:W256.t; var t2:W256.t; var t3:W256.t; - - t0 <- VPSUB_16u16 rl0 rh0; - t1 <- VPSUB_16u16 rl1 rh1; - t2 <- VPSUB_16u16 rl2 rh2; - rl0 <- VPADD_16u16 rh0 rl0; - rl1 <- VPADD_16u16 rh1 rl1; - rh0 <- VPMULL_16u16 zl0 t0; - rl2 <- VPADD_16u16 rh2 rl2; - rh1 <- VPMULL_16u16 zl0 t1; - t3 <- VPSUB_16u16 rl3 rh3; - rl3 <- VPADD_16u16 rh3 rl3; - rh2 <- VPMULL_16u16 zl1 t2; - rh3 <- VPMULL_16u16 zl1 t3; - t0 <- VPMULH_16u16 zh0 t0; - t1 <- VPMULH_16u16 zh0 t1; - t2 <- VPMULH_16u16 zh1 t2; - t3 <- VPMULH_16u16 zh1 t3; - rh0 <- VPMULH_16u16 qx16 rh0; - rh1 <- VPMULH_16u16 qx16 rh1; - rh2 <- VPMULH_16u16 qx16 rh2; - rh3 <- VPMULH_16u16 qx16 rh3; - rh0 <- VPSUB_16u16 t0 rh0; - rh1 <- VPSUB_16u16 t1 rh1; - rh2 <- VPSUB_16u16 t2 rh2; - rh3 <- VPSUB_16u16 t3 rh3; + t0 <- (VPSUB_16u16 rl0 rh0); + t1 <- (VPSUB_16u16 rl1 rh1); + t2 <- (VPSUB_16u16 rl2 rh2); + rl0 <- (VPADD_16u16 rh0 rl0); + rl1 <- (VPADD_16u16 rh1 rl1); + rh0 <- (VPMULL_16u16 zl0 t0); + rl2 <- (VPADD_16u16 rh2 rl2); + rh1 <- (VPMULL_16u16 zl0 t1); + t3 <- (VPSUB_16u16 rl3 rh3); + rl3 <- (VPADD_16u16 rh3 rl3); + rh2 <- (VPMULL_16u16 zl1 t2); + rh3 <- (VPMULL_16u16 zl1 t3); + t0 <- (VPMULH_16u16 zh0 t0); + t1 <- (VPMULH_16u16 zh0 t1); + t2 <- (VPMULH_16u16 zh1 t2); + t3 <- (VPMULH_16u16 zh1 t3); + rh0 <- (VPMULH_16u16 qx16 rh0); + rh1 <- (VPMULH_16u16 qx16 rh1); + rh2 <- (VPMULH_16u16 qx16 rh2); + rh3 <- (VPMULH_16u16 qx16 rh3); + rh0 <- (VPSUB_16u16 t0 rh0); + rh1 <- (VPSUB_16u16 t1 rh1); + rh2 <- (VPSUB_16u16 t2 rh2); + rh3 <- (VPSUB_16u16 t3 rh3); return (rl0, rl1, rl2, rl3, rh0, rh1, rh2, rh3); } - proc _poly_invntt (rp:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var zetasp:W16.t Array400.t; var qx16:W256.t; var i:int; 
@@ -3850,152 +4025,168 @@ module M(SC:Syscall_t) = { var fhix16:W256.t; zetasp <- witness; zetasp <- jzetas_inv_exp; - qx16 <- (get256 (WArray32.init16 (fun i_0 => (jqx16).[i_0])) 0); + qx16 <- (get256 (WArray32.init16 (fun i_0 => jqx16.[i_0])) 0); i <- 0; - while (i < 2) { + while ((i < 2)) { zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (0 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (64 + (392 * i))); zeta2 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (32 + (392 * i))); zeta3 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (96 + (392 * i))); r0 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 0) + (256 * i))); r1 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 1) + (256 * i))); r2 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 2) + (256 * i))); r3 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 3) + (256 * i))); r4 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 4) + (256 * i))); r5 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 5) + (256 * i))); r6 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 6) + (256 * i))); r7 <- - (get256_direct (WArray512.init16 (fun 
i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 7) + (256 * i))); - (r0, r1, r4, r5, r2, r3, r6, r7) <@ __invntt___butterfly64x (r0, r1, - r4, r5, r2, r3, r6, r7, zeta0, zeta1, zeta2, zeta3, qx16); - vx16 <- (get256 (WArray32.init16 (fun i_0 => (jvx16).[i_0])) 0); + (r0, r1, r4, r5, r2, r3, r6, r7) <@ __invntt___butterfly64x (r0, + r1, r4, r5, r2, r3, r6, r7, zeta0, zeta1, zeta2, zeta3, qx16); + vx16 <- (get256 (WArray32.init16 (fun i_0 => jvx16.[i_0])) 0); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (128 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (160 + (392 * i))); r0 <@ __red16x (r0, qx16, vx16); r1 <@ __red16x (r1, qx16, vx16); r4 <@ __red16x (r4, qx16, vx16); r5 <@ __red16x (r5, qx16, vx16); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __invntt___butterfly64x (r0, r1, - r2, r3, r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __invntt___butterfly64x (r0, + r1, r2, r3, r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); (r0, r1) <@ __shuffle1 (r0, r1); (r2, r3) <@ __shuffle1 (r2, r3); (r4, r5) <@ __shuffle1 (r4, r5); (r6, r7) <@ __shuffle1 (r6, r7); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (192 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (224 + (392 * i))); - (r0, r2, r4, r6, r1, r3, r5, r7) <@ __invntt___butterfly64x (r0, r2, - r4, r6, r1, r3, r5, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r2, r4, r6, r1, r3, r5, r7) <@ __invntt___butterfly64x (r0, + r2, r4, r6, r1, r3, r5, r7, zeta0, zeta0, zeta1, zeta1, qx16); r0 <@ __red16x (r0, qx16, vx16); (r0, r2) <@ __shuffle2 (r0, r2); (r4, r6) <@ __shuffle2 
(r4, r6); (r1, r3) <@ __shuffle2 (r1, r3); (r5, r7) <@ __shuffle2 (r5, r7); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (256 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (288 + (392 * i))); - (r0, r4, r1, r5, r2, r6, r3, r7) <@ __invntt___butterfly64x (r0, r4, - r1, r5, r2, r6, r3, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r4, r1, r5, r2, r6, r3, r7) <@ __invntt___butterfly64x (r0, + r4, r1, r5, r2, r6, r3, r7, zeta0, zeta0, zeta1, zeta1, qx16); r0 <@ __red16x (r0, qx16, vx16); (r0, r4) <@ __shuffle4 (r0, r4); (r1, r5) <@ __shuffle4 (r1, r5); (r2, r6) <@ __shuffle4 (r2, r6); (r3, r7) <@ __shuffle4 (r3, r7); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (320 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (352 + (392 * i))); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __invntt___butterfly64x (r0, r1, - r2, r3, r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __invntt___butterfly64x (r0, + r1, r2, r3, r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); r0 <@ __red16x (r0, qx16, vx16); (r0, r1) <@ __shuffle8 (r0, r1); (r2, r3) <@ __shuffle8 (r2, r3); (r4, r5) <@ __shuffle8 (r4, r5); (r6, r7) <@ __shuffle8 (r6, r7); zeta0 <- - VPBROADCAST_8u32 (get32_direct - (WArray800.init16 (fun i_0 => (zetasp).[i_0])) - (384 + (392 * i))); + (VPBROADCAST_8u32 + (get32_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) + (384 + (392 * i)))); zeta1 <- - VPBROADCAST_8u32 (get32_direct - (WArray800.init16 (fun i_0 => (zetasp).[i_0])) - (388 + (392 * i))); - (r0, r2, r4, r6, r1, r3, r5, r7) <@ __invntt___butterfly64x (r0, r2, - r4, r6, r1, r3, r5, r7, zeta0, zeta0, 
zeta1, zeta1, qx16); + (VPBROADCAST_8u32 + (get32_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) + (388 + (392 * i)))); + (r0, r2, r4, r6, r1, r3, r5, r7) <@ __invntt___butterfly64x (r0, + r2, r4, r6, r1, r3, r5, r7, zeta0, zeta0, zeta1, zeta1, qx16); r0 <@ __red16x (r0, qx16, vx16); if ((i = 0)) { rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 0) + (256 * i)) (r0))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 0) + (256 * i)) r0))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 1) + (256 * i)) (r2))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 1) + (256 * i)) r2))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 2) + (256 * i)) (r4))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 2) + (256 * i)) r4))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 3) + (256 * i)) (r6))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 3) + (256 * i)) r6))); } else { } rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 4) + (256 * i)) (r1))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 4) + (256 * i)) r1))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 5) + (256 * i)) (r3))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 5) + (256 * i)) r3))); rp <- - Array256.init - 
(WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 6) + (256 * i)) (r5))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 6) + (256 * i)) r5))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 7) + (256 * i)) (r7))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 7) + (256 * i)) r7))); + i <- (i + 1); } zeta0 <- - VPBROADCAST_8u32 (get32_direct - (WArray800.init16 (fun i_0 => (zetasp).[i_0])) 784); + (VPBROADCAST_8u32 + (get32_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) 784)); zeta1 <- - VPBROADCAST_8u32 (get32_direct - (WArray800.init16 (fun i_0 => (zetasp).[i_0])) 788); + (VPBROADCAST_8u32 + (get32_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) 788)); i <- 0; - while (i < 2) { + while ((i < 2)) { if ((i = 0)) { r7 <- r6; r6 <- r4; 
@@ -4003,73 +4194,87 @@ module M(SC:Syscall_t) = { r4 <- r0; } else { r4 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 8) + (128 * i))); r5 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 9) + (128 * i))); r6 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 10) + (128 * i))); r7 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 11) + (128 * i))); } r0 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 0) + (128 * i))); r1 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 1) + (128 * i))); r2 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 2) + (128 * i))); r3 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 3) + (128 * i))); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __invntt___butterfly64x (r0, r1, - r2, r3, r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); - flox16 <- (get256 (WArray32.init16 (fun i_0 => (jflox16).[i_0])) 0); - fhix16 <- (get256 (WArray32.init16 (fun i_0 => (jfhix16).[i_0])) 0); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __invntt___butterfly64x (r0, + r1, r2, r3, r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); + flox16 <- (get256 (WArray32.init16 (fun i_0 => jflox16.[i_0])) 0); + fhix16 <- (get256 (WArray32.init16 (fun i_0 => jfhix16.[i_0])) 0); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 8) + (128 * i)) (r4))); + (Array256.init + (WArray512.get16 + 
(WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 8) + (128 * i)) r4))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 9) + (128 * i)) (r5))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 9) + (128 * i)) r5))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 10) + (128 * i)) (r6))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 10) + (128 * i)) r6))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 11) + (128 * i)) (r7))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 11) + (128 * i)) r7))); r0 <@ __fqmulprecomp16x (r0, flox16, fhix16, qx16); r1 <@ __fqmulprecomp16x (r1, flox16, fhix16, qx16); r2 <@ __fqmulprecomp16x (r2, flox16, fhix16, qx16); r3 <@ __fqmulprecomp16x (r3, flox16, fhix16, qx16); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 0) + (128 * i)) (r0))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 0) + (128 * i)) r0))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 1) + (128 * i)) (r1))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 1) + (128 * i)) r1))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 2) + (128 * i)) (r2))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 2) + (128 * i)) r2))); rp <- - Array256.init - 
(WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 3) + (128 * i)) (r3))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 3) + (128 * i)) r3))); + i <- (i + 1); } - return (rp); + return rp; } - proc __butterfly64x (rl0:W256.t, rl1:W256.t, rl2:W256.t, rl3:W256.t, rh0:W256.t, rh1:W256.t, rh2:W256.t, rh3:W256.t, zl0:W256.t, zl1:W256.t, zh0:W256.t, zh1:W256.t, qx16:W256.t) : W256.t * W256.t * W256.t * W256.t * W256.t * W256.t * W256.t * W256.t = { - var t0:W256.t; var t1:W256.t; var t2:W256.t; 
@@ -4078,41 +4283,38 @@ module M(SC:Syscall_t) = { var t5:W256.t; var t6:W256.t; var t7:W256.t; - - t0 <- VPMULL_16u16 zl0 rh0; - t1 <- VPMULH_16u16 zh0 rh0; - t2 <- VPMULL_16u16 zl0 rh1; - t3 <- VPMULH_16u16 zh0 rh1; - t4 <- VPMULL_16u16 zl1 rh2; - t5 <- VPMULH_16u16 zh1 rh2; - t6 <- VPMULL_16u16 zl1 rh3; - t7 <- VPMULH_16u16 zh1 rh3; - t0 <- VPMULH_16u16 t0 qx16; - t2 <- VPMULH_16u16 t2 qx16; - t4 <- VPMULH_16u16 t4 qx16; - t6 <- VPMULH_16u16 t6 qx16; - rh1 <- VPSUB_16u16 rl1 t3; - rl1 <- VPADD_16u16 t3 rl1; - rh0 <- VPSUB_16u16 rl0 t1; - rl0 <- VPADD_16u16 t1 rl0; - rh3 <- VPSUB_16u16 rl3 t7; - rl3 <- VPADD_16u16 t7 rl3; - rh2 <- VPSUB_16u16 rl2 t5; - rl2 <- VPADD_16u16 t5 rl2; - rh0 <- VPADD_16u16 t0 rh0; - rl0 <- VPSUB_16u16 rl0 t0; - rh1 <- VPADD_16u16 t2 rh1; - rl1 <- VPSUB_16u16 rl1 t2; - rh2 <- VPADD_16u16 t4 rh2; - rl2 <- VPSUB_16u16 rl2 t4; - rh3 <- VPADD_16u16 t6 rh3; - rl3 <- VPSUB_16u16 rl3 t6; + t0 <- (VPMULL_16u16 zl0 rh0); + t1 <- (VPMULH_16u16 zh0 rh0); + t2 <- (VPMULL_16u16 zl0 rh1); + t3 <- (VPMULH_16u16 zh0 rh1); + t4 <- (VPMULL_16u16 zl1 rh2); + t5 <- (VPMULH_16u16 zh1 rh2); + t6 <- (VPMULL_16u16 zl1 rh3); + t7 <- (VPMULH_16u16 zh1 rh3); + t0 <- (VPMULH_16u16 t0 qx16); + t2 <- (VPMULH_16u16 t2 qx16); + t4 <- (VPMULH_16u16 t4 qx16); + t6 <- (VPMULH_16u16 t6 qx16); + rh1 <- (VPSUB_16u16 rl1 t3); + rl1 <- (VPADD_16u16 t3 rl1); + rh0 <- (VPSUB_16u16 rl0 t1); + rl0 <- (VPADD_16u16 t1 rl0); + rh3 <- (VPSUB_16u16 rl3 t7); + rl3 <- (VPADD_16u16 t7 rl3); + rh2 <- (VPSUB_16u16 rl2 t5); + rl2 <- (VPADD_16u16 t5 rl2); + rh0 <- (VPADD_16u16 t0 rh0); + rl0 <- (VPSUB_16u16 rl0 t0); + rh1 <- (VPADD_16u16 t2 rh1); + rl1 <- (VPSUB_16u16 rl1 t2); + rh2 <- (VPADD_16u16 t4 rh2); + rl2 <- (VPSUB_16u16 rl2 t4); + rh3 <- (VPADD_16u16 t6 rh3); + rl3 <- (VPSUB_16u16 rl3 t6); return (rl0, rl1, rl2, rl3, rh0, rh1, rh2, rh3); } - proc _poly_ntt (rp:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var zetasp:W16.t Array400.t; var qx16:W256.t; var 
zeta0:W256.t; 
@@ -4131,93 +4333,101 @@ module M(SC:Syscall_t) = { var vx16:W256.t; zetasp <- witness; zetasp <- jzetas_exp; - qx16 <- (get256 (WArray32.init16 (fun i_0 => (jqx16).[i_0])) 0); + qx16 <- (get256 (WArray32.init16 (fun i_0 => jqx16.[i_0])) 0); zeta0 <- - VPBROADCAST_8u32 (get32 (WArray800.init16 (fun i_0 => (zetasp).[i_0])) 0); + (VPBROADCAST_8u32 (get32 (WArray800.init16 (fun i_0 => zetasp.[i_0])) 0)); zeta1 <- - VPBROADCAST_8u32 (get32 (WArray800.init16 (fun i_0 => (zetasp).[i_0])) 1); - r0 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 0)); - r1 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 1)); - r2 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 2)); - r3 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 3)); - r4 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 8)); - r5 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 9)); - r6 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 10)); - r7 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 11)); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __butterfly64x (r0, r1, r2, r3, r4, - r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (VPBROADCAST_8u32 (get32 (WArray800.init16 (fun i_0 => zetasp.[i_0])) 1)); + r0 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 0)); + r1 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 1)); + r2 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 2)); + r3 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 3)); + r4 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 8)); + r5 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 9)); + r6 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 10)); + r7 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 11)); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __butterfly64x (r0, r1, r2, r3, + 
r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 0) (r0))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 0) r0))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 1) (r1))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 1) r1))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 2) (r2))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 2) r2))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 3) (r3))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 3) r3))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 8) (r4))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 8) r4))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 9) (r5))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 9) r5))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 10) (r6))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 10) r6))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 11) (r7))); - r0 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 4)); - r1 
<- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 5)); - r2 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 6)); - r3 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 7)); - r4 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 12)); - r5 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 13)); - r6 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 14)); - r7 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 15)); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __butterfly64x (r0, r1, r2, r3, r4, - r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 11) r7))); + r0 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 4)); + r1 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 5)); + r2 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 6)); + r3 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 7)); + r4 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 12)); + r5 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 13)); + r6 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 14)); + r7 <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * 15)); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __butterfly64x (r0, r1, r2, r3, + r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 12) (r4))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 12) r4))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 13) (r5))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => 
rp.[i_0])) + (32 * 13) r5))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 14) (r6))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 14) r6))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * 15) (r7))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * 15) r7))); i <- 0; - while (i < 2) { + while ((i < 2)) { zeta0 <- - VPBROADCAST_8u32 (get32_direct - (WArray800.init16 (fun i_0 => (zetasp).[i_0])) - (8 + (392 * i))); + (VPBROADCAST_8u32 + (get32_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) + (8 + (392 * i)))); zeta1 <- - VPBROADCAST_8u32 (get32_direct - (WArray800.init16 (fun i_0 => (zetasp).[i_0])) - (12 + (392 * i))); + (VPBROADCAST_8u32 + (get32_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) + (12 + (392 * i)))); if ((i = 0)) { r4 <- r0; r5 <- r1; 
@@ -4225,95 +4435,95 @@ module M(SC:Syscall_t) = { r7 <- r3; } else { r4 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 4) + (256 * i))); r5 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 5) + (256 * i))); r6 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 6) + (256 * i))); r7 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 7) + (256 * i))); } r0 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 0) + (256 * i))); r1 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 1) + (256 * i))); r2 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 2) + (256 * i))); r3 <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) + (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) ((32 * 3) + (256 * i))); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __butterfly64x (r0, r1, r2, r3, r4, - r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __butterfly64x (r0, r1, r2, + r3, r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (16 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (48 + (392 * i))); (r0, r4) <@ __shuffle8 (r0, r4); (r1, r5) <@ __shuffle8 (r1, r5); (r2, r6) <@ __shuffle8 (r2, r6); (r3, r7) <@ __shuffle8 (r3, r7); - (r0, r4, r1, r5, r2, r6, r3, r7) <@ 
__butterfly64x (r0, r4, r1, r5, r2, - r6, r3, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r4, r1, r5, r2, r6, r3, r7) <@ __butterfly64x (r0, r4, r1, + r5, r2, r6, r3, r7, zeta0, zeta0, zeta1, zeta1, qx16); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (80 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (112 + (392 * i))); (r0, r2) <@ __shuffle4 (r0, r2); (r4, r6) <@ __shuffle4 (r4, r6); (r1, r3) <@ __shuffle4 (r1, r3); (r5, r7) <@ __shuffle4 (r5, r7); - (r0, r2, r4, r6, r1, r3, r5, r7) <@ __butterfly64x (r0, r2, r4, r6, r1, - r3, r5, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r2, r4, r6, r1, r3, r5, r7) <@ __butterfly64x (r0, r2, r4, + r6, r1, r3, r5, r7, zeta0, zeta0, zeta1, zeta1, qx16); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (144 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (176 + (392 * i))); (r0, r1) <@ __shuffle2 (r0, r1); (r2, r3) <@ __shuffle2 (r2, r3); (r4, r5) <@ __shuffle2 (r4, r5); (r6, r7) <@ __shuffle2 (r6, r7); - (r0, r1, r2, r3, r4, r5, r6, r7) <@ __butterfly64x (r0, r1, r2, r3, r4, - r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r1, r2, r3, r4, r5, r6, r7) <@ __butterfly64x (r0, r1, r2, + r3, r4, r5, r6, r7, zeta0, zeta0, zeta1, zeta1, qx16); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (208 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (240 + (392 * i))); (r0, r4) <@ __shuffle1 (r0, r4); (r1, r5) <@ __shuffle1 (r1, r5); (r2, r6) <@ __shuffle1 (r2, r6); (r3, 
r7) <@ __shuffle1 (r3, r7); - (r0, r4, r1, r5, r2, r6, r3, r7) <@ __butterfly64x (r0, r4, r1, r5, r2, - r6, r3, r7, zeta0, zeta0, zeta1, zeta1, qx16); + (r0, r4, r1, r5, r2, r6, r3, r7) <@ __butterfly64x (r0, r4, r1, + r5, r2, r6, r3, r7, zeta0, zeta0, zeta1, zeta1, qx16); zeta0 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (272 + (392 * i))); zeta2 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (304 + (392 * i))); zeta1 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (336 + (392 * i))); zeta3 <- - (get256_direct (WArray800.init16 (fun i_0 => (zetasp).[i_0])) + (get256_direct (WArray800.init16 (fun i_0 => zetasp.[i_0])) (368 + (392 * i))); - (r0, r4, r2, r6, r1, r5, r3, r7) <@ __butterfly64x (r0, r4, r2, r6, r1, - r5, r3, r7, zeta0, zeta1, zeta2, zeta3, qx16); - vx16 <- (get256 (WArray32.init16 (fun i_0 => (jvx16).[i_0])) 0); + (r0, r4, r2, r6, r1, r5, r3, r7) <@ __butterfly64x (r0, r4, r2, + r6, r1, r5, r3, r7, zeta0, zeta1, zeta2, zeta3, qx16); + vx16 <- (get256 (WArray32.init16 (fun i_0 => jvx16.[i_0])) 0); r0 <@ __red16x (r0, qx16, vx16); r4 <@ __red16x (r4, qx16, vx16); r2 <@ __red16x (r2, qx16, vx16); 
@@ -4323,84 +4533,93 @@ module M(SC:Syscall_t) = { r3 <@ __red16x (r3, qx16, vx16); r7 <@ __red16x (r7, qx16, vx16); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 0) + (256 * i)) (r0))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 0) + (256 * i)) r0))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 1) + (256 * i)) (r4))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 1) + (256 * i)) r4))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 2) + (256 * i)) (r1))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 2) + (256 * i)) r1))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 3) + (256 * i)) (r5))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 3) + (256 * i)) r5))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 4) + (256 * i)) (r2))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 4) + (256 * i)) r2))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 5) + (256 * i)) (r6))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 5) + (256 * i)) r6))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 6) + (256 * i)) (r3))); + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun 
i_0 => rp.[i_0])) + ((32 * 6) + (256 * i)) r3))); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) ((32 * 7) + (256 * i)) (r7))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + ((32 * 7) + (256 * i)) r7))); + i <- (i + 1); } - return (rp); + return rp; } - proc __poly_reduce (rp:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var qx16:W256.t; var vx16:W256.t; var i:int; var r:W256.t; - - qx16 <- (get256 (WArray32.init16 (fun i_0 => (jqx16).[i_0])) 0); - vx16 <- (get256 (WArray32.init16 (fun i_0 => (jvx16).[i_0])) 0); + qx16 <- (get256 (WArray32.init16 (fun i_0 => jqx16.[i_0])) 0); + vx16 <- (get256 (WArray32.init16 (fun i_0 => jvx16.[i_0])) 0); i <- 0; - while (i < 16) { - r <- - (get256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * i)); + while ((i < 16)) { + r <- (get256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) (32 * i)); r <@ __red16x (r, qx16, vx16); rp <- - Array256.init - (WArray512.get16 (WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * i) (r))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * i) r))); + i <- (i + 1); } - return (rp); + return rp; } - proc _poly_sub (rp:W16.t Array256.t, ap:W16.t Array256.t, bp:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var i:int; var a:W256.t; var b:W256.t; var r:W256.t; - i <- 0; - while (i < 16) { - a <- - (get256_direct (WArray512.init16 (fun i_0 => (ap).[i_0])) (32 * i)); - b <- - (get256_direct (WArray512.init16 (fun i_0 => (bp).[i_0])) (32 * i)); - r <- VPSUB_16u16 a b; + while ((i < 16)) { + a <- (get256_direct (WArray512.init16 (fun i_0 => ap.[i_0])) (32 * i)); + b <- (get256_direct (WArray512.init16 (fun i_0 => bp.[i_0])) (32 * i)); + r <- (VPSUB_16u16 a b); rp <- - Array256.init - (WArray512.get16 
(WArray512.set256_direct (WArray512.init16 (fun i_0 => (rp).[i_0])) (32 * i) (r))); - i <- i + 1; + (Array256.init + (WArray512.get16 + (WArray512.set256_direct (WArray512.init16 (fun i_0 => rp.[i_0])) + (32 * i) r))); + i <- (i + 1); } - return (rp); + return rp; } - proc _poly_tobytes (rp:W64.t, a:W16.t Array256.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var jqx16_p:W16.t Array16.t; var qx16:W256.t; var i:int; 
@@ -4416,33 +4635,33 @@ module M(SC:Syscall_t) = { var ttt:W256.t; jqx16_p <- witness; jqx16_p <- jqx16; - qx16 <- (get256 (WArray32.init16 (fun i_0 => (jqx16_p).[i_0])) 0); + qx16 <- (get256 (WArray32.init16 (fun i_0 => jqx16_p.[i_0])) 0); a <@ _poly_csubq (a); i <- 0; - while (i < 2) { - t0 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) (8 * i)); - t1 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((8 * i) + 1)); - t2 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((8 * i) + 2)); - t3 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((8 * i) + 3)); - t4 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((8 * i) + 4)); - t5 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((8 * i) + 5)); - t6 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((8 * i) + 6)); - t7 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((8 * i) + 7)); - tt <- VPSLL_16u16 t1 (W8.of_int 12); + while ((i < 2)) { + t0 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) (8 * i)); + t1 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((8 * i) + 1)); + t2 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((8 * i) + 2)); + t3 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((8 * i) + 3)); + t4 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((8 * i) + 4)); + t5 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((8 * i) + 5)); + t6 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((8 * i) + 6)); + t7 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((8 * i) + 7)); + tt <- (VPSLL_16u16 t1 (W8.of_int 12)); tt <- (tt `|` t0); - t0 <- VPSRL_16u16 t1 (W8.of_int 4); - t1 <- VPSLL_16u16 t2 (W8.of_int 8); + t0 <- (VPSRL_16u16 t1 (W8.of_int 4)); + t1 <- (VPSLL_16u16 t2 (W8.of_int 8)); t0 <- (t0 `|` t1); - t1 <- VPSRL_16u16 t2 (W8.of_int 8); - t2 <- VPSLL_16u16 t3 (W8.of_int 4); + t1 <- (VPSRL_16u16 t2 (W8.of_int 8)); + t2 <- (VPSLL_16u16 t3 (W8.of_int 4)); t1 <- (t1 `|` t2); - t2 <- VPSLL_16u16 t5 (W8.of_int 12); + t2 <- (VPSLL_16u16 t5 (W8.of_int 12)); t2 <- 
(t2 `|` t4); - t3 <- VPSRL_16u16 t5 (W8.of_int 4); - t4 <- VPSLL_16u16 t6 (W8.of_int 8); + t3 <- (VPSRL_16u16 t5 (W8.of_int 4)); + t4 <- (VPSLL_16u16 t6 (W8.of_int 8)); t3 <- (t3 `|` t4); - t4 <- VPSRL_16u16 t6 (W8.of_int 8); - t5 <- VPSLL_16u16 t7 (W8.of_int 4); + t4 <- (VPSRL_16u16 t6 (W8.of_int 8)); + t5 <- (VPSLL_16u16 t7 (W8.of_int 4)); t4 <- (t4 `|` t5); (ttt, t0) <@ __shuffle1 (tt, t0); (tt, t2) <@ __shuffle1 (t1, t2); @@ -4457,26 +4676,29 @@ module M(SC:Syscall_t) = { (t2, ttt) <@ __shuffle8 (t1, ttt); (t1, t4) <@ __shuffle8 (tt, t4); Glob.mem <- - storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int (192 * i)))) (t0); + (storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int (192 * i)))) t0); Glob.mem <- - storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 32)))) (t2); + (storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 32)))) + t2); Glob.mem <- - storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 64)))) (t1); + (storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 64)))) + t1); Glob.mem <- - storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 96)))) (t3); + (storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 96)))) + t3); Glob.mem <- - storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 128)))) (ttt); + (storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 128)))) + ttt); Glob.mem <- - storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 160)))) (t4); - i <- i + 1; + (storeW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((192 * i) + 160)))) + t4); + i <- (i + 1); } - return (a); + return a; } - proc _poly_tomsg_1 (rp:W8.t Array32.t, a:W16.t Array256.t) : W8.t Array32.t * W16.t Array256.t = { - var aux: int; - + var aux:int; var px16:W16.t Array16.t; var hq:W256.t; var hhq:W256.t; 
@@ -4489,75 +4711,76 @@ module M(SC:Syscall_t) = { px16 <- witness; a <@ _poly_csubq (a); px16 <- hqx16_m1; - hq <- (get256 (WArray32.init16 (fun i_0 => (px16).[i_0])) 0); + hq <- (get256 (WArray32.init16 (fun i_0 => px16.[i_0])) 0); px16 <- hhqx16; - hhq <- (get256 (WArray32.init16 (fun i_0 => (px16).[i_0])) 0); + hhq <- (get256 (WArray32.init16 (fun i_0 => px16.[i_0])) 0); aux <- (256 %/ 32); i <- 0; - while (i < aux) { - f0 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) (2 * i)); - f1 <- (get256 (WArray512.init16 (fun i_0 => (a).[i_0])) ((2 * i) + 1)); - f0 <- VPSUB_16u16 hq f0; - f1 <- VPSUB_16u16 hq f1; - g0 <- VPSRA_16u16 f0 (W8.of_int 15); - g1 <- VPSRA_16u16 f1 (W8.of_int 15); - f0 <- VPXOR_256 f0 g0; - f1 <- VPXOR_256 f1 g1; - f0 <- VPSUB_16u16 f0 hhq; - f1 <- VPSUB_16u16 f1 hhq; - f0 <- VPACKSS_16u16 f0 f1; - f0 <- VPERMQ f0 (W8.of_int 216); - c <- VPMOVMSKB_u256u32 f0; + while ((i < aux)) { + f0 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) (2 * i)); + f1 <- (get256 (WArray512.init16 (fun i_0 => a.[i_0])) ((2 * i) + 1)); + f0 <- (VPSUB_16u16 hq f0); + f1 <- (VPSUB_16u16 hq f1); + g0 <- (VPSRA_16u16 f0 (W8.of_int 15)); + g1 <- (VPSRA_16u16 f1 (W8.of_int 15)); + f0 <- (VPXOR_256 f0 g0); + f1 <- (VPXOR_256 f1 g1); + f0 <- (VPSUB_16u16 f0 hhq); + f1 <- (VPSUB_16u16 f1 hhq); + f0 <- (VPACKSS_16u16 f0 f1); + f0 <- (VPERMQ f0 (W8.of_int 216)); + c <- (VPMOVMSKB_u256u32 f0); rp <- - Array32.init - (WArray32.get8 (WArray32.set32 (WArray32.init8 (fun i_0 => (rp).[i_0])) i (c))); - i <- i + 1; + (Array32.init + (WArray32.get8 + (WArray32.set32 (WArray32.init8 (fun i_0 => rp.[i_0])) i c))); + i <- (i + 1); } return (rp, a); } - proc __polyvec_add2 (r:W16.t Array768.t, b:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ _poly_add2 ((Array256.init (fun i => r.[0 + i])), - (Array256.init (fun i => b.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ _poly_add2 
((Array256.init (fun i => r.[256 + i])), - (Array256.init (fun i => b.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ _poly_add2 ((Array256.init (fun i => r.[(2 * 256) + i])), - (Array256.init (fun i => b.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ _poly_add2 ((Array256.init (fun i => r.[(0 + i)])), + (Array256.init (fun i => b.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ _poly_add2 ((Array256.init (fun i => r.[(256 + i)])), + (Array256.init (fun i => b.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ _poly_add2 ((Array256.init (fun i => r.[((2 * 256) + i)])), + (Array256.init (fun i => b.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_csubq (r:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ _poly_csubq ((Array256.init (fun i => r.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ _poly_csubq ((Array256.init (fun i => r.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ _poly_csubq ((Array256.init (fun i => r.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ _poly_csubq ((Array256.init (fun i => r.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ _poly_csubq ((Array256.init (fun i => r.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= 
i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ _poly_csubq ((Array256.init (fun i => r.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_decompress (rp:W64.t) : W16.t Array768.t = { - var aux: int; - + var aux:int; var r:W16.t Array768.t; var q:W256.t; var shufbidx:W256.t; 
@@ -4567,37 +4790,38 @@ module M(SC:Syscall_t) = { var k:int; var f:W256.t; r <- witness; - q <- VPBROADCAST_8u32 pvd_q_s; + q <- (VPBROADCAST_8u32 pvd_q_s); shufbidx <- - (get256 (WArray32.init8 (fun i_0 => (pvd_shufbdidx_s).[i_0])) 0); - sllvdidx <- VPBROADCAST_4u64 pvd_sllvdidx_s; - mask <- VPBROADCAST_8u32 pvd_mask_s; + (get256 (WArray32.init8 (fun i_0 => pvd_shufbdidx_s.[i_0])) 0); + sllvdidx <- (VPBROADCAST_4u64 pvd_sllvdidx_s); + mask <- (VPBROADCAST_8u32 pvd_mask_s); k <- 0; - while (k < 3) { + while ((k < 3)) { aux <- (256 %/ 16); i <- 0; - while (i < aux) { + while ((i < aux)) { f <- - (loadW256 Glob.mem (W64.to_uint (rp + (W64.of_int ((320 * k) + (20 * i)))))); - f <- VPERMQ f (W8.of_int 148); - f <- VPSHUFB_256 f shufbidx; - f <- VPSLLV_8u32 f sllvdidx; - f <- VPSRL_16u16 f (W8.of_int 1); - f <- VPAND_256 f mask; - f <- VPMULHRS_16u16 f q; + (loadW256 Glob.mem + (W64.to_uint (rp + (W64.of_int ((320 * k) + (20 * i)))))); + f <- (VPERMQ f (W8.of_int 148)); + f <- (VPSHUFB_256 f shufbidx); + f <- (VPSLLV_8u32 f sllvdidx); + f <- (VPSRL_16u16 f (W8.of_int 1)); + f <- (VPAND_256 f mask); + f <- (VPMULHRS_16u16 f q); r <- - Array768.init - (WArray1536.get16 (WArray1536.set256 (WArray1536.init16 (fun i_0 => (r).[i_0])) ((16 * k) + i) (f))); - i <- i + 1; + (Array768.init + (WArray1536.get16 + (WArray1536.set256 (WArray1536.init16 (fun i_0 => r.[i_0])) + ((16 * k) + i) f))); + i <- (i + 1); } - k <- k + 1; + k <- (k + 1); } - return (r); + return r; } - proc __polyvec_compress (rp:W64.t, a:W16.t Array768.t) : unit = { - var aux: int; - + var aux:int; var x16p:W16.t Array16.t; var v:W256.t; var v8:W256.t; 
@@ -4616,50 +4840,48 @@ module M(SC:Syscall_t) = { x16p <- witness; a <@ __polyvec_csubq (a); x16p <- jvx16; - v <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); - v8 <- VPSLL_16u16 v (W8.of_int 3); - off <- VPBROADCAST_16u16 pvc_off_s; - shift1 <- VPBROADCAST_16u16 pvc_shift1_s; - mask <- VPBROADCAST_16u16 pvc_mask_s; - shift2 <- VPBROADCAST_4u64 pvc_shift2_s; - sllvdidx <- VPBROADCAST_4u64 pvc_sllvdidx_s; + v <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); + v8 <- (VPSLL_16u16 v (W8.of_int 3)); + off <- (VPBROADCAST_16u16 pvc_off_s); + shift1 <- (VPBROADCAST_16u16 pvc_shift1_s); + mask <- (VPBROADCAST_16u16 pvc_mask_s); + shift2 <- (VPBROADCAST_4u64 pvc_shift2_s); + sllvdidx <- (VPBROADCAST_4u64 pvc_sllvdidx_s); shufbidx <- - (get256 (WArray32.init8 (fun i_0 => (pvc_shufbidx_s).[i_0])) 0); + (get256 (WArray32.init8 (fun i_0 => pvc_shufbidx_s.[i_0])) 0); aux <- ((3 * 256) %/ 16); i <- 0; - while (i < aux) { - f0 <- (get256 (WArray1536.init16 (fun i_0 => (a).[i_0])) i); - f1 <- VPMULL_16u16 f0 v8; - f2 <- VPADD_16u16 f0 off; - f0 <- VPSLL_16u16 f0 (W8.of_int 3); - f0 <- VPMULH_16u16 f0 v; - f2 <- VPSUB_16u16 f1 f2; - f1 <- VPANDN_256 f1 f2; - f1 <- VPSRL_16u16 f1 (W8.of_int 15); - f0 <- VPSUB_16u16 f0 f1; - f0 <- VPMULHRS_16u16 f0 shift1; - f0 <- VPAND_256 f0 mask; - f0 <- VPMADDWD_256 f0 shift2; - f0 <- VPSLLV_8u32 f0 sllvdidx; - f0 <- VPSRL_4u64 f0 (W8.of_int 12); - f0 <- VPSHUFB_256 f0 shufbidx; + while ((i < aux)) { + f0 <- (get256 (WArray1536.init16 (fun i_0 => a.[i_0])) i); + f1 <- (VPMULL_16u16 f0 v8); + f2 <- (VPADD_16u16 f0 off); + f0 <- (VPSLL_16u16 f0 (W8.of_int 3)); + f0 <- (VPMULH_16u16 f0 v); + f2 <- (VPSUB_16u16 f1 f2); + f1 <- (VPANDN_256 f1 f2); + f1 <- (VPSRL_16u16 f1 (W8.of_int 15)); + f0 <- (VPSUB_16u16 f0 f1); + f0 <- (VPMULHRS_16u16 f0 shift1); + f0 <- (VPAND_256 f0 mask); + f0 <- (VPMADDWD_256 f0 shift2); + f0 <- (VPSLLV_8u32 f0 sllvdidx); + f0 <- (VPSRL_4u64 f0 (W8.of_int 12)); + f0 <- (VPSHUFB_256 f0 shufbidx); t0 <- 
(truncateu128 f0); - t1 <- VEXTRACTI128 f0 (W8.of_int 1); - t0 <- VPBLEND_8u16 t0 t1 (W8.of_int 224); + t1 <- (VEXTRACTI128 f0 (W8.of_int 1)); + t0 <- (VPBLEND_8u16 t0 t1 (W8.of_int 224)); Glob.mem <- - storeW128 Glob.mem (W64.to_uint (rp + (W64.of_int (20 * i)))) (t0); + (storeW128 Glob.mem (W64.to_uint (rp + (W64.of_int (20 * i)))) t0); Glob.mem <- - storeW32 Glob.mem (W64.to_uint (rp + (W64.of_int ((20 * i) + 16)))) (VPEXTR_32 t1 - (W8.of_int 0)); - i <- i + 1; + (storeW32 Glob.mem (W64.to_uint (rp + (W64.of_int ((20 * i) + 16)))) + (VPEXTR_32 t1 (W8.of_int 0))); + i <- (i + 1); } return (); } - proc __polyvec_compress_1 (rp:W8.t Array960.t, a:W16.t Array768.t) : W8.t Array960.t = { - var aux: int; - + var aux:int; var x16p:W16.t Array16.t; var v:W256.t; var v8:W256.t; 
@@ -4678,226 +4900,227 @@ module M(SC:Syscall_t) = { x16p <- witness; a <@ __polyvec_csubq (a); x16p <- jvx16; - v <- (get256 (WArray32.init16 (fun i_0 => (x16p).[i_0])) 0); - v8 <- VPSLL_16u16 v (W8.of_int 3); - off <- VPBROADCAST_16u16 pvc_off_s; - shift1 <- VPBROADCAST_16u16 pvc_shift1_s; - mask <- VPBROADCAST_16u16 pvc_mask_s; - shift2 <- VPBROADCAST_4u64 pvc_shift2_s; - sllvdidx <- VPBROADCAST_4u64 pvc_sllvdidx_s; + v <- (get256 (WArray32.init16 (fun i_0 => x16p.[i_0])) 0); + v8 <- (VPSLL_16u16 v (W8.of_int 3)); + off <- (VPBROADCAST_16u16 pvc_off_s); + shift1 <- (VPBROADCAST_16u16 pvc_shift1_s); + mask <- (VPBROADCAST_16u16 pvc_mask_s); + shift2 <- (VPBROADCAST_4u64 pvc_shift2_s); + sllvdidx <- (VPBROADCAST_4u64 pvc_sllvdidx_s); shufbidx <- - (get256 (WArray32.init8 (fun i_0 => (pvc_shufbidx_s).[i_0])) 0); + (get256 (WArray32.init8 (fun i_0 => pvc_shufbidx_s.[i_0])) 0); aux <- ((3 * 256) %/ 16); i <- 0; - while (i < aux) { - f0 <- (get256 (WArray1536.init16 (fun i_0 => (a).[i_0])) i); - f1 <- VPMULL_16u16 f0 v8; - f2 <- VPADD_16u16 f0 off; - f0 <- VPSLL_16u16 f0 (W8.of_int 3); - f0 <- VPMULH_16u16 f0 v; - f2 <- VPSUB_16u16 f1 f2; - f1 <- VPANDN_256 f1 f2; - f1 <- VPSRL_16u16 f1 (W8.of_int 15); - f0 <- VPSUB_16u16 f0 f1; - f0 <- VPMULHRS_16u16 f0 shift1; - f0 <- VPAND_256 f0 mask; - f0 <- VPMADDWD_256 f0 shift2; - f0 <- VPSLLV_8u32 f0 sllvdidx; - f0 <- VPSRL_4u64 f0 (W8.of_int 12); - f0 <- VPSHUFB_256 f0 shufbidx; + while ((i < aux)) { + f0 <- (get256 (WArray1536.init16 (fun i_0 => a.[i_0])) i); + f1 <- (VPMULL_16u16 f0 v8); + f2 <- (VPADD_16u16 f0 off); + f0 <- (VPSLL_16u16 f0 (W8.of_int 3)); + f0 <- (VPMULH_16u16 f0 v); + f2 <- (VPSUB_16u16 f1 f2); + f1 <- (VPANDN_256 f1 f2); + f1 <- (VPSRL_16u16 f1 (W8.of_int 15)); + f0 <- (VPSUB_16u16 f0 f1); + f0 <- (VPMULHRS_16u16 f0 shift1); + f0 <- (VPAND_256 f0 mask); + f0 <- (VPMADDWD_256 f0 shift2); + f0 <- (VPSLLV_8u32 f0 sllvdidx); + f0 <- (VPSRL_4u64 f0 (W8.of_int 12)); + f0 <- (VPSHUFB_256 f0 shufbidx); t0 <- 
(truncateu128 f0); - t1 <- VEXTRACTI128 f0 (W8.of_int 1); - t0 <- VPBLEND_8u16 t0 t1 (W8.of_int 224); + t1 <- (VEXTRACTI128 f0 (W8.of_int 1)); + t0 <- (VPBLEND_8u16 t0 t1 (W8.of_int 224)); rp <- - Array960.init - (WArray960.get8 (WArray960.set128_direct (WArray960.init8 (fun i_0 => (rp).[i_0])) (20 * i) (t0))); + (Array960.init + (WArray960.get8 + (WArray960.set128_direct (WArray960.init8 (fun i_0 => rp.[i_0])) + (20 * i) t0))); rp <- - Array960.init - (WArray960.get8 (WArray960.set32_direct (WArray960.init8 (fun i_0 => (rp).[i_0])) ((20 * i) + 16) (VPEXTR_32 t1 - (W8.of_int 0)))); - i <- i + 1; + (Array960.init + (WArray960.get8 + (WArray960.set32_direct (WArray960.init8 (fun i_0 => rp.[i_0])) + ((20 * i) + 16) (VPEXTR_32 t1 (W8.of_int 0))))); + i <- (i + 1); } - return (rp); + return rp; } - proc __polyvec_frombytes (ap:W64.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - + var aux:W16.t Array256.t; var r:W16.t Array768.t; var pp:W64.t; r <- witness; pp <- ap; - aux <@ _poly_frombytes ((Array256.init (fun i => r.[0 + i])), pp); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); + aux <@ _poly_frombytes ((Array256.init (fun i => r.[(0 + i)])), pp); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); pp <- (pp + (W64.of_int 384)); - aux <@ _poly_frombytes ((Array256.init (fun i => r.[256 + i])), pp); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); + aux <@ _poly_frombytes ((Array256.init (fun i => r.[(256 + i)])), pp); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); pp <- (pp + (W64.of_int 384)); - aux <@ _poly_frombytes ((Array256.init (fun i => r.[(2 * 256) + i])), + aux <@ _poly_frombytes ((Array256.init (fun i => r.[((2 * 256) + i)])), pp); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); + r <- + (Array768.init + (fun i 
=> (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; } - proc __polyvec_invntt (r:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ _poly_invntt ((Array256.init (fun i => r.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ _poly_invntt ((Array256.init (fun i => r.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ _poly_invntt ((Array256.init (fun i => r.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ _poly_invntt ((Array256.init (fun i => r.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ _poly_invntt ((Array256.init (fun i => r.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ _poly_invntt ((Array256.init (fun i => r.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_ntt (r:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ _poly_ntt ((Array256.init (fun i => r.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ _poly_ntt ((Array256.init (fun i => r.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ _poly_ntt ((Array256.init (fun i => r.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ _poly_ntt ((Array256.init (fun i => r.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) 
then aux.[(i - 0)] else r.[i]))); + aux <@ _poly_ntt ((Array256.init (fun i => r.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ _poly_ntt ((Array256.init (fun i => r.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_reduce (r:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ __poly_reduce ((Array256.init (fun i => r.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ __poly_reduce ((Array256.init (fun i => r.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ __poly_reduce ((Array256.init (fun i => r.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ __poly_reduce ((Array256.init (fun i => r.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ __poly_reduce ((Array256.init (fun i => r.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ __poly_reduce ((Array256.init (fun i => r.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_pointwise_acc (r:W16.t Array256.t, a:W16.t Array768.t, b:W16.t Array768.t) : W16.t Array256.t = { - var t:W16.t Array256.t; t <- witness; - r <@ _poly_basemul (r, (Array256.init (fun i => a.[0 + i])), - (Array256.init (fun i => b.[0 + i]))); - t <@ _poly_basemul (t, (Array256.init (fun i => a.[256 + i])), - (Array256.init (fun i => b.[256 + i]))); + r <@ _poly_basemul (r, (Array256.init (fun i => a.[(0 + 
i)])), + (Array256.init (fun i => b.[(0 + i)]))); + t <@ _poly_basemul (t, (Array256.init (fun i => a.[(256 + i)])), + (Array256.init (fun i => b.[(256 + i)]))); r <@ _poly_add2 (r, t); - t <@ _poly_basemul (t, (Array256.init (fun i => a.[(2 * 256) + i])), - (Array256.init (fun i => b.[(2 * 256) + i]))); + t <@ _poly_basemul (t, (Array256.init (fun i => a.[((2 * 256) + i)])), + (Array256.init (fun i => b.[((2 * 256) + i)]))); r <@ _poly_add2 (r, t); - return (r); + return r; } - proc __polyvec_tobytes (rp:W64.t, a:W16.t Array768.t) : unit = { - var aux: W16.t Array256.t; - + var aux:W16.t Array256.t; var pp:W64.t; - pp <- rp; - aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[0 + i]))); - a <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else a.[i]); + aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[(0 + i)]))); + a <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else a.[i]))); pp <- (pp + (W64.of_int 384)); - aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[256 + i]))); - a <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else a.[i]); + aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[(256 + i)]))); + a <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else a.[i]))); pp <- (pp + (W64.of_int 384)); - aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[(2 * 256) + i]))); - a <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else a.[i]); + aux <@ _poly_tobytes (pp, + (Array256.init (fun i => a.[((2 * 256) + i)]))); + a <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + a.[i])) + ); return (); } - proc keccakf1600_4x_theta_sum (a:W256.t Array25.t) : W256.t Array5.t = { - var aux: int; - + var aux:int; var c:W256.t Array5.t; var x:int; var y:int; c <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { c.[x] <- a.[(x + 0)]; - x <- x + 1; + x <- (x + 
1); } y <- 1; - while (y < 5) { + while ((y < 5)) { x <- 0; - while (x < 5) { + while ((x < 5)) { c.[x] <- (c.[x] `^` a.[(x + (y * 5))]); - x <- x + 1; + x <- (x + 1); } - y <- y + 1; + y <- (y + 1); } - return (c); + return c; } - proc keccakf1600_4x_rol (a:W256.t Array5.t, x:int, r:int, r8:W256.t, r56:W256.t) : W256.t Array5.t = { - var t:W256.t; - if ((r = 8)) { - a.[x] <- VPSHUFB_256 a.[x] r8; + a.[x] <- (VPSHUFB_256 a.[x] r8); } else { if ((r = 56)) { - a.[x] <- VPSHUFB_256 a.[x] r56; + a.[x] <- (VPSHUFB_256 a.[x] r56); } else { - t <- VPSLL_4u64 a.[x] (W8.of_int r); - a.[x] <- VPSRL_4u64 a.[x] (W8.of_int (64 - r)); + t <- (VPSLL_4u64 a.[x] (W8.of_int r)); + a.[x] <- (VPSRL_4u64 a.[x] (W8.of_int (64 - r))); a.[x] <- (a.[x] `|` t); } } - return (a); + return a; } - proc keccakf1600_4x_theta_rol (c:W256.t Array5.t, r8:W256.t, r56:W256.t) : W256.t Array5.t = { - var aux: int; - + var aux:int; var d:W256.t Array5.t; var x:int; d <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { d.[x] <- c.[((x + 1) %% 5)]; d <@ keccakf1600_4x_rol (d, x, 1, r8, r56); d.[x] <- (d.[x] `^` c.[(((x - 1) + 5) %% 5)]); - x <- x + 1; + x <- (x + 1); } - return (d); + return d; } - proc keccakf1600_4x_rol_sum (a:W256.t Array25.t, d:W256.t Array5.t, y:int, r8:W256.t, r56:W256.t) : W256.t Array5.t = { - var aux: int; - + var aux:int; var b:W256.t Array5.t; var x:int; var x_:int; @@ -4905,7 +5128,7 @@ module M(SC:Syscall_t) = { var r:int; b <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { x_ <- ((x + (3 * y)) %% 5); y_ <- x; r <@ keccakf1600_rhotates (x_, y_); 
@@ -4916,25 +5139,22 @@ module M(SC:Syscall_t) = { } else { } - x <- x + 1; + x <- (x + 1); } - return (b); + return b; } - proc keccakf1600_4x_set_row (e:W256.t Array25.t, b:W256.t Array5.t, y:int, rc:W256.t) : W256.t Array25.t = { - var aux: int; - + var aux:int; var x:int; var x1:int; var x2:int; var t:W256.t; - x <- 0; - while (x < 5) { + while ((x < 5)) { x1 <- ((x + 1) %% 5); x2 <- ((x + 2) %% 5); - t <- VPANDN_256 b.[x1] b.[x2]; + t <- (VPANDN_256 b.[x1] b.[x2]); t <- (t `^` b.[x]); if (((x = 0) /\ (y = 0))) { t <- (t `^` rc); @@ -4942,15 +5162,13 @@ module M(SC:Syscall_t) = { } e.[(x + (y * 5))] <- t; - x <- x + 1; + x <- (x + 1); } - return (e); + return e; } - proc keccakf1600_4x_round (e:W256.t Array25.t, a:W256.t Array25.t, rc:W256.t, r8:W256.t, r56:W256.t) : W256.t Array25.t = { - var aux: int; - + var aux:int; var c:W256.t Array5.t; var d:W256.t Array5.t; var y:int; @@ -4961,16 +5179,14 @@ module M(SC:Syscall_t) = { c <@ keccakf1600_4x_theta_sum (a); d <@ keccakf1600_4x_theta_rol (c, r8, r56); y <- 0; - while (y < 5) { + while ((y < 5)) { b <@ keccakf1600_4x_rol_sum (a, d, y, r8, r56); e <@ keccakf1600_4x_set_row (e, b, y, rc); - y <- y + 1; + y <- (y + 1); } - return (e); + return e; } - proc __keccakf1600_4x (a:W256.t Array25.t) : W256.t Array25.t = { - var rC:W256.t Array24.t; var s_e:W256.t Array25.t; var e:W256.t Array25.t; @@ -4988,17 +5204,16 @@ module M(SC:Syscall_t) = { r8 <- rOL8; r56 <- rOL56; c <- (W64.of_int 0); - while ((c \ult (W64.of_int (24 * 32)))) { rc <- - (get256_direct (WArray768.init256 (fun i => (rC).[i])) (W64.to_uint c)); + (get256_direct (WArray768.init256 (fun i => rC.[i])) (W64.to_uint c)); e <@ keccakf1600_4x_round (e, a, rc, r8, r56); a_s <- a; s_e <- e; a <- a_s; e <- s_e; rc <- - (get256_direct (WArray768.init256 (fun i => (rC).[i])) + (get256_direct (WArray768.init256 (fun i => rC.[i])) ((W64.to_uint c) + 32)); a <@ keccakf1600_4x_round (a, e, rc, r8, r56); a_s <- a; 
@@ -5007,29 +5222,21 @@ module M(SC:Syscall_t) = { e <- s_e; c <- (c + (W64.of_int 64)); } - return (a); + return a; } - proc _keccakf1600_4x_ (a:W256.t Array25.t) : W256.t Array25.t = { - - a <@ __keccakf1600_4x (a); - return (a); + return a; } - proc _keccakf1600_4x (a:W256.t Array25.t) : W256.t Array25.t = { - - a <- a; a <@ _keccakf1600_4x_ (a); a <- a; - return (a); + return a; } - proc _keccakf1600_avx2 (state:W256.t Array7.t) : W256.t Array7.t = { - var iotas_p:W256.t Array24.t; var iotas_o:W64.t; var rhotates_left_p:W256.t Array6.t; 
@@ -5053,25 +5260,45 @@ module M(SC:Syscall_t) = { rhotates_left_p <- kECCAK_RHOTATES_LEFT; rhotates_right_p <- kECCAK_RHOTATES_RIGHT; r <- (W64.of_int 24); - c00 <- VPSHUFD_256 state.[2] - (W8.of_int (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 1)))); + c00 <- + (VPSHUFD_256 state.[2] + (W8.of_int + ((2 %% (2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 1)))))))); c14 <- (state.[5] `^` state.[3]); t.[2] <- (state.[4] `^` state.[6]); c14 <- (c14 `^` state.[1]); c14 <- (c14 `^` t.[2]); - t.[4] <- VPERMQ c14 - (W8.of_int (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 2)))); + t.[4] <- + (VPERMQ c14 + (W8.of_int + ((3 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); c00 <- (c00 `^` state.[2]); - t.[0] <- VPERMQ c00 - (W8.of_int (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 1)))); + t.[0] <- + (VPERMQ c00 + (W8.of_int + ((2 %% (2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 1)))))))); t.[1] <- (c14 \vshr64u256 (W8.of_int 63)); t.[2] <- (c14 \vadd64u256 c14); t.[1] <- (t.[1] `|` t.[2]); - d14 <- VPERMQ t.[1] - (W8.of_int (1 %% 2^2 + 2^2 * (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * 0)))); + d14 <- + (VPERMQ t.[1] + (W8.of_int + ((1 %% (2 ^ 2)) + + ((2 ^ 2) * + ((2 %% (2 ^ 2)) + ((2 ^ 2) * ((3 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); d00 <- (t.[1] `^` t.[4]); - d00 <- VPERMQ d00 - (W8.of_int (0 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 0)))); + d00 <- + (VPERMQ d00 + (W8.of_int + ((0 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); c00 <- (c00 `^` state.[0]); c00 <- (c00 `^` t.[0]); t.[0] <- (c00 \vshr64u256 (W8.of_int 63)); 
@@ -5079,363 +5306,661 @@ module M(SC:Syscall_t) = { t.[1] <- (t.[1] `|` t.[0]); state.[2] <- (state.[2] `^` d00); state.[0] <- (state.[0] `^` d00); - d14 <- VPBLEND_8u32 d14 t.[1] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[4] <- VPBLEND_8u32 t.[4] c00 - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); + d14 <- + (VPBLEND_8u32 d14 t.[1] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[4] <- + (VPBLEND_8u32 t.[4] c00 + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); d14 <- (d14 `^` t.[4]); - t.[3] <- VPSLLV_4u64 state.[2] rhotates_left_p.[0]; - state.[2] <- VPSRLV_4u64 state.[2] rhotates_right_p.[0]; + t.[3] <- (VPSLLV_4u64 state.[2] rhotates_left_p.[0]); + state.[2] <- (VPSRLV_4u64 state.[2] rhotates_right_p.[0]); state.[2] <- (state.[2] `|` t.[3]); state.[3] <- (state.[3] `^` d14); - t.[4] <- VPSLLV_4u64 state.[3] rhotates_left_p.[2]; - state.[3] <- VPSRLV_4u64 state.[3] rhotates_right_p.[2]; + t.[4] <- (VPSLLV_4u64 state.[3] rhotates_left_p.[2]); + state.[3] <- (VPSRLV_4u64 state.[3] rhotates_right_p.[2]); state.[3] <- (state.[3] `|` t.[4]); state.[4] <- (state.[4] `^` d14); - t.[5] <- VPSLLV_4u64 state.[4] rhotates_left_p.[3]; - state.[4] <- VPSRLV_4u64 state.[4] rhotates_right_p.[3]; + t.[5] <- (VPSLLV_4u64 state.[4] rhotates_left_p.[3]); + state.[4] <- (VPSRLV_4u64 state.[4] rhotates_right_p.[3]); state.[4] <- 
(state.[4] `|` t.[5]); state.[5] <- (state.[5] `^` d14); - t.[6] <- VPSLLV_4u64 state.[5] rhotates_left_p.[4]; - state.[5] <- VPSRLV_4u64 state.[5] rhotates_right_p.[4]; + t.[6] <- (VPSLLV_4u64 state.[5] rhotates_left_p.[4]); + state.[5] <- (VPSRLV_4u64 state.[5] rhotates_right_p.[4]); state.[5] <- (state.[5] `|` t.[6]); state.[6] <- (state.[6] `^` d14); - t.[3] <- VPERMQ state.[2] - (W8.of_int (1 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 2)))); - t.[4] <- VPERMQ state.[3] - (W8.of_int (1 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 2)))); - t.[7] <- VPSLLV_4u64 state.[6] rhotates_left_p.[5]; - t.[1] <- VPSRLV_4u64 state.[6] rhotates_right_p.[5]; + t.[3] <- + (VPERMQ state.[2] + (W8.of_int + ((1 %% (2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); + t.[4] <- + (VPERMQ state.[3] + (W8.of_int + ((1 %% (2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); + t.[7] <- (VPSLLV_4u64 state.[6] rhotates_left_p.[5]); + t.[1] <- (VPSRLV_4u64 state.[6] rhotates_right_p.[5]); t.[1] <- (t.[1] `|` t.[7]); state.[1] <- (state.[1] `^` d14); - t.[5] <- VPERMQ state.[4] - (W8.of_int (3 %% 2^2 + 2^2 * (2 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 0)))); - t.[6] <- VPERMQ state.[5] - (W8.of_int (2 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * 1)))); - t.[8] <- VPSLLV_4u64 state.[1] rhotates_left_p.[1]; - t.[2] <- VPSRLV_4u64 state.[1] rhotates_right_p.[1]; + t.[5] <- + (VPERMQ state.[4] + (W8.of_int + ((3 %% (2 ^ 2)) + + ((2 ^ 2) * + ((2 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + t.[6] <- + (VPERMQ state.[5] + (W8.of_int + ((2 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((3 %% (2 ^ 2)) + ((2 ^ 2) * 1)))))))); + t.[8] <- (VPSLLV_4u64 state.[1] rhotates_left_p.[1]); + t.[2] <- (VPSRLV_4u64 state.[1] rhotates_right_p.[1]); t.[2] <- (t.[2] `|` t.[8]); - t.[7] <- VPSRLDQ_256 t.[1] (W8.of_int 8); + t.[7] <- (VPSRLDQ_256 t.[1] (W8.of_int 8)); t.[0] <- ((invw 
t.[1]) `&` t.[7]); - state.[3] <- VPBLEND_8u32 t.[2] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[8] <- VPBLEND_8u32 t.[4] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[5] <- VPBLEND_8u32 t.[3] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[2] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[3] <- VPBLEND_8u32 state.[3] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[8] <- VPBLEND_8u32 t.[8] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[5] <- VPBLEND_8u32 state.[5] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[3] <- VPBLEND_8u32 state.[3] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[8] <- VPBLEND_8u32 t.[8] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 
* (1 %% 2^1 + 2^1 * 1)))))))); - state.[5] <- VPBLEND_8u32 state.[5] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + state.[3] <- + (VPBLEND_8u32 t.[2] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[4] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[5] <- + (VPBLEND_8u32 t.[3] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[2] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[3] <- + (VPBLEND_8u32 state.[3] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[8] t.[5] + (W8.of_int + 
((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[5] <- + (VPBLEND_8u32 state.[5] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[3] <- + (VPBLEND_8u32 state.[3] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[8] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + state.[5] <- + (VPBLEND_8u32 state.[5] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) 
+ ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[3] <- ((invw state.[3]) `&` t.[8]); state.[5] <- ((invw state.[5]) `&` t.[7]); - state.[6] <- VPBLEND_8u32 t.[5] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[8] <- VPBLEND_8u32 t.[3] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); + state.[6] <- + (VPBLEND_8u32 t.[5] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[3] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); state.[3] <- (state.[3] `^` t.[3]); - state.[6] <- VPBLEND_8u32 state.[6] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[8] <- VPBLEND_8u32 t.[8] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); + state.[6] <- + (VPBLEND_8u32 state.[6] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[8] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 
1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); state.[5] <- (state.[5] `^` t.[5]); - state.[6] <- VPBLEND_8u32 state.[6] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[8] <- VPBLEND_8u32 t.[8] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + state.[6] <- + (VPBLEND_8u32 state.[6] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[8] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[6] <- ((invw state.[6]) `&` t.[8]); state.[6] <- (state.[6] `^` t.[6]); - state.[4] <- VPERMQ t.[1] - (W8.of_int (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 0)))); - t.[8] <- VPBLEND_8u32 state.[4] state.[0] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[1] <- VPERMQ t.[1] - (W8.of_int (1 %% 2^2 + 2^2 * (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * 0)))); - state.[1] <- VPBLEND_8u32 state.[1] state.[0] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + state.[4] <- + (VPERMQ t.[1] + (W8.of_int + ((2 %% 
(2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + t.[8] <- + (VPBLEND_8u32 state.[4] state.[0] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[1] <- + (VPERMQ t.[1] + (W8.of_int + ((1 %% (2 ^ 2)) + + ((2 ^ 2) * + ((2 %% (2 ^ 2)) + ((2 ^ 2) * ((3 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + state.[1] <- + (VPBLEND_8u32 state.[1] state.[0] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[1] <- ((invw state.[1]) `&` t.[8]); - state.[2] <- VPBLEND_8u32 t.[4] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[6] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[2] <- VPBLEND_8u32 state.[2] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[2] <- VPBLEND_8u32 state.[2] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 
2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + state.[2] <- + (VPBLEND_8u32 t.[4] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[6] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[2] <- + (VPBLEND_8u32 state.[2] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[2] <- + (VPBLEND_8u32 state.[2] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[2] <- ((invw state.[2]) `&` t.[7]); state.[2] <- (state.[2] `^` 
t.[2]); - t.[0] <- VPERMQ t.[0] - (W8.of_int (0 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 0)))); - state.[3] <- VPERMQ state.[3] - (W8.of_int (3 %% 2^2 + 2^2 * (2 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 0)))); - state.[5] <- VPERMQ state.[5] - (W8.of_int (1 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 2)))); - state.[6] <- VPERMQ state.[6] - (W8.of_int (2 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * 1)))); - state.[4] <- VPBLEND_8u32 t.[6] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[5] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[4] <- VPBLEND_8u32 state.[4] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[4] <- VPBLEND_8u32 state.[4] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + t.[0] <- + (VPERMQ t.[0] + (W8.of_int + ((0 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + state.[3] <- + (VPERMQ state.[3] + (W8.of_int + ((3 %% (2 ^ 2)) + + ((2 ^ 2) * + ((2 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + state.[5] <- + (VPERMQ state.[5] + (W8.of_int + ((1 %% (2 ^ 2)) + + 
((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); + state.[6] <- + (VPERMQ state.[6] + (W8.of_int + ((2 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((3 %% (2 ^ 2)) + ((2 ^ 2) * 1)))))))); + state.[4] <- + (VPBLEND_8u32 t.[6] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[5] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[4] <- + (VPBLEND_8u32 state.[4] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[4] <- + (VPBLEND_8u32 state.[4] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * 
((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[4] <- ((invw state.[4]) `&` t.[7]); state.[0] <- (state.[0] `^` t.[0]); state.[1] <- (state.[1] `^` t.[1]); state.[4] <- (state.[4] `^` t.[4]); state.[0] <- - (state.[0] `^` (get256_direct - (WArray768.init256 (fun i => (iotas_p).[i])) - (W64.to_uint iotas_o))); + (state.[0] `^` + (get256_direct (WArray768.init256 (fun i => iotas_p.[i])) + (W64.to_uint iotas_o))); iotas_o <- (iotas_o + (W64.of_int 32)); - ( _0, _1, _2, zf, r) <- DEC_64 r; + ( _0, _1, _2, zf, r) <- (DEC_64 r); while ((! zf)) { - c00 <- VPSHUFD_256 state.[2] - (W8.of_int (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 1)))); + c00 <- + (VPSHUFD_256 state.[2] + (W8.of_int + ((2 %% (2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 1)))))))); c14 <- (state.[5] `^` state.[3]); t.[2] <- (state.[4] `^` state.[6]); c14 <- (c14 `^` state.[1]); c14 <- (c14 `^` t.[2]); - t.[4] <- VPERMQ c14 - (W8.of_int (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 2)))); + t.[4] <- + (VPERMQ c14 + (W8.of_int + ((3 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); c00 <- (c00 `^` state.[2]); - t.[0] <- VPERMQ c00 - (W8.of_int (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 1)))); + t.[0] <- + (VPERMQ c00 + (W8.of_int + ((2 %% (2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 1)))))))); t.[1] <- (c14 \vshr64u256 (W8.of_int 63)); t.[2] <- (c14 \vadd64u256 c14); t.[1] <- (t.[1] `|` t.[2]); - d14 <- VPERMQ t.[1] - (W8.of_int (1 %% 2^2 + 2^2 * (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * 0)))); + d14 <- + (VPERMQ t.[1] + (W8.of_int + ((1 %% (2 ^ 2)) + + ((2 ^ 2) * + ((2 %% (2 ^ 2)) + ((2 ^ 2) * ((3 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); d00 <- (t.[1] `^` t.[4]); - d00 <- VPERMQ d00 - (W8.of_int (0 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 0)))); + d00 <- + (VPERMQ d00 + (W8.of_int + ((0 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * 
((0 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); c00 <- (c00 `^` state.[0]); c00 <- (c00 `^` t.[0]); t.[0] <- (c00 \vshr64u256 (W8.of_int 63)); 
@@ -5443,350 +5968,625 @@ module M(SC:Syscall_t) = { t.[1] <- (t.[1] `|` t.[0]); state.[2] <- (state.[2] `^` d00); state.[0] <- (state.[0] `^` d00); - d14 <- VPBLEND_8u32 d14 t.[1] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[4] <- VPBLEND_8u32 t.[4] c00 - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); + d14 <- + (VPBLEND_8u32 d14 t.[1] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[4] <- + (VPBLEND_8u32 t.[4] c00 + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); d14 <- (d14 `^` t.[4]); - t.[3] <- VPSLLV_4u64 state.[2] rhotates_left_p.[0]; - state.[2] <- VPSRLV_4u64 state.[2] rhotates_right_p.[0]; + t.[3] <- (VPSLLV_4u64 state.[2] rhotates_left_p.[0]); + state.[2] <- (VPSRLV_4u64 state.[2] rhotates_right_p.[0]); state.[2] <- (state.[2] `|` t.[3]); state.[3] <- (state.[3] `^` d14); - t.[4] <- VPSLLV_4u64 state.[3] rhotates_left_p.[2]; - state.[3] <- VPSRLV_4u64 state.[3] rhotates_right_p.[2]; + t.[4] <- (VPSLLV_4u64 state.[3] rhotates_left_p.[2]); + state.[3] <- (VPSRLV_4u64 state.[3] rhotates_right_p.[2]); state.[3] <- (state.[3] `|` t.[4]); state.[4] <- (state.[4] `^` d14); - t.[5] <- VPSLLV_4u64 state.[4] rhotates_left_p.[3]; - state.[4] <- VPSRLV_4u64 state.[4] rhotates_right_p.[3]; + t.[5] <- (VPSLLV_4u64 state.[4] rhotates_left_p.[3]); + state.[4] <- (VPSRLV_4u64 state.[4] rhotates_right_p.[3]); state.[4] <- 
(state.[4] `|` t.[5]); state.[5] <- (state.[5] `^` d14); - t.[6] <- VPSLLV_4u64 state.[5] rhotates_left_p.[4]; - state.[5] <- VPSRLV_4u64 state.[5] rhotates_right_p.[4]; + t.[6] <- (VPSLLV_4u64 state.[5] rhotates_left_p.[4]); + state.[5] <- (VPSRLV_4u64 state.[5] rhotates_right_p.[4]); state.[5] <- (state.[5] `|` t.[6]); state.[6] <- (state.[6] `^` d14); - t.[3] <- VPERMQ state.[2] - (W8.of_int (1 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 2)))); - t.[4] <- VPERMQ state.[3] - (W8.of_int (1 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 2)))); - t.[7] <- VPSLLV_4u64 state.[6] rhotates_left_p.[5]; - t.[1] <- VPSRLV_4u64 state.[6] rhotates_right_p.[5]; + t.[3] <- + (VPERMQ state.[2] + (W8.of_int + ((1 %% (2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); + t.[4] <- + (VPERMQ state.[3] + (W8.of_int + ((1 %% (2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); + t.[7] <- (VPSLLV_4u64 state.[6] rhotates_left_p.[5]); + t.[1] <- (VPSRLV_4u64 state.[6] rhotates_right_p.[5]); t.[1] <- (t.[1] `|` t.[7]); state.[1] <- (state.[1] `^` d14); - t.[5] <- VPERMQ state.[4] - (W8.of_int (3 %% 2^2 + 2^2 * (2 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 0)))); - t.[6] <- VPERMQ state.[5] - (W8.of_int (2 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * 1)))); - t.[8] <- VPSLLV_4u64 state.[1] rhotates_left_p.[1]; - t.[2] <- VPSRLV_4u64 state.[1] rhotates_right_p.[1]; + t.[5] <- + (VPERMQ state.[4] + (W8.of_int + ((3 %% (2 ^ 2)) + + ((2 ^ 2) * + ((2 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + t.[6] <- + (VPERMQ state.[5] + (W8.of_int + ((2 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((3 %% (2 ^ 2)) + ((2 ^ 2) * 1)))))))); + t.[8] <- (VPSLLV_4u64 state.[1] rhotates_left_p.[1]); + t.[2] <- (VPSRLV_4u64 state.[1] rhotates_right_p.[1]); t.[2] <- (t.[2] `|` t.[8]); - t.[7] <- VPSRLDQ_256 t.[1] (W8.of_int 8); + t.[7] <- (VPSRLDQ_256 t.[1] (W8.of_int 8)); t.[0] <- ((invw 
t.[1]) `&` t.[7]); - state.[3] <- VPBLEND_8u32 t.[2] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[8] <- VPBLEND_8u32 t.[4] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[5] <- VPBLEND_8u32 t.[3] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[2] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[3] <- VPBLEND_8u32 state.[3] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[8] <- VPBLEND_8u32 t.[8] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[5] <- VPBLEND_8u32 state.[5] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[3] <- VPBLEND_8u32 state.[3] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[8] <- VPBLEND_8u32 t.[8] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 
* (1 %% 2^1 + 2^1 * 1)))))))); - state.[5] <- VPBLEND_8u32 state.[5] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + state.[3] <- + (VPBLEND_8u32 t.[2] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[4] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[5] <- + (VPBLEND_8u32 t.[3] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[2] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[3] <- + (VPBLEND_8u32 state.[3] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[8] t.[5] + (W8.of_int + 
((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[5] <- + (VPBLEND_8u32 state.[5] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[3] <- + (VPBLEND_8u32 state.[3] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[8] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + state.[5] <- + (VPBLEND_8u32 state.[5] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) 
+ ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[3] <- ((invw state.[3]) `&` t.[8]); state.[5] <- ((invw state.[5]) `&` t.[7]); - state.[6] <- VPBLEND_8u32 t.[5] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[8] <- VPBLEND_8u32 t.[3] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); + state.[6] <- + (VPBLEND_8u32 t.[5] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[3] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); state.[3] <- (state.[3] `^` t.[3]); - state.[6] <- VPBLEND_8u32 state.[6] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[8] <- VPBLEND_8u32 t.[8] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); + state.[6] <- + (VPBLEND_8u32 state.[6] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[8] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 
1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); state.[5] <- (state.[5] `^` t.[5]); - state.[6] <- VPBLEND_8u32 state.[6] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[8] <- VPBLEND_8u32 t.[8] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + state.[6] <- + (VPBLEND_8u32 state.[6] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[8] <- + (VPBLEND_8u32 t.[8] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[6] <- ((invw state.[6]) `&` t.[8]); state.[6] <- (state.[6] `^` t.[6]); - state.[4] <- VPERMQ t.[1] - (W8.of_int (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 0)))); - t.[8] <- VPBLEND_8u32 state.[4] state.[0] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[1] <- VPERMQ t.[1] - (W8.of_int (1 %% 2^2 + 2^2 * (2 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * 0)))); - state.[1] <- VPBLEND_8u32 state.[1] state.[0] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + state.[4] <- + (VPERMQ t.[1] + (W8.of_int + ((2 %% 
(2 ^ 2)) + + ((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + t.[8] <- + (VPBLEND_8u32 state.[4] state.[0] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[1] <- + (VPERMQ t.[1] + (W8.of_int + ((1 %% (2 ^ 2)) + + ((2 ^ 2) * + ((2 %% (2 ^ 2)) + ((2 ^ 2) * ((3 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + state.[1] <- + (VPBLEND_8u32 state.[1] state.[0] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[1] <- ((invw state.[1]) `&` t.[8]); - state.[2] <- VPBLEND_8u32 t.[4] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[6] t.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[2] <- VPBLEND_8u32 state.[2] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[2] <- VPBLEND_8u32 state.[2] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 
2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + state.[2] <- + (VPBLEND_8u32 t.[4] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[6] t.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[2] <- + (VPBLEND_8u32 state.[2] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[2] <- + (VPBLEND_8u32 state.[2] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[2] <- ((invw state.[2]) `&` t.[7]); state.[2] <- (state.[2] `^` 
t.[2]); - t.[0] <- VPERMQ t.[0] - (W8.of_int (0 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 0)))); - state.[3] <- VPERMQ state.[3] - (W8.of_int (3 %% 2^2 + 2^2 * (2 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 0)))); - state.[5] <- VPERMQ state.[5] - (W8.of_int (1 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * 2)))); - state.[6] <- VPERMQ state.[6] - (W8.of_int (2 %% 2^2 + 2^2 * (0 %% 2^2 + 2^2 * (3 %% 2^2 + 2^2 * 1)))); - state.[4] <- VPBLEND_8u32 t.[6] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[5] t.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[4] <- VPBLEND_8u32 state.[4] t.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + 2^1 * 0)))))))); - state.[4] <- VPBLEND_8u32 state.[4] t.[2] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t.[7] <- VPBLEND_8u32 t.[7] t.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + t.[0] <- + (VPERMQ t.[0] + (W8.of_int + ((0 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + state.[3] <- + (VPERMQ state.[3] + (W8.of_int + ((3 %% (2 ^ 2)) + + ((2 ^ 2) * + ((2 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 0)))))))); + state.[5] <- + (VPERMQ state.[5] + (W8.of_int + ((1 %% (2 ^ 2)) + + 
((2 ^ 2) * + ((3 %% (2 ^ 2)) + ((2 ^ 2) * ((0 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); + state.[6] <- + (VPERMQ state.[6] + (W8.of_int + ((2 %% (2 ^ 2)) + + ((2 ^ 2) * + ((0 %% (2 ^ 2)) + ((2 ^ 2) * ((3 %% (2 ^ 2)) + ((2 ^ 2) * 1)))))))); + state.[4] <- + (VPBLEND_8u32 t.[6] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[5] t.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[4] <- + (VPBLEND_8u32 state.[4] t.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((0 %% (2 ^ 1)) + ((2 ^ 1) * 0)))))))))))))) + )); + state.[4] <- + (VPBLEND_8u32 state.[4] t.[2] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t.[7] <- + (VPBLEND_8u32 t.[7] t.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * 
((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); state.[4] <- ((invw state.[4]) `&` t.[7]); state.[0] <- (state.[0] `^` t.[0]); state.[1] <- (state.[1] `^` t.[1]); state.[4] <- (state.[4] `^` t.[4]); state.[0] <- - (state.[0] `^` (get256_direct - (WArray768.init256 (fun i => (iotas_p).[i])) - (W64.to_uint iotas_o))); + (state.[0] `^` + (get256_direct (WArray768.init256 (fun i => iotas_p.[i])) + (W64.to_uint iotas_o))); iotas_o <- (iotas_o + (W64.of_int 32)); - ( _0, _1, _2, zf, r) <- DEC_64 r; + ( _0, _1, _2, zf, r) <- (DEC_64 r); } - return (state); + return state; } - - proc comp_u64_l_int_and_u64_l_int (a:W64.t, b:int, c:W64.t, d:int) : - bool = { - + proc comp_u64_l_int_and_u64_l_int (a:W64.t, b:int, c:W64.t, d:int) : bool = { var c3:bool; var _of_:bool; var _cf_:bool; 
@@ -5799,45 +6599,39 @@ module M(SC:Syscall_t) = { var _0:bool; var _1:bool; var _2:bool; - - (_of_, _cf_, _sf_, _0, _zf_) <- CMP_64 a (W64.of_int b); + (_of_, _cf_, _sf_, _0, _zf_) <- (CMP_64 a (W64.of_int b)); c1 <- (_uLT _of_ _cf_ _sf_ _zf_); - bc1 <- SETcc c1; - (_of_, _cf_, _sf_, _1, _zf_) <- CMP_64 c (W64.of_int d); + bc1 <- (SETcc c1); + (_of_, _cf_, _sf_, _1, _zf_) <- (CMP_64 c (W64.of_int d)); c2 <- (_uLT _of_ _cf_ _sf_ _zf_); - bc2 <- SETcc c2; - (_of_, _cf_, _sf_, _2, _zf_) <- TEST_8 bc1 bc2; + bc2 <- (SETcc c2); + (_of_, _cf_, _sf_, _2, _zf_) <- (TEST_8 bc1 bc2); c3 <- (_NEQ _of_ _cf_ _sf_ _zf_); - return (c3); + return c3; } - proc _4u64x4_u256x4 (y0:W256.t, y1:W256.t, y2:W256.t, y3:W256.t) : W256.t * W256.t * W256.t * W256.t = { - var x0:W256.t; var x1:W256.t; var x2:W256.t; var x3:W256.t; - - x0 <- VPERM2I128 y0 y2 (W8.of_int 32); - x1 <- VPERM2I128 y1 y3 (W8.of_int 32); - x2 <- VPERM2I128 y0 y2 (W8.of_int 49); - x3 <- VPERM2I128 y1 y3 (W8.of_int 49); - y0 <- VPUNPCKL_4u64 x0 x1; - y1 <- VPUNPCKH_4u64 x0 x1; - y2 <- VPUNPCKL_4u64 x2 x3; - y3 <- VPUNPCKH_4u64 x2 x3; + x0 <- (VPERM2I128 y0 y2 (W8.of_int 32)); + x1 <- (VPERM2I128 y1 y3 (W8.of_int 32)); + x2 <- (VPERM2I128 y0 y2 (W8.of_int 49)); + x3 <- (VPERM2I128 y1 y3 (W8.of_int 49)); + y0 <- (VPUNPCKL_4u64 x0 x1); + y1 <- (VPUNPCKH_4u64 x0 x1); + y2 <- (VPUNPCKL_4u64 x2 x3); + y3 <- (VPUNPCKH_4u64 x2 x3); return (y0, y1, y2, y3); } - proc __st4x_unpack_at (buf0:W8.t Array536.t, buf1:W8.t Array536.t, buf2:W8.t Array536.t, buf3:W8.t Array536.t, st4x:W256.t Array25.t, offset:W64.t) : W8.t Array536.t * W8.t Array536.t * W8.t Array536.t * W8.t Array536.t = { - var aux: int; - + var aux:int; var i:int; var x0:W256.t; var x1:W256.t; 
@@ -5847,53 +6641,62 @@ module M(SC:Syscall_t) = { var t1:W64.t; var t2:W64.t; var t3:W64.t; - i <- 0; - while (i < 6) { + while ((i < 6)) { x0 <- st4x.[((4 * i) + 0)]; x1 <- st4x.[((4 * i) + 1)]; x2 <- st4x.[((4 * i) + 2)]; x3 <- st4x.[((4 * i) + 3)]; (x0, x1, x2, x3) <@ _4u64x4_u256x4 (x0, x1, x2, x3); buf0 <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i_0 => (buf0).[i_0])) (W64.to_uint (offset + (W64.of_int ((4 * 8) * i)))) (x0))); + (Array536.init + (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i_0 => buf0.[i_0])) + (W64.to_uint (offset + (W64.of_int ((4 * 8) * i)))) x0))); buf1 <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i_0 => (buf1).[i_0])) (W64.to_uint (offset + (W64.of_int ((4 * 8) * i)))) (x1))); + (Array536.init + (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i_0 => buf1.[i_0])) + (W64.to_uint (offset + (W64.of_int ((4 * 8) * i)))) x1))); buf2 <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i_0 => (buf2).[i_0])) (W64.to_uint (offset + (W64.of_int ((4 * 8) * i)))) (x2))); + (Array536.init + (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i_0 => buf2.[i_0])) + (W64.to_uint (offset + (W64.of_int ((4 * 8) * i)))) x2))); buf3 <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i_0 => (buf3).[i_0])) (W64.to_uint (offset + (W64.of_int ((4 * 8) * i)))) (x3))); - i <- i + 1; + (Array536.init + (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i_0 => buf3.[i_0])) + (W64.to_uint (offset + (W64.of_int ((4 * 8) * i)))) x3))); + i <- (i + 1); } - t0 <- - (get64 (WArray800.init256 (fun i_0 => (st4x).[i_0])) ((4 * 24) + 0)); - t1 <- - (get64 (WArray800.init256 (fun i_0 => (st4x).[i_0])) ((4 * 24) + 1)); - t2 <- - (get64 (WArray800.init256 (fun i_0 => (st4x).[i_0])) ((4 * 24) + 2)); - t3 <- - (get64 (WArray800.init256 (fun i_0 => (st4x).[i_0])) ((4 * 24) + 
3)); + t0 <- (get64 (WArray800.init256 (fun i_0 => st4x.[i_0])) ((4 * 24) + 0)); + t1 <- (get64 (WArray800.init256 (fun i_0 => st4x.[i_0])) ((4 * 24) + 1)); + t2 <- (get64 (WArray800.init256 (fun i_0 => st4x.[i_0])) ((4 * 24) + 2)); + t3 <- (get64 (WArray800.init256 (fun i_0 => st4x.[i_0])) ((4 * 24) + 3)); buf0 <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i_0 => (buf0).[i_0])) (W64.to_uint (offset + (W64.of_int (8 * 24)))) (t0))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i_0 => buf0.[i_0])) + (W64.to_uint (offset + (W64.of_int (8 * 24)))) t0))); buf1 <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i_0 => (buf1).[i_0])) (W64.to_uint (offset + (W64.of_int (8 * 24)))) (t1))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i_0 => buf1.[i_0])) + (W64.to_uint (offset + (W64.of_int (8 * 24)))) t1))); buf2 <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i_0 => (buf2).[i_0])) (W64.to_uint (offset + (W64.of_int (8 * 24)))) (t2))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i_0 => buf2.[i_0])) + (W64.to_uint (offset + (W64.of_int (8 * 24)))) t2))); buf3 <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i_0 => (buf3).[i_0])) (W64.to_uint (offset + (W64.of_int (8 * 24)))) (t3))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i_0 => buf3.[i_0])) + (W64.to_uint (offset + (W64.of_int (8 * 24)))) t3))); return (buf0, buf1, buf2, buf3); } - proc __stavx2_pack_at (st:W8.t Array536.t, offset:W64.t) : W256.t Array7.t = { - var state:W256.t Array7.t; var t128_0:W128.t; var t128_1:W128.t; 
@@ -5903,118 +6706,174 @@ module M(SC:Syscall_t) = { var t256_2:W256.t; state <- witness; state.[0] <- - VPBROADCAST_4u64 (get64_direct (WArray536.init8 (fun i => (st).[i])) - (W64.to_uint ((W64.of_int (8 * 0)) + offset))); + (VPBROADCAST_4u64 + (get64_direct (WArray536.init8 (fun i => st.[i])) + (W64.to_uint ((W64.of_int (8 * 0)) + offset)))); state.[1] <- - (get256_direct (WArray536.init8 (fun i => (st).[i])) + (get256_direct (WArray536.init8 (fun i => st.[i])) (W64.to_uint ((W64.of_int (1 * 8)) + offset))); t128_0 <- - VMOV_64 (get64_direct (WArray536.init8 (fun i => (st).[i])) - (W64.to_uint ((W64.of_int (5 * 8)) + offset))); + (VMOV_64 + (get64_direct (WArray536.init8 (fun i => st.[i])) + (W64.to_uint ((W64.of_int (5 * 8)) + offset)))); state.[3] <- - (get256_direct (WArray536.init8 (fun i => (st).[i])) + (get256_direct (WArray536.init8 (fun i => st.[i])) (W64.to_uint ((W64.of_int (6 * 8)) + offset))); t128_1 <- - VMOV_64 (get64_direct (WArray536.init8 (fun i => (st).[i])) - (W64.to_uint ((W64.of_int (10 * 8)) + offset))); + (VMOV_64 + (get64_direct (WArray536.init8 (fun i => st.[i])) + (W64.to_uint ((W64.of_int (10 * 8)) + offset)))); state.[4] <- - (get256_direct (WArray536.init8 (fun i => (st).[i])) + (get256_direct (WArray536.init8 (fun i => st.[i])) (W64.to_uint ((W64.of_int (11 * 8)) + offset))); r <- - (get64_direct (WArray536.init8 (fun i => (st).[i])) + (get64_direct (WArray536.init8 (fun i => st.[i])) (W64.to_uint ((W64.of_int (15 * 8)) + offset))); - t128_0 <- VPINSR_2u64 t128_0 r (W8.of_int 1); + t128_0 <- (VPINSR_2u64 t128_0 r (W8.of_int 1)); state.[5] <- - (get256_direct (WArray536.init8 (fun i => (st).[i])) + (get256_direct (WArray536.init8 (fun i => st.[i])) (W64.to_uint ((W64.of_int (16 * 8)) + offset))); r <- - (get64_direct (WArray536.init8 (fun i => (st).[i])) + (get64_direct (WArray536.init8 (fun i => st.[i])) (W64.to_uint ((W64.of_int (20 * 8)) + offset))); - t128_1 <- VPINSR_2u64 t128_1 r (W8.of_int 1); + t128_1 <- (VPINSR_2u64 t128_1 r 
(W8.of_int 1)); state.[2] <- - (W256.of_int ((W128.to_uint t128_1) %% 2^128 + - 2^128 * (W128.to_uint t128_0))); + (W256.of_int + (((W128.to_uint t128_1) %% (2 ^ 128)) + + ((2 ^ 128) * (W128.to_uint t128_0)))); state.[6] <- - (get256_direct (WArray536.init8 (fun i => (st).[i])) + (get256_direct (WArray536.init8 (fun i => st.[i])) (W64.to_uint ((W64.of_int (21 * 8)) + offset))); - t256_0 <- VPBLEND_8u32 state.[3] state.[5] - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t256_1 <- VPBLEND_8u32 state.[6] state.[4] - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t256_2 <- VPBLEND_8u32 state.[4] state.[3] - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - state.[3] <- VPBLEND_8u32 t256_0 t256_1 - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - state.[4] <- VPBLEND_8u32 t256_1 t256_0 - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t256_0 <- VPBLEND_8u32 state.[5] state.[6] - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - state.[5] <- VPBLEND_8u32 t256_0 t256_2 - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - state.[6] <- VPBLEND_8u32 t256_2 t256_0 - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 
%% 2^1 + 2^1 * 1)))))))); - return (state); - } - + t256_0 <- + (VPBLEND_8u32 state.[3] state.[5] + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t256_1 <- + (VPBLEND_8u32 state.[6] state.[4] + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t256_2 <- + (VPBLEND_8u32 state.[4] state.[3] + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + state.[3] <- + (VPBLEND_8u32 t256_0 t256_1 + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + state.[4] <- + (VPBLEND_8u32 t256_1 t256_0 + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t256_0 <- + (VPBLEND_8u32 state.[5] state.[6] + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + state.[5] <- + (VPBLEND_8u32 t256_0 t256_2 + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 
1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + state.[6] <- + (VPBLEND_8u32 t256_2 t256_0 + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + return state; + } proc _stavx2_pack_at (st:W8.t Array536.t, offset:W64.t) : W256.t Array7.t = { - var stavx2:W256.t Array7.t; stavx2 <- witness; stavx2 <@ __stavx2_pack_at (st, offset); - return (stavx2); + return stavx2; } - proc __stavx2_unpack_at (buf:W8.t Array536.t, offset:W64.t, state:W256.t Array7.t) : W8.t Array536.t = { - var t128_0:W128.t; var t256_0:W256.t; var t256_1:W256.t; 
@@ -6022,120 +6881,189 @@ module M(SC:Syscall_t) = { var t256_3:W256.t; var t128_1:W128.t; var t256_4:W256.t; - t128_0 <- (truncateu128 state.[0]); buf <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (0 * 8)) + offset)) (VMOVLPD t128_0))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (0 * 8)) + offset)) (VMOVLPD t128_0)))); buf <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (1 * 8)) + offset)) ( - state.[1]))); - t256_0 <- VPBLEND_8u32 state.[3] state.[4] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t256_1 <- VPBLEND_8u32 state.[4] state.[3] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t256_2 <- VPBLEND_8u32 state.[5] state.[6] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t256_3 <- VPBLEND_8u32 state.[6] state.[5] - (W8.of_int (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); - t128_1 <- VEXTRACTI128 state.[2] (W8.of_int 1); + (Array536.init + (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (1 * 8)) + offset)) state.[1]))); + t256_0 <- + (VPBLEND_8u32 state.[3] state.[4] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + 
)); + t256_1 <- + (VPBLEND_8u32 state.[4] state.[3] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t256_2 <- + (VPBLEND_8u32 state.[5] state.[6] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t256_3 <- + (VPBLEND_8u32 state.[6] state.[5] + (W8.of_int + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); + t128_1 <- (VEXTRACTI128 state.[2] (W8.of_int 1)); buf <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (5 * 8)) + offset)) (VMOVLPD t128_1))); - t256_4 <- VPBLEND_8u32 t256_0 t256_3 - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (5 * 8)) + offset)) (VMOVLPD t128_1)))); + t256_4 <- + (VPBLEND_8u32 t256_0 t256_3 + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); buf <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (6 * 8)) + offset)) (t256_4))); + (Array536.init 
+ (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (6 * 8)) + offset)) t256_4))); t128_0 <- (truncateu128 state.[2]); buf <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (10 * 8)) + offset)) (VMOVLPD t128_0))); - t256_4 <- VPBLEND_8u32 t256_3 t256_1 - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (10 * 8)) + offset)) (VMOVLPD t128_0)))); + t256_4 <- + (VPBLEND_8u32 t256_3 t256_1 + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); buf <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (11 * 8)) + offset)) (t256_4))); + (Array536.init + (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (11 * 8)) + offset)) t256_4))); buf <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (15 * 8)) + offset)) (VMOVHPD t128_1))); - t256_4 <- VPBLEND_8u32 t256_2 t256_0 - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (15 * 8)) + offset)) (VMOVHPD t128_1)))); + t256_4 <- + (VPBLEND_8u32 t256_2 t256_0 + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 
1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); buf <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (16 * 8)) + offset)) (t256_4))); + (Array536.init + (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (16 * 8)) + offset)) t256_4))); buf <- - Array536.init - (WArray536.get8 (WArray536.set64_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (20 * 8)) + offset)) (VMOVHPD t128_0))); - t256_4 <- VPBLEND_8u32 t256_1 t256_2 - (W8.of_int (1 %% 2^1 + - 2^1 * (1 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (0 %% 2^1 + - 2^1 * (1 %% 2^1 + 2^1 * 1)))))))); + (Array536.init + (WArray536.get8 + (WArray536.set64_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (20 * 8)) + offset)) (VMOVHPD t128_0)))); + t256_4 <- + (VPBLEND_8u32 t256_1 t256_2 + (W8.of_int + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((1 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + + ((2 ^ 1) * + ((0 %% (2 ^ 1)) + ((2 ^ 1) * ((1 %% (2 ^ 1)) + ((2 ^ 1) * 1)))))))))))))) + )); buf <- - Array536.init - (WArray536.get8 (WArray536.set256_direct (WArray536.init8 (fun i => (buf).[i])) (W64.to_uint ((W64.of_int (21 * 8)) + offset)) (t256_4))); - return (buf); + (Array536.init + (WArray536.get8 + (WArray536.set256_direct (WArray536.init8 (fun i => buf.[i])) + (W64.to_uint ((W64.of_int (21 * 8)) + offset)) t256_4))); + return buf; } - proc _stavx2_unpack_at (buf:W8.t Array536.t, offset:W64.t, state:W256.t Array7.t) : W8.t Array536.t = { - - buf <@ __stavx2_unpack_at (buf, offset, state); - return (buf); + return buf; } - proc xof_init_x4 (rho:W8.t Array32.t, indexes:W16.t Array4.t) : W256.t Array25.t = { - var aux: int; 
- + var aux:int; var state:W256.t Array25.t; var i:int; var t:W256.t; @@ -6144,38 +7072,37 @@ module M(SC:Syscall_t) = { state <- witness; temp <- witness; i <- 0; - while (i < 4) { + while ((i < 4)) { t <- - VPBROADCAST_4u64 (get64 (WArray32.init8 (fun i_0 => (rho).[i_0])) i); + (VPBROADCAST_4u64 (get64 (WArray32.init8 (fun i_0 => rho.[i_0])) i)); state.[i] <- t; - i <- i + 1; + i <- (i + 1); } i <- 0; - while (i < 4) { + while ((i < 4)) { r <- (zeroextu64 indexes.[i]); r <- (r `|` (W64.of_int 2031616)); temp <- - Array1.init - (WArray32.get256 (WArray32.set64 (WArray32.init256 (fun i_0 => (temp).[i_0])) i (r))); - i <- i + 1; + (Array1.init + (WArray32.get256 + (WArray32.set64 (WArray32.init256 (fun i_0 => temp.[i_0])) i r))); + i <- (i + 1); } t <- temp.[0]; state.[4] <- t; - t <- set0_256 ; + t <- (set0_256); i <- 5; - while (i < 25) { + while ((i < 25)) { state.[i] <- t; - i <- i + 1; + i <- (i + 1); } t <- rATE_BIT_x4.[0]; t <- (t `^` state.[20]); state.[20] <- t; - return (state); + return state; } - proc xof_init_avx2 (rho:W8.t Array32.t, index:W16.t) : W256.t Array7.t = { - var aux: int; - + var aux:int; var state:W256.t Array7.t; var r:W64.t; var temp:W256.t Array1.t; 
@@ -6185,37 +7112,40 @@ module M(SC:Syscall_t) = { state <- witness; temp <- witness; state.[0] <- - VPBROADCAST_4u64 (get64 (WArray32.init8 (fun i_0 => (rho).[i_0])) 0); - r <- (get64 (WArray32.init8 (fun i_0 => (rho).[i_0])) 1); + (VPBROADCAST_4u64 (get64 (WArray32.init8 (fun i_0 => rho.[i_0])) 0)); + r <- (get64 (WArray32.init8 (fun i_0 => rho.[i_0])) 1); temp <- - Array1.init - (WArray32.get256 (WArray32.set64 (WArray32.init256 (fun i_0 => (temp).[i_0])) 0 (r))); - r <- (get64 (WArray32.init8 (fun i_0 => (rho).[i_0])) 2); + (Array1.init + (WArray32.get256 + (WArray32.set64 (WArray32.init256 (fun i_0 => temp.[i_0])) 0 r))); + r <- (get64 (WArray32.init8 (fun i_0 => rho.[i_0])) 2); temp <- - Array1.init - (WArray32.get256 (WArray32.set64 (WArray32.init256 (fun i_0 => (temp).[i_0])) 1 (r))); - r <- (get64 (WArray32.init8 (fun i_0 => (rho).[i_0])) 3); + (Array1.init + (WArray32.get256 + (WArray32.set64 (WArray32.init256 (fun i_0 => temp.[i_0])) 1 r))); + r <- (get64 (WArray32.init8 (fun i_0 => rho.[i_0])) 3); temp <- - Array1.init - (WArray32.get256 (WArray32.set64 (WArray32.init256 (fun i_0 => (temp).[i_0])) 2 (r))); + (Array1.init + (WArray32.get256 + (WArray32.set64 (WArray32.init256 (fun i_0 => temp.[i_0])) 2 r))); r <- (zeroextu64 index); r <- (r `|` (W64.of_int 2031616)); temp <- - Array1.init - (WArray32.get256 (WArray32.set64 (WArray32.init256 (fun i_0 => (temp).[i_0])) 3 (r))); + (Array1.init + (WArray32.get256 + (WArray32.set64 (WArray32.init256 (fun i_0 => temp.[i_0])) 3 r))); state.[1] <- temp.[0]; - t <- set0_256 ; + t <- (set0_256); t128 <- (truncateu128 t); r <- (W64.of_int 9223372036854775808); - state.[2] <- zeroextu256(VPINSR_2u64 t128 r (W8.of_int 1)); + state.[2] <- (zeroextu256 (VPINSR_2u64 t128 r (W8.of_int 1))); i <- 3; - while (i < 7) { + while ((i < 7)) { state.[i] <- t; - i <- i + 1; + i <- (i + 1); } - return (state); + return state; } - proc __gen_matrix_buf_rejection_filter48 (pol:W16.t Array256.t, counter:W64.t, buf:W8.t Array536.t, 
@@ -6225,7 +7155,6 @@ module M(SC:Syscall_t) = { sst:W8.t Array2048.t, ones:W256.t, ms:W64.t) : W16.t Array256.t * W64.t = { - var f0:W256.t; var f1:W256.t; var g0:W256.t; 
@@ -6248,140 +7177,159 @@ module M(SC:Syscall_t) = { var _1:bool; var _2:bool; var _3:bool; - f0 <- - VPERMQ (get256_direct (WArray536.init8 (fun i => (buf).[i])) - ((W64.to_uint buf_offset) + 0)) - (W8.of_int (0 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 2)))); + (VPERMQ + (get256_direct (WArray536.init8 (fun i => buf.[i])) + ((W64.to_uint buf_offset) + 0)) + (W8.of_int + ((0 %% (2 ^ 2)) + + ((2 ^ 2) * + ((1 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); f1 <- - VPERMQ (get256_direct (WArray536.init8 (fun i => (buf).[i])) - ((W64.to_uint buf_offset) + 24)) - (W8.of_int (0 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 2)))); - f0 <- VPSHUFB_256 f0 load_shuffle; - f1 <- VPSHUFB_256 f1 load_shuffle; - g0 <- VPSRL_16u16 f0 (W8.of_int 4); - g1 <- VPSRL_16u16 f1 (W8.of_int 4); - f0 <- VPBLEND_16u16 f0 g0 (W8.of_int 170); - f1 <- VPBLEND_16u16 f1 g1 (W8.of_int 170); - f0 <- VPAND_256 f0 mask; - f1 <- VPAND_256 f1 mask; - g0 <- VPCMPGT_16u16 bounds f0; - g1 <- VPCMPGT_16u16 bounds f1; - g0 <- VPACKSS_16u16 g0 g1; - good <- VPMOVMSKB_u256u64 g0; - good <- protect_64 good ms; + (VPERMQ + (get256_direct (WArray536.init8 (fun i => buf.[i])) + ((W64.to_uint buf_offset) + 24)) + (W8.of_int + ((0 %% (2 ^ 2)) + + ((2 ^ 2) * + ((1 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); + f0 <- (VPSHUFB_256 f0 load_shuffle); + f1 <- (VPSHUFB_256 f1 load_shuffle); + g0 <- (VPSRL_16u16 f0 (W8.of_int 4)); + g1 <- (VPSRL_16u16 f1 (W8.of_int 4)); + f0 <- (VPBLEND_16u16 f0 g0 (W8.of_int 170)); + f1 <- (VPBLEND_16u16 f1 g1 (W8.of_int 170)); + f0 <- (VPAND_256 f0 mask); + f1 <- (VPAND_256 f1 mask); + g0 <- (VPCMPGT_16u16 bounds f0); + g1 <- (VPCMPGT_16u16 bounds f1); + g0 <- (VPACKSS_16u16 g0 g1); + good <- (VPMOVMSKB_u256u64 g0); + good <- (protect_64 good ms); t0_0 <- good; t0_0 <- (t0_0 `&` (W64.of_int 255)); shuffle_0 <- - zeroextu256(VMOV_64 (get64 (WArray2048.init8 (fun i => (sst).[i])) - (W64.to_uint t0_0))); - (_of_, _cf_, _sf_, _0, _zf_, 
t0_0) <- POPCNT_64 t0_0; + (zeroextu256 + (VMOV_64 (get64 (WArray2048.init8 (fun i => sst.[i])) (W64.to_uint t0_0)) + )); + (_of_, _cf_, _sf_, _0, _zf_, t0_0) <- (POPCNT_64 t0_0); t0_0 <- (t0_0 + counter); t0_1 <- good; t0_1 <- (t0_1 `>>` (W8.of_int 16)); t0_1 <- (t0_1 `&` (W64.of_int 255)); shuffle_0_1 <- - VMOV_64 (get64 (WArray2048.init8 (fun i => (sst).[i])) - (W64.to_uint t0_1)); - (_of_, _cf_, _sf_, _1, _zf_, t0_1) <- POPCNT_64 t0_1; + (VMOV_64 (get64 (WArray2048.init8 (fun i => sst.[i])) (W64.to_uint t0_1)) + ); + (_of_, _cf_, _sf_, _1, _zf_, t0_1) <- (POPCNT_64 t0_1); t0_1 <- (t0_1 + t0_0); t1_0 <- good; t1_0 <- (t1_0 `>>` (W8.of_int 8)); t1_0 <- (t1_0 `&` (W64.of_int 255)); shuffle_1 <- - zeroextu256(VMOV_64 (get64 (WArray2048.init8 (fun i => (sst).[i])) - (W64.to_uint t1_0))); - (_of_, _cf_, _sf_, _2, _zf_, t1_0) <- POPCNT_64 t1_0; + (zeroextu256 + (VMOV_64 (get64 (WArray2048.init8 (fun i => sst.[i])) (W64.to_uint t1_0)) + )); + (_of_, _cf_, _sf_, _2, _zf_, t1_0) <- (POPCNT_64 t1_0); t1_0 <- (t1_0 + t0_1); t1_1 <- good; t1_1 <- (t1_1 `>>` (W8.of_int 24)); t1_1 <- (t1_1 `&` (W64.of_int 255)); shuffle_1_1 <- - VMOV_64 (get64 (WArray2048.init8 (fun i => (sst).[i])) - (W64.to_uint t1_1)); - (_of_, _cf_, _sf_, _3, _zf_, t1_1) <- POPCNT_64 t1_1; + (VMOV_64 (get64 (WArray2048.init8 (fun i => sst.[i])) (W64.to_uint t1_1)) + ); + (_of_, _cf_, _sf_, _3, _zf_, t1_1) <- (POPCNT_64 t1_1); t1_1 <- (t1_1 + t1_0); - shuffle_0 <- VINSERTI128 shuffle_0 shuffle_0_1 (W8.of_int 1); - shuffle_1 <- VINSERTI128 shuffle_1 shuffle_1_1 (W8.of_int 1); - shuffle_t <- VPADD_32u8 shuffle_0 ones; - shuffle_0 <- VPUNPCKL_32u8 shuffle_0 shuffle_t; - shuffle_t <- VPADD_32u8 shuffle_1 ones; - shuffle_1 <- VPUNPCKL_32u8 shuffle_1 shuffle_t; - f0 <- VPSHUFB_256 f0 shuffle_0; - f1 <- VPSHUFB_256 f1 shuffle_1; + shuffle_0 <- (VINSERTI128 shuffle_0 shuffle_0_1 (W8.of_int 1)); + shuffle_1 <- (VINSERTI128 shuffle_1 shuffle_1_1 (W8.of_int 1)); + shuffle_t <- (VPADD_32u8 shuffle_0 ones); + shuffle_0 
<- (VPUNPCKL_32u8 shuffle_0 shuffle_t); + shuffle_t <- (VPADD_32u8 shuffle_1 ones); + shuffle_1 <- (VPUNPCKL_32u8 shuffle_1 shuffle_t); + f0 <- (VPSHUFB_256 f0 shuffle_0); + f1 <- (VPSHUFB_256 f1 shuffle_1); pol <- - Array256.init - (WArray512.get16 (WArray512.set128_direct (WArray512.init16 (fun i => (pol).[i])) (W64.to_uint ((W64.of_int 2) * counter)) ((truncateu128 f0)))); + (Array256.init + (WArray512.get16 + (WArray512.set128_direct (WArray512.init16 (fun i => pol.[i])) + (W64.to_uint ((W64.of_int 2) * counter)) (truncateu128 f0)))); pol <- - Array256.init - (WArray512.get16 (WArray512.set128_direct (WArray512.init16 (fun i => (pol).[i])) (W64.to_uint ((W64.of_int 2) * t0_0)) (VEXTRACTI128 f0 - (W8.of_int 1)))); + (Array256.init + (WArray512.get16 + (WArray512.set128_direct (WArray512.init16 (fun i => pol.[i])) + (W64.to_uint ((W64.of_int 2) * t0_0)) (VEXTRACTI128 f0 (W8.of_int 1))))); pol <- - Array256.init - (WArray512.get16 (WArray512.set128_direct (WArray512.init16 (fun i => (pol).[i])) (W64.to_uint ((W64.of_int 2) * t0_1)) ((truncateu128 f1)))); + (Array256.init + (WArray512.get16 + (WArray512.set128_direct (WArray512.init16 (fun i => pol.[i])) + (W64.to_uint ((W64.of_int 2) * t0_1)) (truncateu128 f1)))); pol <- - Array256.init - (WArray512.get16 (WArray512.set128_direct (WArray512.init16 (fun i => (pol).[i])) (W64.to_uint ((W64.of_int 2) * t1_0)) (VEXTRACTI128 f1 - (W8.of_int 1)))); + (Array256.init + (WArray512.get16 + (WArray512.set128_direct (WArray512.init16 (fun i => pol.[i])) + (W64.to_uint ((W64.of_int 2) * t1_0)) (VEXTRACTI128 f1 (W8.of_int 1))))); counter <- t1_1; return (pol, counter); } - proc __write_u128_boundchk (pol:W16.t Array256.t, ctr:W64.t, data:W128.t, ms:W64.t) : W16.t Array256.t * W64.t * W64.t = { - var condition_8:bool; var data_u64:W64.t; var condition_4:bool; var condition_2:bool; var condition_1:bool; - condition_8 <- (ctr \ule (W64.of_int (256 - 8))); if (condition_8) { - ms <- update_msf condition_8 ms; + ms <- (update_msf 
condition_8 ms); pol <- - Array256.init - (WArray512.get16 (WArray512.set128_direct (WArray512.init16 (fun i => (pol).[i])) (2 * (W64.to_uint ctr)) (data))); + (Array256.init + (WArray512.get16 + (WArray512.set128_direct (WArray512.init16 (fun i => pol.[i])) + (2 * (W64.to_uint ctr)) data))); ctr <- (ctr + (W64.of_int 8)); } else { - ms <- update_msf (! condition_8) ms; - data_u64 <- MOVV_64 (truncateu64 data); + ms <- (update_msf (! condition_8) ms); + data_u64 <- (MOVV_64 (truncateu64 data)); condition_4 <- (ctr \ule (W64.of_int (256 - 4))); if (condition_4) { - ms <- update_msf condition_4 ms; + ms <- (update_msf condition_4 ms); pol <- - Array256.init - (WArray512.get16 (WArray512.set64_direct (WArray512.init16 (fun i => (pol).[i])) (2 * (W64.to_uint ctr)) (data_u64))); - data_u64 <- VPEXTR_64 data (W8.of_int 1); + (Array256.init + (WArray512.get16 + (WArray512.set64_direct (WArray512.init16 (fun i => pol.[i])) + (2 * (W64.to_uint ctr)) data_u64))); + data_u64 <- (VPEXTR_64 data (W8.of_int 1)); ctr <- (ctr + (W64.of_int 4)); } else { - ms <- update_msf (! condition_4) ms; + ms <- (update_msf (! condition_4) ms); } condition_2 <- (ctr \ule (W64.of_int (256 - 2))); if (condition_2) { - ms <- update_msf condition_2 ms; + ms <- (update_msf condition_2 ms); pol <- - Array256.init - (WArray512.get16 (WArray512.set32_direct (WArray512.init16 (fun i => (pol).[i])) (2 * (W64.to_uint ctr)) ((truncateu32 data_u64)))); + (Array256.init + (WArray512.get16 + (WArray512.set32_direct (WArray512.init16 (fun i => pol.[i])) + (2 * (W64.to_uint ctr)) (truncateu32 data_u64)))); data_u64 <- (data_u64 `>>` (W8.of_int 32)); ctr <- (ctr + (W64.of_int 2)); } else { - ms <- update_msf (! condition_2) ms; + ms <- (update_msf (! 
condition_2) ms); } condition_1 <- (ctr \ule (W64.of_int (256 - 1))); if (condition_1) { - ms <- update_msf condition_1 ms; + ms <- (update_msf condition_1 ms); pol <- - Array256.init - (WArray512.get16 (WArray512.set16_direct (WArray512.init16 (fun i => (pol).[i])) (2 * (W64.to_uint ctr)) ((truncateu16 data_u64)))); + (Array256.init + (WArray512.get16 + (WArray512.set16_direct (WArray512.init16 (fun i => pol.[i])) + (2 * (W64.to_uint ctr)) (truncateu16 data_u64)))); ctr <- (ctr + (W64.of_int 1)); } else { - ms <- update_msf (! condition_1) ms; + ms <- (update_msf (! condition_1) ms); } } return (pol, ctr, ms); } - proc __gen_matrix_buf_rejection_filter24 (pol:W16.t Array256.t, counter:W64.t, buf:W8.t Array536.t, @@ -6391,7 +7339,6 @@ module M(SC:Syscall_t) = { sst:W8.t Array2048.t, ones:W256.t, ms:W64.t) : W16.t Array256.t * W64.t * W64.t = { - var f0:W256.t; var g0:W256.t; var g1:W256.t; 
@@ -6408,51 +7355,53 @@ module M(SC:Syscall_t) = { var t128:W128.t; var _0:bool; var _1:bool; - f0 <- - VPERMQ (get256_direct (WArray536.init8 (fun i => (buf).[i])) - ((W64.to_uint buf_offset) + 0)) - (W8.of_int (0 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * (1 %% 2^2 + 2^2 * 2)))); - f0 <- VPSHUFB_256 f0 load_shuffle; - g0 <- VPSRL_16u16 f0 (W8.of_int 4); - f0 <- VPBLEND_16u16 f0 g0 (W8.of_int 170); - f0 <- VPAND_256 f0 mask; - g0 <- VPCMPGT_16u16 bounds f0; - g1 <- set0_256 ; - g0 <- VPACKSS_16u16 g0 g1; - good <- VPMOVMSKB_u256u64 g0; - good <- protect_64 good ms; + (VPERMQ + (get256_direct (WArray536.init8 (fun i => buf.[i])) + ((W64.to_uint buf_offset) + 0)) + (W8.of_int + ((0 %% (2 ^ 2)) + + ((2 ^ 2) * + ((1 %% (2 ^ 2)) + ((2 ^ 2) * ((1 %% (2 ^ 2)) + ((2 ^ 2) * 2)))))))); + f0 <- (VPSHUFB_256 f0 load_shuffle); + g0 <- (VPSRL_16u16 f0 (W8.of_int 4)); + f0 <- (VPBLEND_16u16 f0 g0 (W8.of_int 170)); + f0 <- (VPAND_256 f0 mask); + g0 <- (VPCMPGT_16u16 bounds f0); + g1 <- (set0_256); + g0 <- (VPACKSS_16u16 g0 g1); + good <- (VPMOVMSKB_u256u64 g0); + good <- (protect_64 good ms); t0_0 <- good; t0_0 <- (t0_0 `&` (W64.of_int 255)); shuffle_0 <- - zeroextu256(VMOV_64 (get64 (WArray2048.init8 (fun i => (sst).[i])) - (W64.to_uint t0_0))); - (_of_, _cf_, _sf_, _0, _zf_, t0_0) <- POPCNT_64 t0_0; + (zeroextu256 + (VMOV_64 (get64 (WArray2048.init8 (fun i => sst.[i])) (W64.to_uint t0_0)) + )); + (_of_, _cf_, _sf_, _0, _zf_, t0_0) <- (POPCNT_64 t0_0); t0_0 <- (t0_0 + counter); t0_1 <- good; t0_1 <- (t0_1 `>>` (W8.of_int 16)); t0_1 <- (t0_1 `&` (W64.of_int 255)); shuffle_0_1 <- - VMOV_64 (get64 (WArray2048.init8 (fun i => (sst).[i])) - (W64.to_uint t0_1)); - (_of_, _cf_, _sf_, _1, _zf_, t0_1) <- POPCNT_64 t0_1; + (VMOV_64 (get64 (WArray2048.init8 (fun i => sst.[i])) (W64.to_uint t0_1)) + ); + (_of_, _cf_, _sf_, _1, _zf_, t0_1) <- (POPCNT_64 t0_1); t0_1 <- (t0_1 + t0_0); - shuffle_0 <- VINSERTI128 shuffle_0 shuffle_0_1 (W8.of_int 1); - shuffle_t <- VPADD_32u8 shuffle_0 ones; - shuffle_0 <- 
VPUNPCKL_32u8 shuffle_0 shuffle_t; - f0 <- VPSHUFB_256 f0 shuffle_0; + shuffle_0 <- (VINSERTI128 shuffle_0 shuffle_0_1 (W8.of_int 1)); + shuffle_t <- (VPADD_32u8 shuffle_0 ones); + shuffle_0 <- (VPUNPCKL_32u8 shuffle_0 shuffle_t); + f0 <- (VPSHUFB_256 f0 shuffle_0); t128 <- (truncateu128 f0); (pol, counter, ms) <@ __write_u128_boundchk (pol, counter, t128, ms); - t128 <- VEXTRACTI128 f0 (W8.of_int 1); + t128 <- (VEXTRACTI128 f0 (W8.of_int 1)); (pol, counter, ms) <@ __write_u128_boundchk (pol, t0_0, t128, ms); counter <- t0_1; return (pol, counter, ms); } - proc _gen_matrix_buf_rejection (pol:W16.t Array256.t, counter:W64.t, buf:W8.t Array536.t, buf_offset:W64.t) : W16.t Array256.t * W64.t = { - var ms:W64.t; var load_shuffle:W256.t; var mask:W256.t; @@ -6461,9 +7410,9 @@ module M(SC:Syscall_t) = { var sst:W8.t Array2048.t; var condition_loop:bool; sst <- witness; - ms <- init_msf ; + ms <- (init_msf); load_shuffle <- - (get256 (WArray32.init8 (fun i => (sample_load_shuffle).[i])) 0); + (get256 (WArray32.init8 (fun i => sample_load_shuffle.[i])) 0); mask <- sample_mask; bounds <- sample_q; ones <- sample_ones; 
@@ -6472,29 +7421,28 @@ module M(SC:Syscall_t) = { condition_loop <@ comp_u64_l_int_and_u64_l_int (buf_offset, (((3 * 168) - 48) + 1), counter, ((256 - 32) + 1)); while (condition_loop) { - ms <- update_msf condition_loop ms; + ms <- (update_msf condition_loop ms); (pol, counter) <@ __gen_matrix_buf_rejection_filter48 (pol, counter, buf, buf_offset, load_shuffle, mask, bounds, sst, ones, ms); buf_offset <- (buf_offset + (W64.of_int 48)); condition_loop <@ comp_u64_l_int_and_u64_l_int (buf_offset, (((3 * 168) - 48) + 1), counter, ((256 - 32) + 1)); } - ms <- update_msf (! condition_loop) ms; + ms <- (update_msf (! condition_loop) ms); condition_loop <@ comp_u64_l_int_and_u64_l_int (buf_offset, (((3 * 168) - 24) + 1), counter, 256); while (condition_loop) { - ms <- update_msf condition_loop ms; + ms <- (update_msf condition_loop ms); (pol, counter, ms) <@ __gen_matrix_buf_rejection_filter24 (pol, - counter, buf, buf_offset, load_shuffle, mask, bounds, sst, ones, ms); + counter, buf, buf_offset, load_shuffle, mask, bounds, sst, ones, + ms); buf_offset <- (buf_offset + (W64.of_int 24)); condition_loop <@ comp_u64_l_int_and_u64_l_int (buf_offset, (((3 * 168) - 24) + 1), counter, 256); } return (pol, counter); } - proc gen_matrix_get_indexes (b:W64.t, _t:W64.t) : W16.t Array4.t = { - var idx:W16.t Array4.t; var gmi:W16.t Array16.t; var t:W64.t; @@ -6508,13 +7456,11 @@ module M(SC:Syscall_t) = { idx.[1] <- gmi.[((W64.to_uint b) + 1)]; idx.[2] <- gmi.[((W64.to_uint b) + 2)]; idx.[3] <- gmi.[((W64.to_uint b) + 3)]; - return (idx); + return idx; } - proc __gen_matrix_fill_polynomial (pol:W16.t Array256.t, buf:W8.t Array536.t) : W16.t Array256.t * W8.t Array536.t = { - var buf_offset:W64.t; var counter:W64.t; var stavx2:W256.t Array7.t; 
@@ -6524,7 +7470,6 @@ module M(SC:Syscall_t) = { (pol, counter) <@ _gen_matrix_buf_rejection (pol, counter, buf, buf_offset); buf_offset <- (W64.of_int (2 * 168)); - while ((counter \ult (W64.of_int 256))) { stavx2 <@ _stavx2_pack_at (buf, buf_offset); stavx2 <@ _keccakf1600_avx2 (stavx2); @@ -6534,18 +7479,16 @@ module M(SC:Syscall_t) = { } return (pol, buf); } - proc _gen_matrix_sample_four_polynomials (polx4:W16.t Array1024.t, buf:W8.t Array2144.t, rho:W8.t Array32.t, mat_entry:W64.t, transposed:W64.t) : W16.t Array1024.t * W8.t Array2144.t = { - var aux_2: W8.t Array536.t; - var aux_1: W8.t Array536.t; - var aux_0: W8.t Array536.t; - var aux: W8.t Array536.t; - var aux_3: W16.t Array256.t; - + var aux_2:W8.t Array536.t; + var aux_1:W8.t Array536.t; + var aux_0:W8.t Array536.t; + var aux:W8.t Array536.t; + var aux_3:W16.t Array256.t; var indexes:W16.t Array4.t; var state:W256.t Array25.t; var stx4:W256.t Array25.t; 
@@ -6559,82 +7502,117 @@ module M(SC:Syscall_t) = { stx4 <- state; stx4 <@ xof_init_x4 (rho, indexes); buf_offset <- (W64.of_int 0); - while ((buf_offset \ult (W64.of_int (3 * 168)))) { stx4 <@ _keccakf1600_4x (stx4); - (aux_2, aux_1, aux_0, - aux) <@ __st4x_unpack_at ((Array536.init (fun i => buf.[(536 * 0) + i])), - (Array536.init (fun i => buf.[(536 * 1) + i])), - (Array536.init (fun i => buf.[(536 * 2) + i])), - (Array536.init (fun i => buf.[(536 * 3) + i])), stx4, buf_offset); - buf <- Array2144.init - (fun i => if (536 * 0) <= i < (536 * 0) + 536 - then aux_2.[i-(536 * 0)] else buf.[i]); - buf <- Array2144.init - (fun i => if (536 * 1) <= i < (536 * 1) + 536 - then aux_1.[i-(536 * 1)] else buf.[i]); - buf <- Array2144.init - (fun i => if (536 * 2) <= i < (536 * 2) + 536 - then aux_0.[i-(536 * 2)] else buf.[i]); - buf <- Array2144.init - (fun i => if (536 * 3) <= i < (536 * 3) + 536 - then aux.[i-(536 * 3)] else buf.[i]); + (aux_2, aux_1, aux_0, aux) <@ __st4x_unpack_at ((Array536.init + (fun i => buf.[ + ((536 * 0) + + i)]) + ), + (Array536.init (fun i => buf.[((536 * 1) + i)])), + (Array536.init (fun i => buf.[((536 * 2) + i)])), + (Array536.init (fun i => buf.[((536 * 3) + i)])), stx4, buf_offset); + buf <- + (Array2144.init + (fun i => (if ((536 * 0) <= i < ((536 * 0) + 536)) then aux_2.[ + (i - (536 * 0))] else + buf.[i])) + ); + buf <- + (Array2144.init + (fun i => (if ((536 * 1) <= i < ((536 * 1) + 536)) then aux_1.[ + (i - (536 * 1))] else + buf.[i])) + ); + buf <- + (Array2144.init + (fun i => (if ((536 * 2) <= i < ((536 * 2) + 536)) then aux_0.[ + (i - (536 * 2))] else + buf.[i])) + ); + buf <- + (Array2144.init + (fun i => (if ((536 * 3) <= i < ((536 * 3) + 536)) then aux.[(i - + (536 * 3))] else + buf.[i])) + ); buf_offset <- (buf_offset + (W64.of_int 168)); } - pol <- (Array256.init (fun i => polx4.[(0 * 256) + i])); + pol <- (Array256.init (fun i => polx4.[((0 * 256) + i)])); (aux_3, aux_2) <@ __gen_matrix_fill_polynomial (pol, - (Array536.init 
(fun i => buf.[(536 * 0) + i]))); + (Array536.init (fun i => buf.[((536 * 0) + i)]))); pol <- aux_3; - buf <- Array2144.init - (fun i => if (536 * 0) <= i < (536 * 0) + 536 - then aux_2.[i-(536 * 0)] else buf.[i]); - polx4 <- Array1024.init - (fun i => if (0 * 256) <= i < (0 * 256) + 256 - then pol.[i-(0 * 256)] else polx4.[i]); - pol <- (Array256.init (fun i => polx4.[(1 * 256) + i])); + buf <- + (Array2144.init + (fun i => (if ((536 * 0) <= i < ((536 * 0) + 536)) then aux_2.[(i - + (536 * 0))] else + buf.[i])) + ); + polx4 <- + (Array1024.init + (fun i => (if ((0 * 256) <= i < ((0 * 256) + 256)) then pol.[(i - + (0 * 256))] else + polx4.[i])) + ); + pol <- (Array256.init (fun i => polx4.[((1 * 256) + i)])); (aux_3, aux_2) <@ __gen_matrix_fill_polynomial (pol, - (Array536.init (fun i => buf.[(536 * 1) + i]))); + (Array536.init (fun i => buf.[((536 * 1) + i)]))); pol <- aux_3; - buf <- Array2144.init - (fun i => if (536 * 1) <= i < (536 * 1) + 536 - then aux_2.[i-(536 * 1)] else buf.[i]); - polx4 <- Array1024.init - (fun i => if (1 * 256) <= i < (1 * 256) + 256 - then pol.[i-(1 * 256)] else polx4.[i]); - pol <- (Array256.init (fun i => polx4.[(2 * 256) + i])); + buf <- + (Array2144.init + (fun i => (if ((536 * 1) <= i < ((536 * 1) + 536)) then aux_2.[(i - + (536 * 1))] else + buf.[i])) + ); + polx4 <- + (Array1024.init + (fun i => (if ((1 * 256) <= i < ((1 * 256) + 256)) then pol.[(i - + (1 * 256))] else + polx4.[i])) + ); + pol <- (Array256.init (fun i => polx4.[((2 * 256) + i)])); (aux_3, aux_2) <@ __gen_matrix_fill_polynomial (pol, - (Array536.init (fun i => buf.[(536 * 2) + i]))); + (Array536.init (fun i => buf.[((536 * 2) + i)]))); pol <- aux_3; - buf <- Array2144.init - (fun i => if (536 * 2) <= i < (536 * 2) + 536 - then aux_2.[i-(536 * 2)] else buf.[i]); - polx4 <- Array1024.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 - then pol.[i-(2 * 256)] else polx4.[i]); - pol <- (Array256.init (fun i => polx4.[(3 * 256) + i])); + buf <- + (Array2144.init + 
(fun i => (if ((536 * 2) <= i < ((536 * 2) + 536)) then aux_2.[(i - + (536 * 2))] else + buf.[i])) + ); + polx4 <- + (Array1024.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then pol.[(i - + (2 * 256))] else + polx4.[i])) + ); + pol <- (Array256.init (fun i => polx4.[((3 * 256) + i)])); (aux_3, aux_2) <@ __gen_matrix_fill_polynomial (pol, - (Array536.init (fun i => buf.[(536 * 3) + i]))); + (Array536.init (fun i => buf.[((536 * 3) + i)]))); pol <- aux_3; - buf <- Array2144.init - (fun i => if (536 * 3) <= i < (536 * 3) + 536 - then aux_2.[i-(536 * 3)] else buf.[i]); - polx4 <- Array1024.init - (fun i => if (3 * 256) <= i < (3 * 256) + 256 - then pol.[i-(3 * 256)] else polx4.[i]); + buf <- + (Array2144.init + (fun i => (if ((536 * 3) <= i < ((536 * 3) + 536)) then aux_2.[(i - + (536 * 3))] else + buf.[i])) + ); + polx4 <- + (Array1024.init + (fun i => (if ((3 * 256) <= i < ((3 * 256) + 256)) then pol.[(i - + (3 * 256))] else + polx4.[i])) + ); return (polx4, buf); } - proc __gen_matrix_sample_one_polynomial (pol:W16.t Array256.t, buf:W8.t Array536.t, rho:W8.t Array32.t, rc:W16.t) : W16.t Array256.t * W8.t Array536.t = { - var stavx2:W256.t Array7.t; var buf_offset:W64.t; stavx2 <- witness; stavx2 <@ xof_init_avx2 (rho, rc); buf_offset <- (W64.of_int 0); - while ((buf_offset \ult (W64.of_int (3 * 168)))) { stavx2 <@ _keccakf1600_avx2 (stavx2); buf <@ _stavx2_unpack_at (buf, buf_offset, stavx2); @@ -6643,13 +7621,11 @@ module M(SC:Syscall_t) = { (pol, buf) <@ __gen_matrix_fill_polynomial (pol, buf); return (pol, buf); } - proc _gen_matrix_avx2 (matrix:W16.t Array2304.t, rho:W8.t Array32.t, transposed:W64.t) : W16.t Array2304.t = { - var aux: int; - var aux_1: W8.t Array536.t; - var aux_0: W16.t Array256.t; - + var aux:int; + var aux_1:W8.t Array536.t; + var aux_0:W16.t Array256.t; var buf_s:W8.t Array2144.t; var buf:W8.t Array2144.t; var i:int; 
@@ -6665,51 +7641,70 @@ module M(SC:Syscall_t) = { (* Erased call to spill *) buf <- buf_s; i <- 0; - while (i < 2) { + while ((i < 2)) { mat_entry <- (W64.of_int (4 * i)); - polx4 <- (Array1024.init (fun i_0 => matrix.[((4 * i) * 256) + i_0])); + polx4 <- + (Array1024.init (fun i_0 => matrix.[(((4 * i) * 256) + i_0)])); (* Erased call to unspill *) - (polx4, buf) <@ _gen_matrix_sample_four_polynomials (polx4, buf, rho, - mat_entry, transposed); - matrix <- Array2304.init - (fun i_0 => if ((i * 4) * 256) <= i_0 < ((i * 4) * 256) + 1024 - then polx4.[i_0-((i * 4) * 256)] else matrix.[i_0]); - i <- i + 1; + (polx4, buf) <@ _gen_matrix_sample_four_polynomials (polx4, buf, + rho, mat_entry, transposed); + matrix <- + (Array2304.init + (fun i_0 => (if (((i * 4) * 256) <= i_0 < (((i * 4) * 256) + 1024)) then + polx4.[(i_0 - ((i * 4) * 256))] else matrix.[i_0])) + ); + i <- (i + 1); } - pol <- (Array256.init (fun i_0 => matrix.[(8 * 256) + i_0])); + pol <- (Array256.init (fun i_0 => matrix.[((8 * 256) + i_0)])); rc <- (W16.of_int 514); (aux_0, aux_1) <@ __gen_matrix_sample_one_polynomial (pol, - (Array536.init (fun i_0 => buf.[(536 * 0) + i_0])), rho, rc); + (Array536.init (fun i_0 => buf.[((536 * 0) + i_0)])), rho, rc); pol <- aux_0; - buf <- Array2144.init - (fun i_0 => if (536 * 0) <= i_0 < (536 * 0) + 536 - then aux_1.[i_0-(536 * 0)] else buf.[i_0]); - matrix <- Array2304.init - (fun i_0 => if (8 * 256) <= i_0 < (8 * 256) + 256 - then pol.[i_0-(8 * 256)] else matrix.[i_0]); + buf <- + (Array2144.init + (fun i_0 => (if ((536 * 0) <= i_0 < ((536 * 0) + 536)) then aux_1.[ + (i_0 - + (536 * 0))] else + buf.[i_0])) + ); + matrix <- + (Array2304.init + (fun i_0 => (if ((8 * 256) <= i_0 < ((8 * 256) + 256)) then pol.[ + (i_0 - + (8 * 256))] else + matrix.[i_0])) + ); i <- 0; - while (i < 3) { + while ((i < 3)) { j <- 0; - while (j < 3) { - aux_0 <@ _nttunpack ((Array256.init (fun i_0 => matrix.[((i * (3 * 256)) + (j * 256)) + i_0]))); - matrix <- Array2304.init - (fun i_0 => 
if ((i * (3 * 256)) + (j * 256)) <= i_0 < ((i * (3 * 256)) + (j * 256)) + 256 - then aux_0.[i_0-((i * (3 * 256)) + (j * 256))] - else matrix.[i_0]); - j <- j + 1; + while ((j < 3)) { + aux_0 <@ _nttunpack ((Array256.init + (fun i_0 => matrix.[(((i * (3 * 256)) + + (j * 256)) + + i_0)]) + )); + matrix <- + (Array2304.init + (fun i_0 => (if (((i * (3 * 256)) + (j * 256)) <= i_0 < (((i * + (3 * 256)) + + (j * 256)) + + 256)) then + aux_0.[(i_0 - ((i * (3 * 256)) + (j * 256)))] else + matrix.[i_0])) + ); + j <- (j + 1); } - i <- i + 1; + i <- (i + 1); } - return (matrix); - } - - proc __indcpa_keypair (pkp:W64.t, skp:W64.t, randomnessp:W8.t Array32.t) : unit = { - var aux: int; - var aux_3: W16.t Array256.t; - var aux_2: W16.t Array256.t; - var aux_1: W16.t Array256.t; - var aux_0: W16.t Array256.t; - + return matrix; + } + proc __indcpa_keypair (pkp:W64.t, skp:W64.t, randomnessp:W8.t Array32.t) : + unit = { + var aux:int; + var aux_3:W16.t Array256.t; + var aux_2:W16.t Array256.t; + var aux_1:W16.t Array256.t; + var aux_0:W16.t Array256.t; var i:int; var t64:W64.t; var inbuf:W8.t Array32.t; 
@@ -6733,79 +7728,116 @@ module M(SC:Syscall_t) = { (* Erased call to spill *) aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (randomnessp).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => randomnessp.[i_0])) i); inbuf <- - Array32.init - (WArray32.get8 (WArray32.set64 (WArray32.init8 (fun i_0 => (inbuf).[i_0])) i (t64))); - i <- i + 1; + (Array32.init + (WArray32.get8 + (WArray32.set64 (WArray32.init8 (fun i_0 => inbuf.[i_0])) i t64))); + i <- (i + 1); } buf <@ _sha3_512_32 (buf, inbuf); aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray64.init8 (fun i_0 => (buf).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray64.init8 (fun i_0 => buf.[i_0])) i); publicseed <- - Array32.init - (WArray32.get8 (WArray32.set64 (WArray32.init8 (fun i_0 => (publicseed).[i_0])) i (t64))); - t64 <- - (get64 (WArray64.init8 (fun i_0 => (buf).[i_0])) (i + (32 %/ 8))); + (Array32.init + (WArray32.get8 + (WArray32.set64 (WArray32.init8 (fun i_0 => publicseed.[i_0])) i t64))); + t64 <- (get64 (WArray64.init8 (fun i_0 => buf.[i_0])) (i + (32 %/ 8))); noiseseed <- - Array32.init - (WArray32.get8 (WArray32.set64 (WArray32.init8 (fun i_0 => (noiseseed).[i_0])) i (t64))); - i <- i + 1; + (Array32.init + (WArray32.get8 + (WArray32.set64 (WArray32.init8 (fun i_0 => noiseseed.[i_0])) i t64))); + i <- (i + 1); } transposed <- (W64.of_int 0); aa <@ _gen_matrix_avx2 (aa, publicseed, transposed); nonce <- (W8.of_int 0); - (aux_3, aux_2, aux_1, - aux_0) <@ _poly_getnoise_eta1_4x ((Array256.init (fun i_0 => skpv.[0 + i_0])), - (Array256.init (fun i_0 => skpv.[256 + i_0])), - (Array256.init (fun i_0 => skpv.[(2 * 256) + i_0])), - (Array256.init (fun i_0 => e.[0 + i_0])), noiseseed, nonce); - skpv <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_3.[i_0-0] - else skpv.[i_0]); - skpv <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_2.[i_0-256] - else skpv.[i_0]); - skpv <- 
Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_1.[i_0-(2 * 256)] else skpv.[i_0]); - e <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_0.[i_0-0] else e.[i_0]); + (aux_3, aux_2, aux_1, aux_0) <@ _poly_getnoise_eta1_4x ((Array256.init + (fun i_0 => + skpv.[(0 + i_0)]) + ), + (Array256.init (fun i_0 => skpv.[(256 + i_0)])), + (Array256.init (fun i_0 => skpv.[((2 * 256) + i_0)])), + (Array256.init (fun i_0 => e.[(0 + i_0)])), noiseseed, nonce); + skpv <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_3.[(i_0 - 0)] else + skpv.[i_0])) + ); + skpv <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_2.[(i_0 - 256)] else + skpv.[i_0])) + ); + skpv <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_1.[ + (i_0 - + (2 * 256))] else + skpv.[i_0])) + ); + e <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_0.[(i_0 - 0)] else + e.[i_0])) + ); nonce <- (W8.of_int 4); - (aux_3, aux_2, aux_1, - aux_0) <@ _poly_getnoise_eta1_4x ((Array256.init (fun i_0 => e.[256 + i_0])), - (Array256.init (fun i_0 => e.[(2 * 256) + i_0])), - (Array256.init (fun i_0 => pkpv.[0 + i_0])), - (Array256.init (fun i_0 => pkpv.[256 + i_0])), noiseseed, nonce); - e <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_3.[i_0-256] - else e.[i_0]); - e <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_2.[i_0-(2 * 256)] else e.[i_0]); - pkpv <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_1.[i_0-0] - else pkpv.[i_0]); - pkpv <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_0.[i_0-256] - else pkpv.[i_0]); + (aux_3, aux_2, aux_1, aux_0) <@ _poly_getnoise_eta1_4x ((Array256.init + (fun i_0 => + e.[(256 + i_0)])), + (Array256.init (fun i_0 => e.[((2 * 256) + i_0)])), + (Array256.init (fun i_0 => pkpv.[(0 + i_0)])), + (Array256.init (fun i_0 => pkpv.[(256 + i_0)])), noiseseed, nonce); + e <- + 
(Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_3.[(i_0 - 256)] else + e.[i_0])) + ); + e <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_2.[ + (i_0 - + (2 * 256))] else + e.[i_0])) + ); + pkpv <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_1.[(i_0 - 0)] else + pkpv.[i_0])) + ); + pkpv <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_0.[(i_0 - 256)] else + pkpv.[i_0])) + ); skpv <@ __polyvec_ntt (skpv); e <@ __polyvec_ntt (e); i <- 0; - while (i < 3) { - aux_3 <@ __polyvec_pointwise_acc ((Array256.init (fun i_0 => pkpv.[(i * 256) + i_0])), - (Array768.init (fun i_0 => aa.[(i * (3 * 256)) + i_0])), skpv); - pkpv <- Array768.init - (fun i_0 => if (i * 256) <= i_0 < (i * 256) + 256 - then aux_3.[i_0-(i * 256)] else pkpv.[i_0]); - aux_3 <@ _poly_frommont ((Array256.init (fun i_0 => pkpv.[(i * 256) + i_0]))); - pkpv <- Array768.init - (fun i_0 => if (i * 256) <= i_0 < (i * 256) + 256 - then aux_3.[i_0-(i * 256)] else pkpv.[i_0]); - i <- i + 1; + while ((i < 3)) { + aux_3 <@ __polyvec_pointwise_acc ((Array256.init + (fun i_0 => pkpv.[((i * 256) + i_0)]) + ), + (Array768.init (fun i_0 => aa.[((i * (3 * 256)) + i_0)])), skpv); + pkpv <- + (Array768.init + (fun i_0 => (if ((i * 256) <= i_0 < ((i * 256) + 256)) then aux_3.[ + (i_0 - + (i * 256))] else + pkpv.[i_0])) + ); + aux_3 <@ _poly_frommont ((Array256.init + (fun i_0 => pkpv.[((i * 256) + i_0)]))); + pkpv <- + (Array768.init + (fun i_0 => (if ((i * 256) <= i_0 < ((i * 256) + 256)) then aux_3.[ + (i_0 - + (i * 256))] else + pkpv.[i_0])) + ); + i <- (i + 1); } pkpv <@ __polyvec_add2 (pkpv, e); pkpv <@ __polyvec_reduce (pkpv); 
@@ -6815,24 +7847,22 @@ module M(SC:Syscall_t) = { pkp <- (pkp + (W64.of_int (3 * 384))); aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (publicseed).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => publicseed.[i_0])) i); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (pkp + (W64.of_int 0))) (t64); + (storeW64 Glob.mem (W64.to_uint (pkp + (W64.of_int 0))) t64); pkp <- (pkp + (W64.of_int 8)); - i <- i + 1; + i <- (i + 1); } return (); } - proc __indcpa_enc_0 (sctp:W64.t, msgp:W8.t Array32.t, pkp:W64.t, noiseseed:W8.t Array32.t) : unit = { - var aux_3: int; - var aux_2: W16.t Array256.t; - var aux_1: W16.t Array256.t; - var aux_0: W16.t Array256.t; - var aux: W16.t Array256.t; - + var aux_3:int; + var aux_2:W16.t Array256.t; + var aux_1:W16.t Array256.t; + var aux_0:W16.t Array256.t; + var aux:W16.t Array256.t; var pkpv:W16.t Array768.t; var i:W64.t; var t64:W64.t; @@ -6864,12 +7894,13 @@ module M(SC:Syscall_t) = { pkpv <@ __polyvec_frombytes (pkp); i <- (W64.of_int 0); pkp <- (pkp + (W64.of_int (3 * 384))); - while ((i \ult (W64.of_int (32 %/ 8)))) { t64 <- (loadW64 Glob.mem (W64.to_uint (pkp + (W64.of_int 0)))); publicseed <- - Array32.init - (WArray32.get8 (WArray32.set64_direct (WArray32.init8 (fun i_0 => (publicseed).[i_0])) (8 * (W64.to_uint i)) (t64))); + (Array32.init + (WArray32.get8 + (WArray32.set64_direct (WArray32.init8 (fun i_0 => publicseed.[i_0])) + (8 * (W64.to_uint i)) t64))); pkp <- (pkp + (W64.of_int 8)); i <- (i + (W64.of_int 1)); } 
@@ -6879,45 +7910,72 @@ module M(SC:Syscall_t) = { aat <@ _gen_matrix_avx2 (aat, publicseed, transposed); lnoiseseed <- s_noiseseed; nonce <- (W8.of_int 0); - (aux_2, aux_1, aux_0, - aux) <@ _poly_getnoise_eta1_4x ((Array256.init (fun i_0 => sp_0.[0 + i_0])), - (Array256.init (fun i_0 => sp_0.[256 + i_0])), - (Array256.init (fun i_0 => sp_0.[(2 * 256) + i_0])), - (Array256.init (fun i_0 => ep.[0 + i_0])), lnoiseseed, nonce); - sp_0 <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_2.[i_0-0] - else sp_0.[i_0]); - sp_0 <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_1.[i_0-256] - else sp_0.[i_0]); - sp_0 <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_0.[i_0-(2 * 256)] else sp_0.[i_0]); - ep <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] else ep.[i_0]); + (aux_2, aux_1, aux_0, aux) <@ _poly_getnoise_eta1_4x ((Array256.init + (fun i_0 => + sp_0.[(0 + i_0)])), + (Array256.init (fun i_0 => sp_0.[(256 + i_0)])), + (Array256.init (fun i_0 => sp_0.[((2 * 256) + i_0)])), + (Array256.init (fun i_0 => ep.[(0 + i_0)])), lnoiseseed, nonce); + sp_0 <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_2.[(i_0 - 0)] else + sp_0.[i_0])) + ); + sp_0 <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_1.[(i_0 - 256)] else + sp_0.[i_0])) + ); + sp_0 <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_0.[ + (i_0 - + (2 * 256))] else + sp_0.[i_0])) + ); + ep <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + ep.[i_0])) + ); nonce <- (W8.of_int 4); - (aux_2, aux_1, aux_0, - aux) <@ _poly_getnoise_eta1_4x ((Array256.init (fun i_0 => ep.[256 + i_0])), - (Array256.init (fun i_0 => ep.[(2 * 256) + i_0])), epp, - (Array256.init (fun i_0 => bp.[0 + i_0])), lnoiseseed, nonce); - ep <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_2.[i_0-256] - else ep.[i_0]); - ep <- Array768.init - 
(fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_1.[i_0-(2 * 256)] else ep.[i_0]); + (aux_2, aux_1, aux_0, aux) <@ _poly_getnoise_eta1_4x ((Array256.init + (fun i_0 => + ep.[(256 + i_0)])), + (Array256.init (fun i_0 => ep.[((2 * 256) + i_0)])), epp, + (Array256.init (fun i_0 => bp.[(0 + i_0)])), lnoiseseed, nonce); + ep <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_2.[(i_0 - 256)] else + ep.[i_0])) + ); + ep <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_1.[ + (i_0 - + (2 * 256))] else + ep.[i_0])) + ); epp <- aux_0; - bp <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] else bp.[i_0]); + bp <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + bp.[i_0])) + ); sp_0 <@ __polyvec_ntt (sp_0); w <- 0; - while (w < 3) { - aux_2 <@ __polyvec_pointwise_acc ((Array256.init (fun i_0 => bp.[(w * 256) + i_0])), - (Array768.init (fun i_0 => aat.[(w * (3 * 256)) + i_0])), sp_0); - bp <- Array768.init - (fun i_0 => if (w * 256) <= i_0 < (w * 256) + 256 - then aux_2.[i_0-(w * 256)] else bp.[i_0]); - w <- w + 1; + while ((w < 3)) { + aux_2 <@ __polyvec_pointwise_acc ((Array256.init + (fun i_0 => bp.[((w * 256) + i_0)])), + (Array768.init (fun i_0 => aat.[((w * (3 * 256)) + i_0)])), sp_0); + bp <- + (Array768.init + (fun i_0 => (if ((w * 256) <= i_0 < ((w * 256) + 256)) then aux_2.[ + (i_0 - + (w * 256))] else + bp.[i_0])) + ); + w <- (w + 1); } v <@ __polyvec_pointwise_acc (v, pkpv, sp_0); bp <@ __polyvec_invntt (bp); 
@@ -6933,17 +7991,15 @@ module M(SC:Syscall_t) = { v <@ _poly_compress (ctp, v); return (); } - proc __indcpa_enc_1 (ctp:W8.t Array1088.t, msgp:W8.t Array32.t, pkp:W64.t, noiseseed:W8.t Array32.t) : W8.t Array1088.t = { - var aux_3: int; - var aux_5: W8.t Array128.t; - var aux_4: W8.t Array960.t; - var aux_2: W16.t Array256.t; - var aux_1: W16.t Array256.t; - var aux_0: W16.t Array256.t; - var aux: W16.t Array256.t; - + var aux_3:int; + var aux_5:W8.t Array128.t; + var aux_4:W8.t Array960.t; + var aux_2:W16.t Array256.t; + var aux_1:W16.t Array256.t; + var aux_0:W16.t Array256.t; + var aux:W16.t Array256.t; var pkpv:W16.t Array768.t; var i:W64.t; var t64:W64.t; @@ -6974,12 +8030,13 @@ module M(SC:Syscall_t) = { pkpv <@ __polyvec_frombytes (pkp); i <- (W64.of_int 0); pkp <- (pkp + (W64.of_int (3 * 384))); - while ((i \ult (W64.of_int (32 %/ 8)))) { t64 <- (loadW64 Glob.mem (W64.to_uint (pkp + (W64.of_int 0)))); publicseed <- - Array32.init - (WArray32.get8 (WArray32.set64_direct (WArray32.init8 (fun i_0 => (publicseed).[i_0])) (8 * (W64.to_uint i)) (t64))); + (Array32.init + (WArray32.get8 + (WArray32.set64_direct (WArray32.init8 (fun i_0 => publicseed.[i_0])) + (8 * (W64.to_uint i)) t64))); pkp <- (pkp + (W64.of_int 8)); i <- (i + (W64.of_int 1)); } 
@@ -6989,45 +8046,72 @@ module M(SC:Syscall_t) = { aat <@ _gen_matrix_avx2 (aat, publicseed, transposed); lnoiseseed <- s_noiseseed; nonce <- (W8.of_int 0); - (aux_2, aux_1, aux_0, - aux) <@ _poly_getnoise_eta1_4x ((Array256.init (fun i_0 => sp_0.[0 + i_0])), - (Array256.init (fun i_0 => sp_0.[256 + i_0])), - (Array256.init (fun i_0 => sp_0.[(2 * 256) + i_0])), - (Array256.init (fun i_0 => ep.[0 + i_0])), lnoiseseed, nonce); - sp_0 <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_2.[i_0-0] - else sp_0.[i_0]); - sp_0 <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_1.[i_0-256] - else sp_0.[i_0]); - sp_0 <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_0.[i_0-(2 * 256)] else sp_0.[i_0]); - ep <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] else ep.[i_0]); + (aux_2, aux_1, aux_0, aux) <@ _poly_getnoise_eta1_4x ((Array256.init + (fun i_0 => + sp_0.[(0 + i_0)])), + (Array256.init (fun i_0 => sp_0.[(256 + i_0)])), + (Array256.init (fun i_0 => sp_0.[((2 * 256) + i_0)])), + (Array256.init (fun i_0 => ep.[(0 + i_0)])), lnoiseseed, nonce); + sp_0 <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_2.[(i_0 - 0)] else + sp_0.[i_0])) + ); + sp_0 <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_1.[(i_0 - 256)] else + sp_0.[i_0])) + ); + sp_0 <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_0.[ + (i_0 - + (2 * 256))] else + sp_0.[i_0])) + ); + ep <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + ep.[i_0])) + ); nonce <- (W8.of_int 4); - (aux_2, aux_1, aux_0, - aux) <@ _poly_getnoise_eta1_4x ((Array256.init (fun i_0 => ep.[256 + i_0])), - (Array256.init (fun i_0 => ep.[(2 * 256) + i_0])), epp, - (Array256.init (fun i_0 => bp.[0 + i_0])), lnoiseseed, nonce); - ep <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_2.[i_0-256] - else ep.[i_0]); - ep <- Array768.init - 
(fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_1.[i_0-(2 * 256)] else ep.[i_0]); + (aux_2, aux_1, aux_0, aux) <@ _poly_getnoise_eta1_4x ((Array256.init + (fun i_0 => + ep.[(256 + i_0)])), + (Array256.init (fun i_0 => ep.[((2 * 256) + i_0)])), epp, + (Array256.init (fun i_0 => bp.[(0 + i_0)])), lnoiseseed, nonce); + ep <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_2.[(i_0 - 256)] else + ep.[i_0])) + ); + ep <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_1.[ + (i_0 - + (2 * 256))] else + ep.[i_0])) + ); epp <- aux_0; - bp <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] else bp.[i_0]); + bp <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + bp.[i_0])) + ); sp_0 <@ __polyvec_ntt (sp_0); w <- 0; - while (w < 3) { - aux_2 <@ __polyvec_pointwise_acc ((Array256.init (fun i_0 => bp.[(w * 256) + i_0])), - (Array768.init (fun i_0 => aat.[(w * (3 * 256)) + i_0])), sp_0); - bp <- Array768.init - (fun i_0 => if (w * 256) <= i_0 < (w * 256) + 256 - then aux_2.[i_0-(w * 256)] else bp.[i_0]); - w <- w + 1; + while ((w < 3)) { + aux_2 <@ __polyvec_pointwise_acc ((Array256.init + (fun i_0 => bp.[((w * 256) + i_0)])), + (Array768.init (fun i_0 => aat.[((w * (3 * 256)) + i_0)])), sp_0); + bp <- + (Array768.init + (fun i_0 => (if ((w * 256) <= i_0 < ((w * 256) + 256)) then aux_2.[ + (i_0 - + (w * 256))] else + bp.[i_0])) + ); + w <- (w + 1); } v <@ __polyvec_pointwise_acc (v, pkpv, sp_0); bp <@ __polyvec_invntt (bp); 
@@ -7037,23 +8121,28 @@ module M(SC:Syscall_t) = { v <@ _poly_add2 (v, k); bp <@ __polyvec_reduce (bp); v <@ __poly_reduce (v); - aux_4 <@ __polyvec_compress_1 ((Array960.init (fun i_0 => ctp.[0 + i_0])), + aux_4 <@ __polyvec_compress_1 ((Array960.init + (fun i_0 => ctp.[(0 + i_0)])), bp); - ctp <- Array1088.init - (fun i_0 => if 0 <= i_0 < 0 + 960 then aux_4.[i_0-0] - else ctp.[i_0]); - (aux_5, - aux_2) <@ _poly_compress_1 ((Array128.init (fun i_0 => ctp.[(3 * 320) + i_0])), + ctp <- + (Array1088.init + (fun i_0 => (if (0 <= i_0 < (0 + 960)) then aux_4.[(i_0 - 0)] else + ctp.[i_0])) + ); + (aux_5, aux_2) <@ _poly_compress_1 ((Array128.init + (fun i_0 => ctp.[((3 * 320) + i_0)])), v); - ctp <- Array1088.init - (fun i_0 => if (3 * 320) <= i_0 < (3 * 320) + 128 - then aux_5.[i_0-(3 * 320)] else ctp.[i_0]); + ctp <- + (Array1088.init + (fun i_0 => (if ((3 * 320) <= i_0 < ((3 * 320) + 128)) then aux_5.[ + (i_0 - + (3 * 320))] else + ctp.[i_0])) + ); v <- aux_2; - return (ctp); + return ctp; } - proc __indcpa_dec_1 (msgp:W8.t Array32.t, ctp:W64.t, skp:W64.t) : W8.t Array32.t = { - var bp:W16.t Array768.t; var v:W16.t Array256.t; var skpv:W16.t Array768.t; @@ -7074,12 +8163,10 @@ module M(SC:Syscall_t) = { mp <@ _poly_sub (mp, v, t); mp <@ __poly_reduce (mp); (msgp, mp) <@ _poly_tomsg_1 (msgp, mp); - return (msgp); + return msgp; } - proc __verify (ctp:W64.t, ctpc:W8.t Array1088.t) : W64.t = { - var aux: int; - + var aux:int; var cnd:W64.t; var t64:W64.t; var h:W256.t; 
@@ -7094,41 +8181,38 @@ module M(SC:Syscall_t) = { var _1:bool; var _2:bool; var _3:bool; - cnd <- (W64.of_int 0); t64 <- (W64.of_int 1); - h <- set0_256 ; + h <- (set0_256); aux <- (((3 * 320) + 128) %/ 32); i <- 0; - while (i < aux) { + while ((i < aux)) { f <- - (get256_direct (WArray1088.init8 (fun i_0 => (ctpc).[i_0])) (32 * i)); + (get256_direct (WArray1088.init8 (fun i_0 => ctpc.[i_0])) (32 * i)); g <- (loadW256 Glob.mem (W64.to_uint (ctp + (W64.of_int (32 * i))))); - f <- VPXOR_256 f g; - h <- VPOR_256 h f; - i <- i + 1; + f <- (VPXOR_256 f g); + h <- (VPOR_256 h f); + i <- (i + 1); } - ( _0, _1, _2, _3, zf) <- VPTEST_256 h h; + ( _0, _1, _2, _3, zf) <- (VPTEST_256 h h); cnd <- ((! zf) ? t64 : cnd); off <- ((((3 * 320) + 128) %/ 32) * 32); aux <- ((3 * 320) + 128); i <- off; - while (i < aux) { - t1 <- (get8_direct (WArray1088.init8 (fun i_0 => (ctpc).[i_0])) i); + while ((i < aux)) { + t1 <- (get8_direct (WArray1088.init8 (fun i_0 => ctpc.[i_0])) i); t2 <- (loadW8 Glob.mem (W64.to_uint (ctp + (W64.of_int i)))); t1 <- (t1 `^` t2); t64 <- (zeroextu64 t1); cnd <- (cnd `|` t64); - i <- i + 1; + i <- (i + 1); } cnd <- (- cnd); cnd <- (cnd `>>` (W8.of_int 63)); - return (cnd); + return cnd; } - proc __cmov (dst:W64.t, src:W8.t Array32.t, cnd:W64.t) : unit = { - var aux: int; - + var aux:int; var scnd:W64.t; var m:W256.t; var i:int; 
@@ -7138,40 +8222,36 @@ module M(SC:Syscall_t) = { var bcond:W8.t; var t2:W8.t; var t1:W8.t; - cnd <- (- cnd); scnd <- cnd; - m <- VPBROADCAST_4u64 scnd; + m <- (VPBROADCAST_4u64 scnd); aux <- (32 %/ 32); i <- 0; - while (i < aux) { - f <- - (get256_direct (WArray32.init8 (fun i_0 => (src).[i_0])) (32 * i)); + while ((i < aux)) { + f <- (get256_direct (WArray32.init8 (fun i_0 => src.[i_0])) (32 * i)); g <- (loadW256 Glob.mem (W64.to_uint (dst + (W64.of_int (32 * i))))); - f <- VPBLENDVB_256 f g m; + f <- (VPBLENDVB_256 f g m); Glob.mem <- - storeW256 Glob.mem (W64.to_uint (dst + (W64.of_int (32 * i)))) (f); - i <- i + 1; + (storeW256 Glob.mem (W64.to_uint (dst + (W64.of_int (32 * i)))) f); + i <- (i + 1); } off <- ((32 %/ 32) * 32); bcond <- (truncateu8 cnd); i <- off; - while (i < 32) { + while ((i < 32)) { t2 <- (loadW8 Glob.mem (W64.to_uint (dst + (W64.of_int i)))); t1 <- src.[i]; t2 <- (t2 `^` t1); t2 <- (t2 `&` (truncateu8 cnd)); t1 <- (t1 `^` t2); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (dst + (W64.of_int i))) (t1); - i <- i + 1; + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (dst + (W64.of_int i))) t1); + i <- (i + 1); } return (); } - proc __crypto_kem_keypair_jazz (pkp:W64.t, skp:W64.t, randomnessp:W8.t Array64.t) : unit = { - var aux: int; - + var aux:int; var s_randomnessp:W8.t Array64.t; var s_pkp:W64.t; var s_skp:W64.t; 
@@ -7187,19 +8267,19 @@ module M(SC:Syscall_t) = { s_randomnessp <- randomnessp; s_pkp <- pkp; s_skp <- skp; - randomnessp1 <- (Array32.init (fun i_0 => randomnessp.[0 + i_0])); + randomnessp1 <- (Array32.init (fun i_0 => randomnessp.[(0 + i_0)])); __indcpa_keypair (pkp, skp, randomnessp1); skp <- s_skp; skp <- (skp + (W64.of_int (3 * 384))); pkp <- s_pkp; aux <- (((3 * 384) + 32) %/ 8); i <- 0; - while (i < aux) { + while ((i < aux)) { t64 <- (loadW64 Glob.mem (W64.to_uint (pkp + (W64.of_int (8 * i))))); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) (t64); + (storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) t64); skp <- (skp + (W64.of_int 8)); - i <- i + 1; + i <- (i + 1); } s_skp <- skp; pkp <- s_pkp; 
@@ -7207,32 +8287,30 @@ module M(SC:Syscall_t) = { h_pk <@ _isha3_256 (h_pk, pkp, t64); skp <- s_skp; i <- 0; - while (i < 4) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (h_pk).[i_0])) i); + while ((i < 4)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => h_pk.[i_0])) i); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) (t64); + (storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) t64); skp <- (skp + (W64.of_int 8)); - i <- i + 1; + i <- (i + 1); } randomnessp <- s_randomnessp; - randomnessp2 <- (Array32.init (fun i_0 => randomnessp.[32 + i_0])); + randomnessp2 <- (Array32.init (fun i_0 => randomnessp.[(32 + i_0)])); aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (randomnessp2).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => randomnessp2.[i_0])) i); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) (t64); + (storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) t64); skp <- (skp + (W64.of_int 8)); - i <- i + 1; + i <- (i + 1); } return (); } - proc __crypto_kem_enc_jazz (ctp:W64.t, shkp:W64.t, pkp:W64.t, randomnessp:W8.t Array32.t) : unit = { - var aux: int; - var aux_0: W8.t Array32.t; - + var aux:int; + var aux_0:W8.t Array32.t; var s_pkp:W64.t; var s_ctp:W64.t; var s_shkp:W64.t; 
@@ -7247,39 +8325,40 @@ module M(SC:Syscall_t) = { s_shkp <- shkp; aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (randomnessp).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => randomnessp.[i_0])) i); buf <- - Array64.init - (WArray64.get8 (WArray64.set64 (WArray64.init8 (fun i_0 => (buf).[i_0])) i (t64))); - i <- i + 1; + (Array64.init + (WArray64.get8 + (WArray64.set64 (WArray64.init8 (fun i_0 => buf.[i_0])) i t64))); + i <- (i + 1); } t64 <- (W64.of_int ((3 * 384) + 32)); - aux_0 <@ _isha3_256 ((Array32.init (fun i_0 => buf.[32 + i_0])), pkp, - t64); - buf <- Array64.init - (fun i_0 => if 32 <= i_0 < 32 + 32 then aux_0.[i_0-32] - else buf.[i_0]); + aux_0 <@ _isha3_256 ((Array32.init (fun i_0 => buf.[(32 + i_0)])), + pkp, t64); + buf <- + (Array64.init + (fun i_0 => (if (32 <= i_0 < (32 + 32)) then aux_0.[(i_0 - 32)] else + buf.[i_0])) + ); kr <@ _sha3_512_64 (kr, buf); pkp <- s_pkp; - __indcpa_enc_0 (s_ctp, (Array32.init (fun i_0 => buf.[0 + i_0])), pkp, - (Array32.init (fun i_0 => kr.[32 + i_0]))); + __indcpa_enc_0 (s_ctp, (Array32.init (fun i_0 => buf.[(0 + i_0)])), + pkp, (Array32.init (fun i_0 => kr.[(32 + i_0)]))); shkp <- s_shkp; aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray64.init8 (fun i_0 => (kr).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray64.init8 (fun i_0 => kr.[i_0])) i); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (shkp + (W64.of_int (8 * i)))) (t64); - i <- i + 1; + (storeW64 Glob.mem (W64.to_uint (shkp + (W64.of_int (8 * i)))) t64); + i <- (i + 1); } return (); } - proc __crypto_kem_dec_jazz (shkp:W64.t, ctp:W64.t, skp:W64.t) : unit = { - var aux_0: int; - var aux: W8.t Array32.t; - + var aux_0:int; + var aux:W8.t Array32.t; var s_shkp:W64.t; var s_ctp:W64.t; var buf:W8.t Array64.t; 
@@ -7298,27 +8377,32 @@ module M(SC:Syscall_t) = { kr <- witness; s_shkp <- shkp; s_ctp <- ctp; - aux <@ __indcpa_dec_1 ((Array32.init (fun i_0 => buf.[0 + i_0])), ctp, - skp); - buf <- Array64.init - (fun i_0 => if 0 <= i_0 < 0 + 32 then aux.[i_0-0] else buf.[i_0]); + aux <@ __indcpa_dec_1 ((Array32.init (fun i_0 => buf.[(0 + i_0)])), + ctp, skp); + buf <- + (Array64.init + (fun i_0 => (if (0 <= i_0 < (0 + 32)) then aux.[(i_0 - 0)] else buf.[i_0])) + ); hp <- skp; hp <- (hp + (W64.of_int (32 + (((24 * 3) * 256) `|>>` 3)))); aux_0 <- (32 %/ 8); i <- 0; - while (i < aux_0) { + while ((i < aux_0)) { t64 <- (loadW64 Glob.mem (W64.to_uint (hp + (W64.of_int (8 * i))))); buf <- - Array64.init - (WArray64.get8 (WArray64.set64_direct (WArray64.init8 (fun i_0 => (buf).[i_0])) (32 + (8 * i)) (t64))); - i <- i + 1; + (Array64.init + (WArray64.get8 + (WArray64.set64_direct (WArray64.init8 (fun i_0 => buf.[i_0])) + (32 + (8 * i)) t64))); + i <- (i + 1); } s_skp <- skp; kr <@ _sha3_512_64 (kr, buf); pkp <- s_skp; pkp <- (pkp + (W64.of_int (((12 * 3) * 256) `|>>` 3))); - ctpc <@ __indcpa_enc_1 (ctpc, (Array32.init (fun i_0 => buf.[0 + i_0])), - pkp, (Array32.init (fun i_0 => kr.[32 + i_0]))); + ctpc <@ __indcpa_enc_1 (ctpc, + (Array32.init (fun i_0 => buf.[(0 + i_0)])), pkp, + (Array32.init (fun i_0 => kr.[(32 + i_0)]))); ctp <- s_ctp; cnd <@ __verify (ctp, ctpc); s_cnd <- cnd; @@ -7330,14 +8414,12 @@ module M(SC:Syscall_t) = { _shake256_1120_32 (shkp, zp, ctp); shkp <- s_shkp; cnd <- s_cnd; - __cmov (shkp, (Array32.init (fun i_0 => kr.[0 + i_0])), cnd); + __cmov (shkp, (Array32.init (fun i_0 => kr.[(0 + i_0)])), cnd); return (); } - proc jade_kem_mlkem_mlkem768_amd64_avx2_keypair (public_key:W64.t, secret_key:W64.t) : W64.t = { - var r:W64.t; var randomness:W8.t Array64.t; var randomnessp:W8.t Array64.t; 
@@ -7353,16 +8435,14 @@ module M(SC:Syscall_t) = { secret_key <- secret_key; randomnessp <- randomness; randomnessp <@ SC.randombytes_64 (randomnessp); - _0 <- init_msf ; + _0 <- (init_msf); __crypto_kem_keypair_jazz (public_key, secret_key, randomnessp); - (_of_, _cf_, _sf_, _1, _zf_, r) <- set0_64 ; - return (r); + (_of_, _cf_, _sf_, _1, _zf_, r) <- (set0_64); + return r; } - proc jade_kem_mlkem_mlkem768_amd64_avx2_enc (ciphertext:W64.t, shared_secret:W64.t, public_key:W64.t) : W64.t = { - var r:W64.t; var randomness:W8.t Array32.t; var randomnessp:W8.t Array32.t; @@ -7379,17 +8459,15 @@ module M(SC:Syscall_t) = { public_key <- public_key; randomnessp <- randomness; randomnessp <@ SC.randombytes_32 (randomnessp); - _0 <- init_msf ; + _0 <- (init_msf); __crypto_kem_enc_jazz (ciphertext, shared_secret, public_key, randomnessp); - (_of_, _cf_, _sf_, _1, _zf_, r) <- set0_64 ; - return (r); + (_of_, _cf_, _sf_, _1, _zf_, r) <- (set0_64); + return r; } - proc jade_kem_mlkem_mlkem768_amd64_avx2_dec (shared_secret:W64.t, ciphertext:W64.t, secret_key:W64.t) : W64.t = { - var r:W64.t; var _of_:bool; var _cf_:bool; @@ -7397,11 +8475,9 @@ module M(SC:Syscall_t) = { var _zf_:bool; var _0:W64.t; var _1:bool; - - _0 <- init_msf ; + _0 <- (init_msf); __crypto_kem_dec_jazz (shared_secret, ciphertext, secret_key); - (_of_, _cf_, _sf_, _1, _zf_, r) <- set0_64 ; - return (r); + (_of_, _cf_, _sf_, _1, _zf_, r) <- (set0_64); + return r; } }. - diff --git a/code/jasmin/mlkem_ref/extraction/jkem.ec b/code/jasmin/mlkem_ref/extraction/jkem.ec index 631d5d3b..30b5808c 100644 --- a/code/jasmin/mlkem_ref/extraction/jkem.ec +++ b/code/jasmin/mlkem_ref/extraction/jkem.ec 
@@ -1,127 +1,132 @@ require import AllCore IntDiv CoreMap List Distr. -from Jasmin require import JModel_x86. -import SLH64. - -require import Array4 Array5 Array24 Array25 Array32 Array33 Array34 Array64 - Array128 Array168 Array256 Array768 Array960 Array1088 - Array2304. -require import WArray20 WArray32 WArray33 WArray34 WArray40 WArray64 - WArray128 WArray168 WArray192 WArray200 WArray256 WArray512 - WArray960 WArray1088 WArray1536 WArray4608. +from Jasmin require import JModel_x86. -abbrev jzetas_inv = Array128.of_list witness [W16.of_int 1701; -W16.of_int 1807; W16.of_int 1460; W16.of_int 2371; W16.of_int 2338; -W16.of_int 2333; W16.of_int 308; W16.of_int 108; W16.of_int 2851; -W16.of_int 870; W16.of_int 854; W16.of_int 1510; W16.of_int 2535; -W16.of_int 1278; W16.of_int 1530; W16.of_int 1185; W16.of_int 1659; -W16.of_int 1187; W16.of_int 3109; W16.of_int 874; W16.of_int 1335; -W16.of_int 2111; W16.of_int 136; W16.of_int 1215; W16.of_int 2945; -W16.of_int 1465; W16.of_int 1285; W16.of_int 2007; W16.of_int 2719; -W16.of_int 2726; W16.of_int 2232; W16.of_int 2512; W16.of_int 75; -W16.of_int 156; W16.of_int 3000; W16.of_int 2911; W16.of_int 2980; -W16.of_int 872; W16.of_int 2685; W16.of_int 1590; W16.of_int 2210; -W16.of_int 602; W16.of_int 1846; W16.of_int 777; W16.of_int 147; -W16.of_int 2170; W16.of_int 2551; W16.of_int 246; W16.of_int 1676; -W16.of_int 1755; W16.of_int 460; W16.of_int 291; W16.of_int 235; -W16.of_int 3152; W16.of_int 2742; W16.of_int 2907; W16.of_int 3224; -W16.of_int 1779; W16.of_int 2458; W16.of_int 1251; W16.of_int 2486; -W16.of_int 2774; W16.of_int 2899; W16.of_int 1103; W16.of_int 1275; -W16.of_int 2652; W16.of_int 1065; W16.of_int 2881; W16.of_int 725; -W16.of_int 1508; W16.of_int 2368; W16.of_int 398; W16.of_int 951; -W16.of_int 247; W16.of_int 1421; W16.of_int 3222; W16.of_int 2499; -W16.of_int 271; W16.of_int 90; W16.of_int 853; W16.of_int 1860; -W16.of_int 3203; W16.of_int 1162; W16.of_int 1618; W16.of_int 666; -W16.of_int 320; 
W16.of_int 8; W16.of_int 2813; W16.of_int 1544; -W16.of_int 282; W16.of_int 1838; W16.of_int 1293; W16.of_int 2314; -W16.of_int 552; W16.of_int 2677; W16.of_int 2106; W16.of_int 1571; -W16.of_int 205; W16.of_int 2918; W16.of_int 1542; W16.of_int 2721; -W16.of_int 2597; W16.of_int 2312; W16.of_int 681; W16.of_int 130; -W16.of_int 1602; W16.of_int 1871; W16.of_int 829; W16.of_int 2946; -W16.of_int 3065; W16.of_int 1325; W16.of_int 2756; W16.of_int 1861; -W16.of_int 1474; W16.of_int 1202; W16.of_int 2367; W16.of_int 3147; -W16.of_int 1752; W16.of_int 2707; W16.of_int 171; W16.of_int 3127; -W16.of_int 3042; W16.of_int 1907; W16.of_int 1836; W16.of_int 1517; -W16.of_int 359; W16.of_int 758; W16.of_int 1441]. +import SLH64. +require import +Array4 Array5 Array24 Array25 Array32 Array33 Array34 Array64 Array128 +Array168 Array256 Array768 Array960 Array1088 Array2304. -abbrev jzetas = Array128.of_list witness [W16.of_int 2285; W16.of_int 2571; -W16.of_int 2970; W16.of_int 1812; W16.of_int 1493; W16.of_int 1422; -W16.of_int 287; W16.of_int 202; W16.of_int 3158; W16.of_int 622; -W16.of_int 1577; W16.of_int 182; W16.of_int 962; W16.of_int 2127; -W16.of_int 1855; W16.of_int 1468; W16.of_int 573; W16.of_int 2004; -W16.of_int 264; W16.of_int 383; W16.of_int 2500; W16.of_int 1458; -W16.of_int 1727; W16.of_int 3199; W16.of_int 2648; W16.of_int 1017; -W16.of_int 732; W16.of_int 608; W16.of_int 1787; W16.of_int 411; -W16.of_int 3124; W16.of_int 1758; W16.of_int 1223; W16.of_int 652; -W16.of_int 2777; W16.of_int 1015; W16.of_int 2036; W16.of_int 1491; -W16.of_int 3047; W16.of_int 1785; W16.of_int 516; W16.of_int 3321; -W16.of_int 3009; W16.of_int 2663; W16.of_int 1711; W16.of_int 2167; -W16.of_int 126; W16.of_int 1469; W16.of_int 2476; W16.of_int 3239; -W16.of_int 3058; W16.of_int 830; W16.of_int 107; W16.of_int 1908; -W16.of_int 3082; W16.of_int 2378; W16.of_int 2931; W16.of_int 961; -W16.of_int 1821; W16.of_int 2604; W16.of_int 448; W16.of_int 2264; -W16.of_int 677; W16.of_int 
2054; W16.of_int 2226; W16.of_int 430; -W16.of_int 555; W16.of_int 843; W16.of_int 2078; W16.of_int 871; -W16.of_int 1550; W16.of_int 105; W16.of_int 422; W16.of_int 587; -W16.of_int 177; W16.of_int 3094; W16.of_int 3038; W16.of_int 2869; -W16.of_int 1574; W16.of_int 1653; W16.of_int 3083; W16.of_int 778; -W16.of_int 1159; W16.of_int 3182; W16.of_int 2552; W16.of_int 1483; -W16.of_int 2727; W16.of_int 1119; W16.of_int 1739; W16.of_int 644; -W16.of_int 2457; W16.of_int 349; W16.of_int 418; W16.of_int 329; -W16.of_int 3173; W16.of_int 3254; W16.of_int 817; W16.of_int 1097; -W16.of_int 603; W16.of_int 610; W16.of_int 1322; W16.of_int 2044; -W16.of_int 1864; W16.of_int 384; W16.of_int 2114; W16.of_int 3193; -W16.of_int 1218; W16.of_int 1994; W16.of_int 2455; W16.of_int 220; -W16.of_int 2142; W16.of_int 1670; W16.of_int 2144; W16.of_int 1799; -W16.of_int 2051; W16.of_int 794; W16.of_int 1819; W16.of_int 2475; -W16.of_int 2459; W16.of_int 478; W16.of_int 3221; W16.of_int 3021; -W16.of_int 996; W16.of_int 991; W16.of_int 958; W16.of_int 1869; -W16.of_int 1522; W16.of_int 1628]. +require import +WArray20 WArray32 WArray33 WArray34 WArray40 WArray64 WArray128 WArray168 +WArray192 WArray200 WArray256 WArray512 WArray960 WArray1088 WArray1536 +WArray4608. 
+abbrev jzetas_inv = +(Array128.of_list witness +[(W16.of_int 1701); (W16.of_int 1807); (W16.of_int 1460); (W16.of_int 2371); +(W16.of_int 2338); (W16.of_int 2333); (W16.of_int 308); (W16.of_int 108); +(W16.of_int 2851); (W16.of_int 870); (W16.of_int 854); (W16.of_int 1510); +(W16.of_int 2535); (W16.of_int 1278); (W16.of_int 1530); (W16.of_int 1185); +(W16.of_int 1659); (W16.of_int 1187); (W16.of_int 3109); (W16.of_int 874); +(W16.of_int 1335); (W16.of_int 2111); (W16.of_int 136); (W16.of_int 1215); +(W16.of_int 2945); (W16.of_int 1465); (W16.of_int 1285); (W16.of_int 2007); +(W16.of_int 2719); (W16.of_int 2726); (W16.of_int 2232); (W16.of_int 2512); +(W16.of_int 75); (W16.of_int 156); (W16.of_int 3000); (W16.of_int 2911); +(W16.of_int 2980); (W16.of_int 872); (W16.of_int 2685); (W16.of_int 1590); +(W16.of_int 2210); (W16.of_int 602); (W16.of_int 1846); (W16.of_int 777); +(W16.of_int 147); (W16.of_int 2170); (W16.of_int 2551); (W16.of_int 246); +(W16.of_int 1676); (W16.of_int 1755); (W16.of_int 460); (W16.of_int 291); +(W16.of_int 235); (W16.of_int 3152); (W16.of_int 2742); (W16.of_int 2907); +(W16.of_int 3224); (W16.of_int 1779); (W16.of_int 2458); (W16.of_int 1251); +(W16.of_int 2486); (W16.of_int 2774); (W16.of_int 2899); (W16.of_int 1103); +(W16.of_int 1275); (W16.of_int 2652); (W16.of_int 1065); (W16.of_int 2881); +(W16.of_int 725); (W16.of_int 1508); (W16.of_int 2368); (W16.of_int 398); +(W16.of_int 951); (W16.of_int 247); (W16.of_int 1421); (W16.of_int 3222); +(W16.of_int 2499); (W16.of_int 271); (W16.of_int 90); (W16.of_int 853); +(W16.of_int 1860); (W16.of_int 3203); (W16.of_int 1162); (W16.of_int 1618); +(W16.of_int 666); (W16.of_int 320); (W16.of_int 8); (W16.of_int 2813); +(W16.of_int 1544); (W16.of_int 282); (W16.of_int 1838); (W16.of_int 1293); +(W16.of_int 2314); (W16.of_int 552); (W16.of_int 2677); (W16.of_int 2106); +(W16.of_int 1571); (W16.of_int 205); (W16.of_int 2918); (W16.of_int 1542); +(W16.of_int 2721); (W16.of_int 2597); (W16.of_int 2312); 
(W16.of_int 681); +(W16.of_int 130); (W16.of_int 1602); (W16.of_int 1871); (W16.of_int 829); +(W16.of_int 2946); (W16.of_int 3065); (W16.of_int 1325); (W16.of_int 2756); +(W16.of_int 1861); (W16.of_int 1474); (W16.of_int 1202); (W16.of_int 2367); +(W16.of_int 3147); (W16.of_int 1752); (W16.of_int 2707); (W16.of_int 171); +(W16.of_int 3127); (W16.of_int 3042); (W16.of_int 1907); (W16.of_int 1836); +(W16.of_int 1517); (W16.of_int 359); (W16.of_int 758); (W16.of_int 1441)]). -abbrev kECCAK1600_RC = Array24.of_list witness [W64.of_int 1; -W64.of_int 32898; W64.of_int (-9223372036854742902); -W64.of_int (-9223372034707259392); W64.of_int 32907; W64.of_int 2147483649; -W64.of_int (-9223372034707259263); W64.of_int (-9223372036854743031); -W64.of_int 138; W64.of_int 136; W64.of_int 2147516425; W64.of_int 2147483658; -W64.of_int 2147516555; W64.of_int (-9223372036854775669); -W64.of_int (-9223372036854742903); W64.of_int (-9223372036854743037); -W64.of_int (-9223372036854743038); W64.of_int (-9223372036854775680); -W64.of_int 32778; W64.of_int (-9223372034707292150); -W64.of_int (-9223372034707259263); W64.of_int (-9223372036854742912); -W64.of_int 2147483649; W64.of_int (-9223372034707259384)]. 
+abbrev jzetas = +(Array128.of_list witness +[(W16.of_int 2285); (W16.of_int 2571); (W16.of_int 2970); (W16.of_int 1812); +(W16.of_int 1493); (W16.of_int 1422); (W16.of_int 287); (W16.of_int 202); +(W16.of_int 3158); (W16.of_int 622); (W16.of_int 1577); (W16.of_int 182); +(W16.of_int 962); (W16.of_int 2127); (W16.of_int 1855); (W16.of_int 1468); +(W16.of_int 573); (W16.of_int 2004); (W16.of_int 264); (W16.of_int 383); +(W16.of_int 2500); (W16.of_int 1458); (W16.of_int 1727); (W16.of_int 3199); +(W16.of_int 2648); (W16.of_int 1017); (W16.of_int 732); (W16.of_int 608); +(W16.of_int 1787); (W16.of_int 411); (W16.of_int 3124); (W16.of_int 1758); +(W16.of_int 1223); (W16.of_int 652); (W16.of_int 2777); (W16.of_int 1015); +(W16.of_int 2036); (W16.of_int 1491); (W16.of_int 3047); (W16.of_int 1785); +(W16.of_int 516); (W16.of_int 3321); (W16.of_int 3009); (W16.of_int 2663); +(W16.of_int 1711); (W16.of_int 2167); (W16.of_int 126); (W16.of_int 1469); +(W16.of_int 2476); (W16.of_int 3239); (W16.of_int 3058); (W16.of_int 830); +(W16.of_int 107); (W16.of_int 1908); (W16.of_int 3082); (W16.of_int 2378); +(W16.of_int 2931); (W16.of_int 961); (W16.of_int 1821); (W16.of_int 2604); +(W16.of_int 448); (W16.of_int 2264); (W16.of_int 677); (W16.of_int 2054); +(W16.of_int 2226); (W16.of_int 430); (W16.of_int 555); (W16.of_int 843); +(W16.of_int 2078); (W16.of_int 871); (W16.of_int 1550); (W16.of_int 105); +(W16.of_int 422); (W16.of_int 587); (W16.of_int 177); (W16.of_int 3094); +(W16.of_int 3038); (W16.of_int 2869); (W16.of_int 1574); (W16.of_int 1653); +(W16.of_int 3083); (W16.of_int 778); (W16.of_int 1159); (W16.of_int 3182); +(W16.of_int 2552); (W16.of_int 1483); (W16.of_int 2727); (W16.of_int 1119); +(W16.of_int 1739); (W16.of_int 644); (W16.of_int 2457); (W16.of_int 349); +(W16.of_int 418); (W16.of_int 329); (W16.of_int 3173); (W16.of_int 3254); +(W16.of_int 817); (W16.of_int 1097); (W16.of_int 603); (W16.of_int 610); +(W16.of_int 1322); (W16.of_int 2044); (W16.of_int 1864); 
(W16.of_int 384); +(W16.of_int 2114); (W16.of_int 3193); (W16.of_int 1218); (W16.of_int 1994); +(W16.of_int 2455); (W16.of_int 220); (W16.of_int 2142); (W16.of_int 1670); +(W16.of_int 2144); (W16.of_int 1799); (W16.of_int 2051); (W16.of_int 794); +(W16.of_int 1819); (W16.of_int 2475); (W16.of_int 2459); (W16.of_int 478); +(W16.of_int 3221); (W16.of_int 3021); (W16.of_int 996); (W16.of_int 991); +(W16.of_int 958); (W16.of_int 1869); (W16.of_int 1522); (W16.of_int 1628)]). +abbrev kECCAK1600_RC = +(Array24.of_list witness +[(W64.of_int 1); (W64.of_int 32898); (W64.of_int (-9223372036854742902)); +(W64.of_int (-9223372034707259392)); (W64.of_int 32907); +(W64.of_int 2147483649); (W64.of_int (-9223372034707259263)); +(W64.of_int (-9223372036854743031)); (W64.of_int 138); (W64.of_int 136); +(W64.of_int 2147516425); (W64.of_int 2147483658); (W64.of_int 2147516555); +(W64.of_int (-9223372036854775669)); (W64.of_int (-9223372036854742903)); +(W64.of_int (-9223372036854743037)); (W64.of_int (-9223372036854743038)); +(W64.of_int (-9223372036854775680)); (W64.of_int 32778); +(W64.of_int (-9223372034707292150)); (W64.of_int (-9223372034707259263)); +(W64.of_int (-9223372036854742912)); (W64.of_int 2147483649); +(W64.of_int (-9223372034707259384))]). module type Syscall_t = { - proc randombytes_32(_:W8.t Array32.t) : W8.t Array32.t - proc randombytes_64(_:W8.t Array64.t) : W8.t Array64.t + proc randombytes_32 (_:W8.t Array32.t) : W8.t Array32.t + proc randombytes_64 (_:W8.t Array64.t) : W8.t Array64.t }. 
module Syscall : Syscall_t = { - proc randombytes_32(a:W8.t Array32.t) : W8.t Array32.t = { - a <$ dmap WArray32.darray - (fun a => Array32.init (fun i => WArray32.get8 a i)); + proc randombytes_32 (a:W8.t Array32.t) : W8.t Array32.t = { + + a <$ + (dmap WArray32.darray + (fun a => (Array32.init (fun i => (WArray32.get8 a i))))); return a; } - - proc randombytes_64(a:W8.t Array64.t) : W8.t Array64.t = { - a <$ dmap WArray64.darray - (fun a => Array64.init (fun i => WArray64.get8 a i)); + proc randombytes_64 (a:W8.t Array64.t) : W8.t Array64.t = { + + a <$ + (dmap WArray64.darray + (fun a => (Array64.init (fun i => (WArray64.get8 a i))))); return a; } }. module M(SC:Syscall_t) = { proc __fqmul (a:W16.t, b:W16.t) : W16.t = { - var r:W16.t; var ad:W32.t; var bd:W32.t; var c:W32.t; var u:W32.t; var t:W32.t; - ad <- (sigextu32 a); bd <- (sigextu32 b); c <- (ad * bd); @@ -131,14 +136,11 @@ module M(SC:Syscall_t) = { t <- (t + c); t <- (t `|>>` (W8.of_int 16)); r <- (truncateu16 t); - return (r); + return r; } - proc __barrett_reduce (a:W16.t) : W16.t = { - var r:W16.t; var t:W32.t; - t <- (sigextu32 a); t <- (t * (W32.of_int 20159)); t <- (t `|>>` (W8.of_int 26)); @@ -146,31 +148,25 @@ module M(SC:Syscall_t) = { r <- (truncateu16 t); r <- a; r <- (r - (truncateu16 t)); - return (r); + return r; } - proc keccakf1600_index (x:int, y:int) : int = { - var r:int; - r <- ((x %% 5) + (5 * (y %% 5))); - return (r); + return r; } - proc keccakf1600_rho_offsets (i:int) : int = { - var aux: int; - + var aux:int; var r:int; var x:int; var y:int; var t:int; var z:int; - r <- 0; x <- 1; y <- 0; t <- 0; - while (t < 24) { + while ((t < 24)) { if ((i = (x + (5 * y)))) { r <- ((((t + 1) * (t + 2)) %/ 2) %% 64); } else { 
@@ -179,76 +175,67 @@ module M(SC:Syscall_t) = { z <- (((2 * x) + (3 * y)) %% 5); x <- y; y <- z; - t <- t + 1; + t <- (t + 1); } - return (r); + return r; } - proc keccakf1600_rhotates (x:int, y:int) : int = { - var r:int; var i:int; - i <@ keccakf1600_index (x, y); r <@ keccakf1600_rho_offsets (i); - return (r); + return r; } - proc keccakf1600_theta_sum (a:W64.t Array25.t) : W64.t Array5.t = { - var aux: int; - + var aux:int; var c:W64.t Array5.t; var x:int; var y:int; c <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { c.[x] <- a.[(x + 0)]; - x <- x + 1; + x <- (x + 1); } y <- 1; - while (y < 5) { + while ((y < 5)) { x <- 0; - while (x < 5) { + while ((x < 5)) { c.[x] <- (c.[x] `^` a.[(x + (y * 5))]); - x <- x + 1; + x <- (x + 1); } - y <- y + 1; + y <- (y + 1); } - return (c); + return c; } - proc keccakf1600_theta_rol (c:W64.t Array5.t) : W64.t Array5.t = { - var aux_1: bool; - var aux_0: bool; - var aux: int; - var aux_2: W64.t; - + var aux_1:bool; + var aux_0:bool; + var aux:int; + var aux_2:W64.t; var d:W64.t Array5.t; var x:int; var _0:bool; var _1:bool; d <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { d.[x] <- c.[((x + 1) %% 5)]; - (aux_1, aux_0, aux_2) <- ROL_64 d.[x] (W8.of_int 1); + (aux_1, aux_0, aux_2) <- (ROL_64 d.[x] (W8.of_int 1)); _0 <- aux_1; _1 <- aux_0; d.[x] <- aux_2; d.[x] <- (d.[x] `^` c.[(((x - 1) + 5) %% 5)]); - x <- x + 1; + x <- (x + 1); } - return (d); + return d; } - proc keccakf1600_rol_sum (a:W64.t Array25.t, d:W64.t Array5.t, y:int) : W64.t Array5.t = { - var aux_1: bool; - var aux_0: bool; - var aux: int; - var aux_2: W64.t; - + var aux_1:bool; + var aux_0:bool; + var aux:int; + var aux_2:W64.t; var b:W64.t Array5.t; var x:int; var x_:int; 
@@ -258,36 +245,33 @@ module M(SC:Syscall_t) = { var _1:bool; b <- witness; x <- 0; - while (x < 5) { + while ((x < 5)) { x_ <- ((x + (3 * y)) %% 5); y_ <- x; r <@ keccakf1600_rhotates (x_, y_); b.[x] <- a.[(x_ + (y_ * 5))]; b.[x] <- (b.[x] `^` d.[x_]); if ((r <> 0)) { - (aux_1, aux_0, aux_2) <- ROL_64 b.[x] (W8.of_int r); + (aux_1, aux_0, aux_2) <- (ROL_64 b.[x] (W8.of_int r)); _0 <- aux_1; _1 <- aux_0; b.[x] <- aux_2; } else { } - x <- x + 1; + x <- (x + 1); } - return (b); + return b; } - proc keccakf1600_set_row (e:W64.t Array25.t, b:W64.t Array5.t, y:int, s_rc:W64.t) : W64.t Array25.t = { - var aux: int; - + var aux:int; var x:int; var x1:int; var x2:int; var t:W64.t; - x <- 0; - while (x < 5) { + while ((x < 5)) { x1 <- ((x + 1) %% 5); x2 <- ((x + 2) %% 5); t <- b.[x1]; @@ -300,15 +284,13 @@ module M(SC:Syscall_t) = { } e.[(x + (y * 5))] <- t; - x <- x + 1; + x <- (x + 1); } - return (e); + return e; } - proc keccakf1600_round (e:W64.t Array25.t, a:W64.t Array25.t, rc:W64.t) : W64.t Array25.t = { - var aux: int; - + var aux:int; var s_rc:W64.t; var c:W64.t Array5.t; var d:W64.t Array5.t; @@ -321,16 +303,14 @@ module M(SC:Syscall_t) = { c <@ keccakf1600_theta_sum (a); d <@ keccakf1600_theta_rol (c); y <- 0; - while (y < 5) { + while ((y < 5)) { b <@ keccakf1600_rol_sum (a, d, y); e <@ keccakf1600_set_row (e, b, y, s_rc); - y <- y + 1; + y <- (y + 1); } - return (e); + return e; } - proc __keccakf1600 (a:W64.t Array25.t) : W64.t Array25.t = { - var rC:W64.t Array24.t; var s_e:W64.t Array25.t; var e:W64.t Array25.t; @@ -342,7 +322,6 @@ module M(SC:Syscall_t) = { rC <- kECCAK1600_RC; e <- s_e; c <- (W64.of_int 0); - while ((c \ult (W64.of_int (24 - 1)))) { rc <- rC.[(W64.to_uint c)]; e <@ keccakf1600_round (e, a, rc); 
@@ -350,51 +329,38 @@ module M(SC:Syscall_t) = { a <@ keccakf1600_round (a, e, rc); c <- (c + (W64.of_int 2)); } - return (a); + return a; } - proc _keccakf1600 (a:W64.t Array25.t) : W64.t Array25.t = { - - a <@ __keccakf1600 (a); - return (a); + return a; } - proc _keccakf1600_ (a:W64.t Array25.t) : W64.t Array25.t = { - - a <- a; a <@ _keccakf1600 (a); a <- a; - return (a); + return a; } - proc __st0 (state:W64.t Array25.t) : W64.t Array25.t = { - var aux: int; - + var aux:int; var i:int; - i <- 0; - while (i < 25) { + while ((i < 25)) { state.[i] <- (W64.of_int 0); - i <- i + 1; + i <- (i + 1); } - return (state); + return state; } - proc __add_full_block (state:W64.t Array25.t, in_0:W64.t, inlen:W64.t, r8:W64.t) : W64.t Array25.t * W64.t * W64.t = { - var r64:W64.t; var i:W64.t; var t:W64.t; - r64 <- r8; r64 <- (r64 `>>` (W8.of_int 3)); i <- (W64.of_int 0); - while ((i \ult r64)) { t <- (loadW64 Glob.mem (W64.to_uint (in_0 + ((W64.of_int 8) * i)))); state.[(W64.to_uint i)] <- (state.[(W64.to_uint i)] `^` t); 
@@ -404,51 +370,53 @@ module M(SC:Syscall_t) = { inlen <- (inlen - r8); return (state, in_0, inlen); } - proc __add_final_block (state:W64.t Array25.t, in_0:W64.t, inlen:W64.t, trail_byte:W8.t, r8:W64.t) : W64.t Array25.t = { - var inlen8:W64.t; var i:W64.t; var t:W64.t; var c:W8.t; - inlen8 <- inlen; inlen8 <- (inlen8 `>>` (W8.of_int 3)); i <- (W64.of_int 0); - while ((i \ult inlen8)) { t <- (loadW64 Glob.mem (W64.to_uint (in_0 + ((W64.of_int 8) * i)))); state.[(W64.to_uint i)] <- (state.[(W64.to_uint i)] `^` t); i <- (i + (W64.of_int 1)); } i <- (i `<<` (W8.of_int 3)); - while ((i \ult inlen)) { c <- (loadW8 Glob.mem (W64.to_uint (in_0 + i))); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i)) `^` c)))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) + (W64.to_uint i) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (W64.to_uint i)) `^` + c)))); i <- (i + (W64.of_int 1)); } state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i)) `^` trail_byte)))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) + (W64.to_uint i) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (W64.to_uint i)) `^` + trail_byte)))); i <- r8; i <- (i - (W64.of_int 1)); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (W64.to_uint i)) `^` (W8.of_int 128))))); - return (state); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) + (W64.to_uint i) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (W64.to_uint i)) `^` + (W8.of_int 128))))); + 
return state; } - proc _shake256_128_33 (out:W8.t Array128.t, in_0:W8.t Array33.t) : W8.t Array128.t = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var i:int; var c:W8.t; @@ -456,36 +424,39 @@ module M(SC:Syscall_t) = { (* Erased call to spill *) state <@ __st0 (state); i <- 0; - while (i < 33) { + while ((i < 33)) { c <- in_0.[i]; state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) i (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) i) `^` c)))); - i <- i + 1; + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) i + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) i) `^` c)))); + i <- (i + 1); } state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) 33 (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) 33) `^` (W8.of_int 31))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) 33 + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) 33) `^` + (W8.of_int 31))))); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (136 - 1) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (136 - 1)) `^` (W8.of_int 128))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) (136 - 1) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (136 - 1)) `^` + (W8.of_int 128))))); state <@ _keccakf1600_ (state); (* Erased call to unspill *) i <- 0; - while (i < 128) { - c <- (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) i); + while ((i < 128)) { + c <- (get8 (WArray200.init64 (fun i_0 => state.[i_0])) i); out.[i] <- c; - i <- i + 1; + i <- (i + 1); } - return (out); + return out; } - proc _shake256_1120_32 (out:W64.t, in0:W64.t, in1:W64.t) : unit = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var i:int; var t64:W64.t; 
@@ -497,18 +468,19 @@ module M(SC:Syscall_t) = { state <@ __st0 (state); aux <- (32 %/ 8); i <- 0; - while (i < aux) { + while ((i < aux)) { t64 <- (loadW64 Glob.mem (W64.to_uint (in0 + (W64.of_int (i * 8))))); state.[i] <- (state.[i] `^` t64); - i <- i + 1; + i <- (i + 1); } aux <- (136 %/ 8); i <- (32 %/ 8); - while (i < aux) { + while ((i < aux)) { t64 <- - (loadW64 Glob.mem (W64.to_uint (in1 + (W64.of_int ((i - (32 %/ 8)) * 8))))); + (loadW64 Glob.mem + (W64.to_uint (in1 + (W64.of_int ((i - (32 %/ 8)) * 8))))); state.[i] <- (state.[i] `^` t64); - i <- i + 1; + i <- (i + 1); } (* Erased call to spill *) state <@ _keccakf1600_ (state); @@ -516,7 +488,6 @@ module M(SC:Syscall_t) = { r8 <- (W64.of_int 136); ilen <- (W64.of_int (((3 * 320) + 128) - (136 - 32))); in1 <- (in1 + (W64.of_int (136 - 32))); - while ((r8 \ule ilen)) { (state, in1, ilen) <@ __add_full_block (state, in1, ilen, r8); (* Erased call to spill *) @@ -529,18 +500,16 @@ module M(SC:Syscall_t) = { (* Erased call to unspill *) aux <- (32 %/ 8); i <- 0; - while (i < aux) { + while ((i < aux)) { t64 <- state.[i]; Glob.mem <- - storeW64 Glob.mem (W64.to_uint (out + (W64.of_int (8 * i)))) (t64); - i <- i + 1; + (storeW64 Glob.mem (W64.to_uint (out + (W64.of_int (8 * i)))) t64); + i <- (i + 1); } return (); } - proc _sha3512_32 (out:W8.t Array64.t, in_0:W8.t Array32.t) : W8.t Array64.t = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var i:int; var c:W8.t; 
@@ -548,83 +517,85 @@ module M(SC:Syscall_t) = { (* Erased call to spill *) state <@ __st0 (state); i <- 0; - while (i < 32) { + while ((i < 32)) { c <- in_0.[i]; state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) i (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) i) `^` c)))); - i <- i + 1; + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) i + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) i) `^` c)))); + i <- (i + 1); } state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) 32 (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) 32) `^` (W8.of_int 6))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) 32 + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) 32) `^` (W8.of_int 6)) + ))); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (72 - 1) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (72 - 1)) `^` (W8.of_int 128))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) (72 - 1) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (72 - 1)) `^` + (W8.of_int 128))))); state <@ _keccakf1600_ (state); (* Erased call to unspill *) i <- 0; - while (i < 64) { - c <- (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) i); + while ((i < 64)) { + c <- (get8 (WArray200.init64 (fun i_0 => state.[i_0])) i); out.[i] <- c; - i <- i + 1; + i <- (i + 1); } - return (out); + return out; } - proc _shake128_absorb34 (state:W64.t Array25.t, in_0:W8.t Array34.t) : W64.t Array25.t = { - var aux: int; - + var aux:int; var i:int; var c:W8.t; - state <@ __st0 (state); i <- 0; - while (i < 34) { + while ((i < 34)) { c <- in_0.[i]; state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) i (( - (get8 
(WArray200.init64 (fun i_0 => (state).[i_0])) i) `^` c)))); - i <- i + 1; + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) i + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) i) `^` c)))); + i <- (i + 1); } state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) 34 (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) 34) `^` (W8.of_int 31))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) 34 + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) 34) `^` + (W8.of_int 31))))); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (168 - 1) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (168 - 1)) `^` (W8.of_int 128))))); - return (state); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) (168 - 1) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (168 - 1)) `^` + (W8.of_int 128))))); + return state; } - proc _shake128_squeezeblock (state:W64.t Array25.t, out:W8.t Array168.t) : W64.t Array25.t * W8.t Array168.t = { - var aux: int; - + var aux:int; var i:int; var c:W8.t; - (* Erased call to spill *) state <@ _keccakf1600_ (state); (* Erased call to unspill *) i <- 0; - while (i < 168) { - c <- (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) i); + while ((i < 168)) { + c <- (get8 (WArray200.init64 (fun i_0 => state.[i_0])) i); out.[i] <- c; - i <- i + 1; + i <- (i + 1); } return (state, out); } - proc _isha3_256 (out:W8.t Array32.t, in_0:W64.t, inlen:W64.t) : W8.t Array32.t = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var r8:W64.t; var ilen:W64.t; @@ -636,7 +607,6 @@ module M(SC:Syscall_t) = { state <@ __st0 (state); r8 <- (W64.of_int 136); ilen <- inlen; - while ((r8 \ule ilen)) { (state, in_0, ilen) <@ __add_full_block (state, in_0, ilen, r8); (* Erased call to spill *) 
@@ -648,61 +618,61 @@ module M(SC:Syscall_t) = { state <@ _keccakf1600_ (state); (* Erased call to unspill *) i <- 0; - while (i < 4) { + while ((i < 4)) { t64 <- state.[i]; out <- - Array32.init - (WArray32.get8 (WArray32.set64 (WArray32.init8 (fun i_0 => (out).[i_0])) i (t64))); - i <- i + 1; + (Array32.init + (WArray32.get8 + (WArray32.set64 (WArray32.init8 (fun i_0 => out.[i_0])) i t64))); + i <- (i + 1); } - return (out); + return out; } - proc _sha3_512_64 (out:W8.t Array64.t, in_0:W8.t Array64.t) : W8.t Array64.t = { - var aux: int; - + var aux:int; var state:W64.t Array25.t; var i:int; var t64:W64.t; state <- witness; state <@ __st0 (state); i <- 0; - while (i < 8) { - t64 <- (get64 (WArray64.init8 (fun i_0 => (in_0).[i_0])) i); + while ((i < 8)) { + t64 <- (get64 (WArray64.init8 (fun i_0 => in_0.[i_0])) i); state.[i] <- (state.[i] `^` t64); - i <- i + 1; + i <- (i + 1); } state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) 64 (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) 64) `^` (W8.of_int 6))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) 64 + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) 64) `^` (W8.of_int 6)) + ))); state <- - Array25.init - (WArray200.get64 (WArray200.set8 (WArray200.init64 (fun i_0 => (state).[i_0])) (72 - 1) (( - (get8 (WArray200.init64 (fun i_0 => (state).[i_0])) (72 - 1)) `^` (W8.of_int 128))))); + (Array25.init + (WArray200.get64 + (WArray200.set8 (WArray200.init64 (fun i_0 => state.[i_0])) (72 - 1) + ((get8 (WArray200.init64 (fun i_0 => state.[i_0])) (72 - 1)) `^` + (W8.of_int 128))))); (* Erased call to spill *) state <@ _keccakf1600_ (state); (* Erased call to unspill *) i <- 0; - while (i < 8) { + while ((i < 8)) { t64 <- state.[i]; out <- - Array64.init - (WArray64.get8 (WArray64.set64 (WArray64.init8 (fun i_0 => (out).[i_0])) i (t64))); - i <- i + 1; + (Array64.init + (WArray64.get8 + (WArray64.set64 
(WArray64.init8 (fun i_0 => out.[i_0])) i t64))); + i <- (i + 1); } - return (out); + return out; } - proc _poly_add2 (rp:W16.t Array256.t, bp:W16.t Array256.t) : W16.t Array256.t = { - var i:W64.t; var a:W16.t; var b:W16.t; var r:W16.t; - i <- (W64.of_int 0); - while ((i \ult (W64.of_int 256))) { a <- rp.[(W64.to_uint i)]; b <- bp.[(W64.to_uint i)]; @@ -710,17 +680,13 @@ module M(SC:Syscall_t) = { rp.[(W64.to_uint i)] <- r; i <- (i + (W64.of_int 1)); } - return (rp); + return rp; } - proc _poly_csubq (rp:W16.t Array256.t) : W16.t Array256.t = { - var i:W64.t; var t:W16.t; var b:W16.t; - i <- (W64.of_int 0); - while ((i \ult (W64.of_int 256))) { t <- rp.[(W64.to_uint i)]; t <- (t - (W16.of_int 3329)); @@ -731,12 +697,10 @@ module M(SC:Syscall_t) = { rp.[(W64.to_uint i)] <- t; i <- (i + (W64.of_int 1)); } - return (rp); + return rp; } - proc _poly_basemul (rp:W16.t Array256.t, ap:W16.t Array256.t, bp:W16.t Array256.t) : W16.t Array256.t = { - var srp:W16.t Array256.t; var i:W64.t; var zetasp:W16.t Array64.t; @@ -753,9 +717,8 @@ module M(SC:Syscall_t) = { zetasp <- witness; srp <- rp; i <- (W64.of_int 0); - while ((i \ult (W64.of_int (256 - 3)))) { - zetasp <- (Array64.init (fun i_0 => jzetas.[64 + i_0])); + zetasp <- (Array64.init (fun i_0 => jzetas.[(64 + i_0)])); zetasctr <- i; zetasctr <- (zetasctr `>>` (W8.of_int 2)); zeta_0 <- zetasp.[(W64.to_uint zetasctr)]; 
@@ -799,34 +762,26 @@ module M(SC:Syscall_t) = { srp <- rp; i <- (i + (W64.of_int 1)); } - return (rp); + return rp; } - proc __poly_reduce (rp:W16.t Array256.t) : W16.t Array256.t = { - var j:W64.t; var t:W16.t; - j <- (W64.of_int 0); - while ((j \ult (W64.of_int 256))) { t <- rp.[(W64.to_uint j)]; t <@ __barrett_reduce (t); rp.[(W64.to_uint j)] <- t; j <- (j + (W64.of_int 1)); } - return (rp); + return rp; } - proc _poly_compress (rp:W64.t, a:W16.t Array256.t) : W16.t Array256.t = { - var i:W64.t; var d0:W32.t; var d1:W32.t; - a <@ _poly_csubq (a); i <- (W64.of_int 0); - while ((i \ult (W64.of_int 128))) { d0 <- (zeroextu32 a.[(W64.to_uint ((W64.of_int 2) * i))]); d1 <- @@ -843,22 +798,18 @@ module M(SC:Syscall_t) = { d1 <- (d1 `&` (W32.of_int 15)); d1 <- (d1 `<<` (W8.of_int 4)); d0 <- (d0 `|` d1); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (rp + i)) ((truncateu8 d0)); + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (rp + i)) (truncateu8 d0)); i <- (i + (W64.of_int 1)); } - return (a); + return a; } - proc _i_poly_compress (rp:W8.t Array128.t, a:W16.t Array256.t) : W8.t Array128.t * W16.t Array256.t = { - var i:W64.t; var d0:W32.t; var d1:W32.t; - a <@ _poly_csubq (a); i <- (W64.of_int 0); - while ((i \ult (W64.of_int 128))) { d0 <- (zeroextu32 a.[(W64.to_uint ((W64.of_int 2) * i))]); d1 <- @@ -880,16 +831,12 @@ module M(SC:Syscall_t) = { } return (rp, a); } - proc _poly_decompress (rp:W16.t Array256.t, ap:W64.t) : W16.t Array256.t = { - var i:W64.t; var t:W8.t; var d0:W16.t; var d1:W16.t; - i <- (W64.of_int 0); - while ((i \ult (W64.of_int 128))) { t <- (loadW8 Glob.mem (W64.to_uint (ap + i))); d0 <- (zeroextu16 t); @@ -906,12 +853,10 @@ module M(SC:Syscall_t) = { rp.[(W64.to_uint (((W64.of_int 2) * i) + (W64.of_int 1)))] <- d1; i <- (i + (W64.of_int 1)); } - return (rp); + return rp; } - proc _poly_frombytes (rp:W16.t Array256.t, ap:W64.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var i:int; var c0:W8.t; var c1:W8.t; 
@@ -919,10 +864,9 @@ module M(SC:Syscall_t) = { var d0:W16.t; var t:W16.t; var d1:W16.t; - aux <- (256 %/ 2); i <- 0; - while (i < aux) { + while ((i < aux)) { c0 <- (loadW8 Glob.mem (W64.to_uint (ap + (W64.of_int (3 * i))))); c1 <- (loadW8 Glob.mem (W64.to_uint (ap + (W64.of_int ((3 * i) + 1))))); @@ -940,38 +884,31 @@ module M(SC:Syscall_t) = { d1 <- (d1 `|` t); rp.[(2 * i)] <- d0; rp.[((2 * i) + 1)] <- d1; - i <- i + 1; + i <- (i + 1); } - return (rp); + return rp; } - proc _poly_frommont (rp:W16.t Array256.t) : W16.t Array256.t = { - var dmont:W16.t; var i:W64.t; var r:W16.t; - dmont <- (W16.of_int 1353); i <- (W64.of_int 0); - while ((i \ult (W64.of_int 256))) { r <- rp.[(W64.to_uint i)]; r <@ __fqmul (r, dmont); rp.[(W64.to_uint i)] <- r; i <- (i + (W64.of_int 1)); } - return (rp); + return rp; } - proc _i_poly_frommsg (rp:W16.t Array256.t, ap:W8.t Array32.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var i:int; var c:W8.t; var t:W16.t; - i <- 0; - while (i < 32) { + while ((i < 32)) { c <- ap.[i]; t <- (zeroextu16 c); t <- (t `&` (W16.of_int 1)); @@ -1013,15 +950,13 @@ module M(SC:Syscall_t) = { t <- (t * (W16.of_int ((3329 + 1) %/ 2))); rp.[((8 * i) + 7)] <- t; c <- (c `>>` (W8.of_int 1)); - i <- i + 1; + i <- (i + 1); } - return (rp); + return rp; } - proc _poly_getnoise (rp:W16.t Array256.t, s_seed:W8.t Array32.t, nonce:W8.t) : W16.t Array256.t = { - var aux: int; - + var aux:int; var seed:W8.t Array32.t; var k:int; var c:W8.t; @@ -1037,16 +972,15 @@ module M(SC:Syscall_t) = { (* Erased call to spill *) seed <- s_seed; k <- 0; - while (k < 32) { + while ((k < 32)) { c <- seed.[k]; extseed.[k] <- c; - k <- k + 1; + k <- (k + 1); } extseed.[32] <- nonce; buf <@ _shake256_128_33 (buf, extseed); (* Erased call to unspill *) i <- (W64.of_int 0); - while ((i \ult (W64.of_int 128))) { c <- buf.[(W64.to_uint i)]; a <- c; 
@@ -1072,11 +1006,9 @@ module M(SC:Syscall_t) = { rp.[(W64.to_uint (((W64.of_int 2) * i) + (W64.of_int 1)))] <- t; i <- (i + (W64.of_int 1)); } - return (rp); + return rp; } - proc _poly_invntt (rp:W16.t Array256.t) : W16.t Array256.t = { - var zetasp:W16.t Array128.t; var zetasctr:W64.t; var len:W64.t; @@ -1092,17 +1024,14 @@ module M(SC:Syscall_t) = { zetasp <- jzetas_inv; zetasctr <- (W64.of_int 0); len <- (W64.of_int 2); - while ((len \ule (W64.of_int 128))) { start <- (W64.of_int 0); - while ((start \ult (W64.of_int 256))) { zeta_0 <- zetasp.[(W64.to_uint zetasctr)]; zetasctr <- (zetasctr + (W64.of_int 1)); j <- start; cmp <- start; cmp <- (cmp + len); - while ((j \ult cmp)) { t <- rp.[(W64.to_uint j)]; offset <- j; @@ -1124,18 +1053,15 @@ module M(SC:Syscall_t) = { } zeta_0 <- zetasp.[127]; j <- (W64.of_int 0); - while ((j \ult (W64.of_int 256))) { t <- rp.[(W64.to_uint j)]; t <@ __fqmul (t, zeta_0); rp.[(W64.to_uint j)] <- t; j <- (j + (W64.of_int 1)); } - return (rp); + return rp; } - proc _poly_ntt (rp:W16.t Array256.t) : W16.t Array256.t = { - var zetasp:W16.t Array128.t; var zetasctr:W64.t; var len:W64.t; @@ -1151,17 +1077,14 @@ module M(SC:Syscall_t) = { zetasp <- jzetas; zetasctr <- (W64.of_int 0); len <- (W64.of_int 128); - while (((W64.of_int 2) \ule len)) { start <- (W64.of_int 0); - while ((start \ult (W64.of_int 256))) { zetasctr <- (zetasctr + (W64.of_int 1)); zeta_0 <- zetasp.[(W64.to_uint zetasctr)]; j <- start; cmp <- start; cmp <- (cmp + len); - while ((j \ult cmp)) { s <- rp.[(W64.to_uint j)]; m <- s; @@ -1181,19 +1104,15 @@ module M(SC:Syscall_t) = { len <- (len `>>` (W8.of_int 1)); } rp <@ __poly_reduce (rp); - return (rp); + return rp; } - proc _poly_sub (rp:W16.t Array256.t, ap:W16.t Array256.t, bp:W16.t Array256.t) : W16.t Array256.t = { - var i:W64.t; var a:W16.t; var b:W16.t; var r:W16.t; - i <- (W64.of_int 0); - while ((i \ult (W64.of_int 256))) { a <- ap.[(W64.to_uint i)]; b <- bp.[(W64.to_uint i)]; 
@@ -1201,21 +1120,17 @@ module M(SC:Syscall_t) = { rp.[(W64.to_uint i)] <- r; i <- (i + (W64.of_int 1)); } - return (rp); + return rp; } - proc _poly_tobytes (rp:W64.t, a:W16.t Array256.t) : W16.t Array256.t = { - var i:W64.t; var j:W64.t; var t0:W16.t; var t1:W16.t; var d:W16.t; - a <@ _poly_csubq (a); i <- (W64.of_int 0); j <- (W64.of_int 0); - while ((i \ult (W64.of_int 256))) { t0 <- a.[(W64.to_uint i)]; i <- (i + (W64.of_int 1)); @@ -1223,38 +1138,35 @@ module M(SC:Syscall_t) = { i <- (i + (W64.of_int 1)); d <- t0; d <- (d `&` (W16.of_int 255)); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (rp + j)) ((truncateu8 d)); + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (rp + j)) (truncateu8 d)); j <- (j + (W64.of_int 1)); t0 <- (t0 `>>` (W8.of_int 8)); d <- t1; d <- (d `&` (W16.of_int 15)); d <- (d `<<` (W8.of_int 4)); d <- (d `|` t0); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (rp + j)) ((truncateu8 d)); + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (rp + j)) (truncateu8 d)); j <- (j + (W64.of_int 1)); t1 <- (t1 `>>` (W8.of_int 4)); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (rp + j)) ((truncateu8 t1)); + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (rp + j)) (truncateu8 t1)); j <- (j + (W64.of_int 1)); } - return (a); + return a; } - proc _i_poly_tomsg (rp:W8.t Array32.t, a:W16.t Array256.t) : W8.t Array32.t * W16.t Array256.t = { - var aux: int; - + var aux:int; var r:W8.t; var j:int; var i:int; var t:W16.t; var d:W32.t; - a <@ _poly_csubq (a); i <- 0; - while (i < 32) { + while ((i < 32)) { r <- (W8.of_int 0); j <- 0; - while (j < 8) { + while ((j < 8)) { t <- a.[((8 * i) + j)]; d <- (zeroextu32 t); d <- (d `<<` (W8.of_int 1)); 
@@ -1264,56 +1176,56 @@ module M(SC:Syscall_t) = { d <- (d `&` (W32.of_int 1)); d <- (d `<<` (W8.of_int j)); r <- (r `|` (truncateu8 d)); - j <- j + 1; + j <- (j + 1); } rp.[i] <- r; - i <- i + 1; + i <- (i + 1); } return (rp, a); } - proc __polyvec_add2 (r:W16.t Array768.t, b:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ _poly_add2 ((Array256.init (fun i => r.[0 + i])), - (Array256.init (fun i => b.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ _poly_add2 ((Array256.init (fun i => r.[256 + i])), - (Array256.init (fun i => b.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ _poly_add2 ((Array256.init (fun i => r.[(2 * 256) + i])), - (Array256.init (fun i => b.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ _poly_add2 ((Array256.init (fun i => r.[(0 + i)])), + (Array256.init (fun i => b.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ _poly_add2 ((Array256.init (fun i => r.[(256 + i)])), + (Array256.init (fun i => b.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ _poly_add2 ((Array256.init (fun i => r.[((2 * 256) + i)])), + (Array256.init (fun i => b.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_csubq (r:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ _poly_csubq ((Array256.init (fun i => r.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ _poly_csubq ((Array256.init (fun i => r.[256 + i]))); - r <- Array768.init - (fun 
i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ _poly_csubq ((Array256.init (fun i => r.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ _poly_csubq ((Array256.init (fun i => r.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ _poly_csubq ((Array256.init (fun i => r.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ _poly_csubq ((Array256.init (fun i => r.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_compress (rp:W64.t, a:W16.t Array768.t) : unit = { - var aux: int; - + var aux:int; var i:W64.t; var j:W64.t; var aa:W16.t Array768.t; @@ -1326,10 +1238,9 @@ module M(SC:Syscall_t) = { i <- (W64.of_int 0); j <- (W64.of_int 0); aa <@ __polyvec_csubq (a); - while ((i \ult (W64.of_int ((3 * 256) - 3)))) { k <- 0; - while (k < 4) { + while ((k < 4)) { t.[k] <- (zeroextu64 aa.[(W64.to_uint i)]); i <- (i + (W64.of_int 1)); t.[k] <- (t.[k] `<<` (W8.of_int 10)); 
@@ -1337,45 +1248,43 @@ module M(SC:Syscall_t) = { t.[k] <- (t.[k] * (W64.of_int 1290167)); t.[k] <- (t.[k] `>>` (W8.of_int 32)); t.[k] <- (t.[k] `&` (W64.of_int 1023)); - k <- k + 1; + k <- (k + 1); } c <- (truncateu16 t.[0]); c <- (c `&` (W16.of_int 255)); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (rp + j)) ((truncateu8 c)); + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (rp + j)) (truncateu8 c)); j <- (j + (W64.of_int 1)); b <- (truncateu16 t.[0]); b <- (b `>>` (W8.of_int 8)); c <- (truncateu16 t.[1]); c <- (c `<<` (W8.of_int 2)); c <- (c `|` b); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (rp + j)) ((truncateu8 c)); + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (rp + j)) (truncateu8 c)); j <- (j + (W64.of_int 1)); b <- (truncateu16 t.[1]); b <- (b `>>` (W8.of_int 6)); c <- (truncateu16 t.[2]); c <- (c `<<` (W8.of_int 4)); c <- (c `|` b); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (rp + j)) ((truncateu8 c)); + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (rp + j)) (truncateu8 c)); j <- (j + (W64.of_int 1)); b <- (truncateu16 t.[2]); b <- (b `>>` (W8.of_int 4)); c <- (truncateu16 t.[3]); c <- (c `<<` (W8.of_int 6)); c <- (c `|` b); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (rp + j)) ((truncateu8 c)); + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (rp + j)) (truncateu8 c)); j <- (j + (W64.of_int 1)); t.[3] <- (t.[3] `>>` (W8.of_int 2)); Glob.mem <- - storeW8 Glob.mem (W64.to_uint (rp + j)) ((truncateu8 t.[3])); + (storeW8 Glob.mem (W64.to_uint (rp + j)) (truncateu8 t.[3])); j <- (j + (W64.of_int 1)); } return (); } - proc __i_polyvec_compress (rp:W8.t Array960.t, a:W16.t Array768.t) : W8.t Array960.t = { - var aux: int; - + var aux:int; var i:W64.t; var j:W64.t; var aa:W16.t Array768.t; 
@@ -1388,10 +1297,9 @@ module M(SC:Syscall_t) = { i <- (W64.of_int 0); j <- (W64.of_int 0); aa <@ __polyvec_csubq (a); - while ((i \ult (W64.of_int ((3 * 256) - 3)))) { k <- 0; - while (k < 4) { + while ((k < 4)) { t.[k] <- (zeroextu64 aa.[(W64.to_uint i)]); i <- (i + (W64.of_int 1)); t.[k] <- (t.[k] `<<` (W8.of_int 10)); @@ -1399,7 +1307,7 @@ module M(SC:Syscall_t) = { t.[k] <- (t.[k] * (W64.of_int 1290167)); t.[k] <- (t.[k] `>>` (W8.of_int 32)); t.[k] <- (t.[k] `&` (W64.of_int 1023)); - k <- k + 1; + k <- (k + 1); } c <- (truncateu16 t.[0]); c <- (c `&` (W16.of_int 255)); @@ -1430,12 +1338,10 @@ module M(SC:Syscall_t) = { rp.[(W64.to_uint j)] <- (truncateu8 t.[3]); j <- (j + (W64.of_int 1)); } - return (rp); + return rp; } - proc __polyvec_decompress (ap:W64.t) : W16.t Array768.t = { - var aux: int; - + var aux:int; var r:W16.t Array768.t; var i:W64.t; var j:W64.t; @@ -1446,13 +1352,12 @@ module M(SC:Syscall_t) = { t <- witness; i <- (W64.of_int 0); j <- (W64.of_int 0); - while ((i \ult (W64.of_int ((3 * 256) - 3)))) { k <- 0; - while (k < 5) { + while ((k < 5)) { t.[k] <- (zeroextu32 (loadW8 Glob.mem (W64.to_uint (ap + j)))); j <- (j + (W64.of_int 1)); - k <- k + 1; + k <- (k + 1); } d <- t.[1]; t.[1] <- (t.[1] `>>` (W8.of_int 2)); 
@@ -1473,138 +1378,143 @@ module M(SC:Syscall_t) = { d <- (d `<<` (W8.of_int 2)); t.[3] <- (t.[3] `|` d); k <- 0; - while (k < 4) { + while ((k < 4)) { t.[k] <- (t.[k] * (W32.of_int 3329)); t.[k] <- (t.[k] + (W32.of_int 512)); t.[k] <- (t.[k] `>>` (W8.of_int 10)); r.[(W64.to_uint i)] <- (truncateu16 t.[k]); i <- (i + (W64.of_int 1)); - k <- k + 1; + k <- (k + 1); } } - return (r); + return r; } - proc __polyvec_frombytes (ap:W64.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - + var aux:W16.t Array256.t; var r:W16.t Array768.t; var pp:W64.t; r <- witness; pp <- ap; - aux <@ _poly_frombytes ((Array256.init (fun i => r.[0 + i])), pp); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); + aux <@ _poly_frombytes ((Array256.init (fun i => r.[(0 + i)])), pp); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); pp <- (pp + (W64.of_int 384)); - aux <@ _poly_frombytes ((Array256.init (fun i => r.[256 + i])), pp); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); + aux <@ _poly_frombytes ((Array256.init (fun i => r.[(256 + i)])), pp); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); pp <- (pp + (W64.of_int 384)); - aux <@ _poly_frombytes ((Array256.init (fun i => r.[(2 * 256) + i])), + aux <@ _poly_frombytes ((Array256.init (fun i => r.[((2 * 256) + i)])), pp); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; } - proc __polyvec_invntt (r:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ _poly_invntt ((Array256.init (fun i => r.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ _poly_invntt ((Array256.init (fun i => 
r.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ _poly_invntt ((Array256.init (fun i => r.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ _poly_invntt ((Array256.init (fun i => r.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ _poly_invntt ((Array256.init (fun i => r.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ _poly_invntt ((Array256.init (fun i => r.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_ntt (r:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ _poly_ntt ((Array256.init (fun i => r.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ _poly_ntt ((Array256.init (fun i => r.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ _poly_ntt ((Array256.init (fun i => r.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ _poly_ntt ((Array256.init (fun i => r.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ _poly_ntt ((Array256.init (fun i => r.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ _poly_ntt ((Array256.init (fun i => r.[((2 * 256) + i)]))); + r <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return 
r; + } proc __polyvec_pointwise_acc (a:W16.t Array768.t, b:W16.t Array768.t) : W16.t Array256.t = { - var r:W16.t Array256.t; var t:W16.t Array256.t; r <- witness; t <- witness; - r <@ _poly_basemul (r, (Array256.init (fun i => a.[0 + i])), - (Array256.init (fun i => b.[0 + i]))); - t <@ _poly_basemul (t, (Array256.init (fun i => a.[256 + i])), - (Array256.init (fun i => b.[256 + i]))); + r <@ _poly_basemul (r, (Array256.init (fun i => a.[(0 + i)])), + (Array256.init (fun i => b.[(0 + i)]))); + t <@ _poly_basemul (t, (Array256.init (fun i => a.[(256 + i)])), + (Array256.init (fun i => b.[(256 + i)]))); r <@ _poly_add2 (r, t); - t <@ _poly_basemul (t, (Array256.init (fun i => a.[(2 * 256) + i])), - (Array256.init (fun i => b.[(2 * 256) + i]))); + t <@ _poly_basemul (t, (Array256.init (fun i => a.[((2 * 256) + i)])), + (Array256.init (fun i => b.[((2 * 256) + i)]))); r <@ _poly_add2 (r, t); r <@ __poly_reduce (r); - return (r); + return r; } - proc __polyvec_reduce (r:W16.t Array768.t) : W16.t Array768.t = { - var aux: W16.t Array256.t; - - - - aux <@ __poly_reduce ((Array256.init (fun i => r.[0 + i]))); - r <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else r.[i]); - aux <@ __poly_reduce ((Array256.init (fun i => r.[256 + i]))); - r <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else r.[i]); - aux <@ __poly_reduce ((Array256.init (fun i => r.[(2 * 256) + i]))); - r <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else r.[i]); - return (r); - } - + var aux:W16.t Array256.t; + aux <@ __poly_reduce ((Array256.init (fun i => r.[(0 + i)]))); + r <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else r.[i]))); + aux <@ __poly_reduce ((Array256.init (fun i => r.[(256 + i)]))); + r <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else r.[i]))); + aux <@ __poly_reduce ((Array256.init (fun i => r.[((2 * 256) + i)]))); + r <- + 
(Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + r.[i])) + ); + return r; + } proc __polyvec_tobytes (rp:W64.t, a:W16.t Array768.t) : unit = { - var aux: W16.t Array256.t; - + var aux:W16.t Array256.t; var pp:W64.t; - pp <- rp; - aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[0 + i]))); - a <- Array768.init - (fun i => if 0 <= i < 0 + 256 then aux.[i-0] else a.[i]); + aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[(0 + i)]))); + a <- + (Array768.init + (fun i => (if (0 <= i < (0 + 256)) then aux.[(i - 0)] else a.[i]))); pp <- (pp + (W64.of_int 384)); - aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[256 + i]))); - a <- Array768.init - (fun i => if 256 <= i < 256 + 256 then aux.[i-256] else a.[i]); + aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[(256 + i)]))); + a <- + (Array768.init + (fun i => (if (256 <= i < (256 + 256)) then aux.[(i - 256)] else a.[i]))); pp <- (pp + (W64.of_int 384)); - aux <@ _poly_tobytes (pp, (Array256.init (fun i => a.[(2 * 256) + i]))); - a <- Array768.init - (fun i => if (2 * 256) <= i < (2 * 256) + 256 then aux.[i-(2 * 256)] - else a.[i]); + aux <@ _poly_tobytes (pp, + (Array256.init (fun i => a.[((2 * 256) + i)]))); + a <- + (Array768.init + (fun i => (if ((2 * 256) <= i < ((2 * 256) + 256)) then aux.[(i - + (2 * 256))] else + a.[i])) + ); return (); } - proc __rej_uniform (rp:W16.t Array256.t, offset:W64.t, buf:W8.t Array168.t) : W64.t * W16.t Array256.t = { - var ctr:W64.t; var ms:W64.t; var pos:W64.t; 
@@ -1612,64 +1522,61 @@ module M(SC:Syscall_t) = { var val1:W16.t; var t:W16.t; var val2:W16.t; - - ms <- init_msf ; + ms <- (init_msf); ctr <- offset; pos <- (W64.of_int 0); cond <- (pos \ult (W64.of_int (168 - 2))); while (cond) { - ms <- update_msf cond ms; + ms <- (update_msf cond ms); cond <- (ctr \ult (W64.of_int 256)); if (cond) { - ms <- update_msf cond ms; + ms <- (update_msf cond ms); val1 <- (zeroextu16 buf.[(W64.to_uint pos)]); - val1 <- protect_16 val1 ms; + val1 <- (protect_16 val1 ms); t <- (zeroextu16 buf.[(W64.to_uint (pos + (W64.of_int 1)))]); - t <- protect_16 t ms; + t <- (protect_16 t ms); val2 <- t; val2 <- (val2 `>>` (W8.of_int 4)); t <- (t `&` (W16.of_int 15)); t <- (t `<<` (W8.of_int 8)); val1 <- (val1 `|` t); t <- (zeroextu16 buf.[(W64.to_uint (pos + (W64.of_int 2)))]); - t <- protect_16 t ms; + t <- (protect_16 t ms); t <- (t `<<` (W8.of_int 4)); val2 <- (val2 `|` t); pos <- (pos + (W64.of_int 3)); cond <- (val1 \ult (W16.of_int 3329)); if (cond) { - ms <- update_msf cond ms; + ms <- (update_msf cond ms); rp.[(W64.to_uint ctr)] <- val1; ctr <- (ctr + (W64.of_int 1)); } else { - ms <- update_msf (! cond) ms; + ms <- (update_msf (! cond) ms); } cond <- (val2 \ult (W16.of_int 3329)); if (cond) { - ms <- update_msf cond ms; + ms <- (update_msf cond ms); cond <- (ctr \ult (W64.of_int 256)); if (cond) { - ms <- update_msf cond ms; + ms <- (update_msf cond ms); rp.[(W64.to_uint ctr)] <- val2; ctr <- (ctr + (W64.of_int 1)); } else { - ms <- update_msf (! cond) ms; + ms <- (update_msf (! cond) ms); } } else { - ms <- update_msf (! cond) ms; + ms <- (update_msf (! cond) ms); } } else { - ms <- update_msf (! cond) ms; + ms <- (update_msf (! cond) ms); pos <- (W64.of_int 168); } cond <- (pos \ult (W64.of_int (168 - 2))); } return (ctr, rp); } - proc __gen_matrix (seed:W8.t Array32.t, transposed:W64.t) : W16.t Array2304.t = { - var aux: int; - + var aux:int; var r:W16.t Array2304.t; var stransposed:W64.t; var j:int; 
@@ -1692,15 +1599,15 @@ module M(SC:Syscall_t) = { state <- witness; stransposed <- transposed; j <- 0; - while (j < 32) { + while ((j < 32)) { c <- seed.[j]; extseed.[j] <- c; - j <- j + 1; + j <- (j + 1); } i <- 0; - while (i < 3) { + while ((i < 3)) { j <- 0; - while (j < 3) { + while ((j < 3)) { transposed <- stransposed; if ((transposed = (W64.of_int 0))) { extseed.[32] <- (W8.of_int j); @@ -1711,7 +1618,6 @@ module M(SC:Syscall_t) = { } state <@ _shake128_absorb34 (state, extseed); ctr <- (W64.of_int 0); - while ((ctr \ult (W64.of_int 256))) { sctr <- ctr; (state, buf) <@ _shake128_squeezeblock (state, buf); @@ -1720,27 +1626,32 @@ module M(SC:Syscall_t) = { } k <- (W64.of_int 0); rij <- - (Array256.init (fun i_0 => r.[((i * (3 * 256)) + (j * 256)) + i_0])); - + (Array256.init (fun i_0 => r.[(((i * (3 * 256)) + (j * 256)) + i_0)]) + ); while ((k \ult (W64.of_int 256))) { t <- poly.[(W64.to_uint k)]; rij.[(W64.to_uint k)] <- t; k <- (k + (W64.of_int 1)); } - r <- Array2304.init - (fun i_0 => if ((i * (3 * 256)) + (j * 256)) <= i_0 < ((i * (3 * 256)) + (j * 256)) + 256 - then rij.[i_0-((i * (3 * 256)) + (j * 256))] else r.[i_0]); - j <- j + 1; + r <- + (Array2304.init + (fun i_0 => (if (((i * (3 * 256)) + (j * 256)) <= i_0 < (((i * + (3 * 256)) + + (j * 256)) + + 256)) then + rij.[(i_0 - ((i * (3 * 256)) + (j * 256)))] else + r.[i_0])) + ); + j <- (j + 1); } - i <- i + 1; + i <- (i + 1); } - return (r); + return r; } - - proc __indcpa_keypair (spkp:W64.t, sskp:W64.t, randomnessp:W8.t Array32.t) : unit = { - var aux: int; - var aux_0: W16.t Array256.t; - + proc __indcpa_keypair (spkp:W64.t, sskp:W64.t, randomnessp:W8.t Array32.t) : + unit = { + var aux:int; + var aux_0:W16.t Array256.t; var i:int; var t64:W64.t; var inbuf:W8.t Array32.t; 
@@ -1769,96 +1680,138 @@ module M(SC:Syscall_t) = { skpv <- witness; aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (randomnessp).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => randomnessp.[i_0])) i); inbuf <- - Array32.init - (WArray32.get8 (WArray32.set64 (WArray32.init8 (fun i_0 => (inbuf).[i_0])) i (t64))); - i <- i + 1; + (Array32.init + (WArray32.get8 + (WArray32.set64 (WArray32.init8 (fun i_0 => inbuf.[i_0])) i t64))); + i <- (i + 1); } buf <@ _sha3512_32 (buf, inbuf); aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray64.init8 (fun i_0 => (buf).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray64.init8 (fun i_0 => buf.[i_0])) i); publicseed <- - Array32.init - (WArray32.get8 (WArray32.set64 (WArray32.init8 (fun i_0 => (publicseed).[i_0])) i (t64))); - t64 <- - (get64 (WArray64.init8 (fun i_0 => (buf).[i_0])) (i + (32 %/ 8))); + (Array32.init + (WArray32.get8 + (WArray32.set64 (WArray32.init8 (fun i_0 => publicseed.[i_0])) i t64))); + t64 <- (get64 (WArray64.init8 (fun i_0 => buf.[i_0])) (i + (32 %/ 8))); noiseseed <- - Array32.init - (WArray32.get8 (WArray32.set64 (WArray32.init8 (fun i_0 => (noiseseed).[i_0])) i (t64))); - i <- i + 1; + (Array32.init + (WArray32.get8 + (WArray32.set64 (WArray32.init8 (fun i_0 => noiseseed.[i_0])) i t64))); + i <- (i + 1); } r_noiseseed <- noiseseed; s_noiseseed <- r_noiseseed; zero <- (W64.of_int 0); a <@ __gen_matrix (publicseed, zero); nonce <- (W8.of_int 0); - aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => skpv.[0 + i_0])), + aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => skpv.[(0 + i_0)])), s_noiseseed, nonce); - skpv <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_0.[i_0-0] - else skpv.[i_0]); + skpv <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_0.[(i_0 - 0)] else + skpv.[i_0])) + ); nonce <- (W8.of_int 1); - aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => skpv.[256 + 
i_0])), + aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => skpv.[(256 + i_0)])), s_noiseseed, nonce); - skpv <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_0.[i_0-256] - else skpv.[i_0]); + skpv <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_0.[(i_0 - 256)] else + skpv.[i_0])) + ); nonce <- (W8.of_int 2); - aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => skpv.[(2 * 256) + i_0])), + aux_0 <@ _poly_getnoise ((Array256.init + (fun i_0 => skpv.[((2 * 256) + i_0)])), s_noiseseed, nonce); - skpv <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_0.[i_0-(2 * 256)] else skpv.[i_0]); + skpv <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_0.[ + (i_0 - + (2 * 256))] else + skpv.[i_0])) + ); nonce <- (W8.of_int 3); - aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => e.[0 + i_0])), + aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => e.[(0 + i_0)])), s_noiseseed, nonce); - e <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_0.[i_0-0] else e.[i_0]); + e <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_0.[(i_0 - 0)] else + e.[i_0])) + ); nonce <- (W8.of_int 4); - aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => e.[256 + i_0])), + aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => e.[(256 + i_0)])), s_noiseseed, nonce); - e <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_0.[i_0-256] - else e.[i_0]); + e <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_0.[(i_0 - 256)] else + e.[i_0])) + ); nonce <- (W8.of_int 5); - aux_0 <@ _poly_getnoise ((Array256.init (fun i_0 => e.[(2 * 256) + i_0])), + aux_0 <@ _poly_getnoise ((Array256.init + (fun i_0 => e.[((2 * 256) + i_0)])), s_noiseseed, nonce); - e <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_0.[i_0-(2 * 256)] else e.[i_0]); + e <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) 
then aux_0.[ + (i_0 - + (2 * 256))] else + e.[i_0])) + ); skpv <@ __polyvec_ntt (skpv); e <@ __polyvec_ntt (e); - aux_0 <@ __polyvec_pointwise_acc ((Array768.init (fun i_0 => a.[0 + i_0])), + aux_0 <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => a.[(0 + i_0)])), skpv); - pkpv <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_0.[i_0-0] - else pkpv.[i_0]); - aux_0 <@ _poly_frommont ((Array256.init (fun i_0 => pkpv.[0 + i_0]))); - pkpv <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux_0.[i_0-0] - else pkpv.[i_0]); - aux_0 <@ __polyvec_pointwise_acc ((Array768.init (fun i_0 => a.[(3 * 256) + i_0])), + pkpv <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_0.[(i_0 - 0)] else + pkpv.[i_0])) + ); + aux_0 <@ _poly_frommont ((Array256.init (fun i_0 => pkpv.[(0 + i_0)]))); + pkpv <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux_0.[(i_0 - 0)] else + pkpv.[i_0])) + ); + aux_0 <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => a.[((3 * 256) + i_0)])), skpv); - pkpv <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_0.[i_0-256] - else pkpv.[i_0]); - aux_0 <@ _poly_frommont ((Array256.init (fun i_0 => pkpv.[256 + i_0]))); - pkpv <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux_0.[i_0-256] - else pkpv.[i_0]); - aux_0 <@ __polyvec_pointwise_acc ((Array768.init (fun i_0 => a.[(2 * (3 * 256)) + i_0])), + pkpv <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_0.[(i_0 - 256)] else + pkpv.[i_0])) + ); + aux_0 <@ _poly_frommont ((Array256.init (fun i_0 => pkpv.[(256 + i_0)]))); + pkpv <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux_0.[(i_0 - 256)] else + pkpv.[i_0])) + ); + aux_0 <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => a.[((2 * (3 * 256)) + i_0)]) + ), skpv); - pkpv <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_0.[i_0-(2 * 256)] else pkpv.[i_0]); - aux_0 <@ _poly_frommont 
((Array256.init (fun i_0 => pkpv.[(2 * 256) + i_0]))); - pkpv <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux_0.[i_0-(2 * 256)] else pkpv.[i_0]); + pkpv <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_0.[ + (i_0 - + (2 * 256))] else + pkpv.[i_0])) + ); + aux_0 <@ _poly_frommont ((Array256.init + (fun i_0 => pkpv.[((2 * 256) + i_0)]))); + pkpv <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux_0.[ + (i_0 - + (2 * 256))] else + pkpv.[i_0])) + ); pkpv <@ __polyvec_add2 (pkpv, e); pkpv <@ __polyvec_reduce (pkpv); pkp <- spkp; @@ -1868,20 +1821,18 @@ module M(SC:Syscall_t) = { pkp <- (pkp + (W64.of_int (3 * 384))); aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (publicseed).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => publicseed.[i_0])) i); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (pkp + (W64.of_int 0))) (t64); + (storeW64 Glob.mem (W64.to_uint (pkp + (W64.of_int 0))) t64); pkp <- (pkp + (W64.of_int 8)); - i <- i + 1; + i <- (i + 1); } return (); } - proc __indcpa_enc (sctp:W64.t, msgp:W8.t Array32.t, pkp:W64.t, noiseseed:W8.t Array32.t) : unit = { - var aux: W16.t Array256.t; - + var aux:W16.t Array256.t; var s_noiseseed:W8.t Array32.t; var pkpv:W16.t Array768.t; var i:W64.t; 
@@ -1910,69 +1861,102 @@ module M(SC:Syscall_t) = { pkpv <@ __polyvec_frombytes (pkp); i <- (W64.of_int 0); pkp <- (pkp + (W64.of_int (3 * 384))); - while ((i \ult (W64.of_int (32 %/ 8)))) { t64 <- (loadW64 Glob.mem (W64.to_uint (pkp + (W64.of_int 0)))); publicseed <- - Array32.init - (WArray32.get8 (WArray32.set64_direct (WArray32.init8 (fun i_0 => (publicseed).[i_0])) (8 * (W64.to_uint i)) (t64))); + (Array32.init + (WArray32.get8 + (WArray32.set64_direct (WArray32.init8 (fun i_0 => publicseed.[i_0])) + (8 * (W64.to_uint i)) t64))); pkp <- (pkp + (W64.of_int 8)); i <- (i + (W64.of_int 1)); } k <@ _i_poly_frommsg (k, msgp); aat <@ __gen_matrix (publicseed, (W64.of_int 1)); nonce <- (W8.of_int 0); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[0 + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[(0 + i_0)])), s_noiseseed, nonce); - sp_0 <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] - else sp_0.[i_0]); + sp_0 <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + sp_0.[i_0])) + ); nonce <- (W8.of_int 1); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[256 + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[(256 + i_0)])), s_noiseseed, nonce); - sp_0 <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux.[i_0-256] - else sp_0.[i_0]); + sp_0 <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux.[(i_0 - 256)] else + sp_0.[i_0])) + ); nonce <- (W8.of_int 2); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[(2 * 256) + i_0])), + aux <@ _poly_getnoise ((Array256.init + (fun i_0 => sp_0.[((2 * 256) + i_0)])), s_noiseseed, nonce); - sp_0 <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux.[i_0-(2 * 256)] else sp_0.[i_0]); + sp_0 <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux.[ + (i_0 - + (2 * 256))] else + sp_0.[i_0])) + ); nonce <- (W8.of_int 3); - aux <@ 
_poly_getnoise ((Array256.init (fun i_0 => ep.[0 + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[(0 + i_0)])), s_noiseseed, nonce); - ep <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] else ep.[i_0]); + ep <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + ep.[i_0])) + ); nonce <- (W8.of_int 4); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[256 + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[(256 + i_0)])), s_noiseseed, nonce); - ep <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux.[i_0-256] - else ep.[i_0]); + ep <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux.[(i_0 - 256)] else + ep.[i_0])) + ); nonce <- (W8.of_int 5); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[(2 * 256) + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[((2 * 256) + i_0)]) + ), s_noiseseed, nonce); - ep <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux.[i_0-(2 * 256)] else ep.[i_0]); + ep <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux.[ + (i_0 - + (2 * 256))] else + ep.[i_0])) + ); nonce <- (W8.of_int 6); epp <@ _poly_getnoise (epp, s_noiseseed, nonce); sp_0 <@ __polyvec_ntt (sp_0); - aux <@ __polyvec_pointwise_acc ((Array768.init (fun i_0 => aat.[0 + i_0])), + aux <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => aat.[(0 + i_0)])), sp_0); - bp <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] else bp.[i_0]); - aux <@ __polyvec_pointwise_acc ((Array768.init (fun i_0 => aat.[(3 * 256) + i_0])), + bp <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + bp.[i_0])) + ); + aux <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => aat.[((3 * 256) + i_0)])), sp_0); - bp <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux.[i_0-256] - else bp.[i_0]); - aux <@ __polyvec_pointwise_acc 
((Array768.init (fun i_0 => aat.[(2 * (3 * 256)) + i_0])), + bp <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux.[(i_0 - 256)] else + bp.[i_0])) + ); + aux <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => aat.[((2 * (3 * 256)) + i_0)]) + ), sp_0); - bp <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux.[i_0-(2 * 256)] else bp.[i_0]); + bp <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux.[ + (i_0 - + (2 * 256))] else + bp.[i_0])) + ); v <@ __polyvec_pointwise_acc (pkpv, sp_0); bp <@ __polyvec_invntt (bp); v <@ _poly_invntt (v); @@ -1987,13 +1971,11 @@ module M(SC:Syscall_t) = { v <@ _poly_compress (ctp, v); return (); } - proc __iindcpa_enc (ctp:W8.t Array1088.t, msgp:W8.t Array32.t, pkp:W64.t, noiseseed:W8.t Array32.t) : W8.t Array1088.t = { - var aux_1: W8.t Array128.t; - var aux_0: W8.t Array960.t; - var aux: W16.t Array256.t; - + var aux_1:W8.t Array128.t; + var aux_0:W8.t Array960.t; + var aux:W16.t Array256.t; var s_noiseseed:W8.t Array32.t; var sctp:W8.t Array1088.t; var pkpv:W16.t Array768.t; 
@@ -2024,69 +2006,102 @@ module M(SC:Syscall_t) = { pkpv <@ __polyvec_frombytes (pkp); i <- (W64.of_int 0); pkp <- (pkp + (W64.of_int (3 * 384))); - while ((i \ult (W64.of_int (32 %/ 8)))) { t64 <- (loadW64 Glob.mem (W64.to_uint (pkp + (W64.of_int 0)))); publicseed <- - Array32.init - (WArray32.get8 (WArray32.set64_direct (WArray32.init8 (fun i_0 => (publicseed).[i_0])) (8 * (W64.to_uint i)) (t64))); + (Array32.init + (WArray32.get8 + (WArray32.set64_direct (WArray32.init8 (fun i_0 => publicseed.[i_0])) + (8 * (W64.to_uint i)) t64))); pkp <- (pkp + (W64.of_int 8)); i <- (i + (W64.of_int 1)); } k <@ _i_poly_frommsg (k, msgp); aat <@ __gen_matrix (publicseed, (W64.of_int 1)); nonce <- (W8.of_int 0); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[0 + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[(0 + i_0)])), s_noiseseed, nonce); - sp_0 <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] - else sp_0.[i_0]); + sp_0 <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + sp_0.[i_0])) + ); nonce <- (W8.of_int 1); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[256 + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[(256 + i_0)])), s_noiseseed, nonce); - sp_0 <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux.[i_0-256] - else sp_0.[i_0]); + sp_0 <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux.[(i_0 - 256)] else + sp_0.[i_0])) + ); nonce <- (W8.of_int 2); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => sp_0.[(2 * 256) + i_0])), + aux <@ _poly_getnoise ((Array256.init + (fun i_0 => sp_0.[((2 * 256) + i_0)])), s_noiseseed, nonce); - sp_0 <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux.[i_0-(2 * 256)] else sp_0.[i_0]); + sp_0 <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux.[ + (i_0 - + (2 * 256))] else + sp_0.[i_0])) + ); nonce <- (W8.of_int 3); - aux <@ 
_poly_getnoise ((Array256.init (fun i_0 => ep.[0 + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[(0 + i_0)])), s_noiseseed, nonce); - ep <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] else ep.[i_0]); + ep <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + ep.[i_0])) + ); nonce <- (W8.of_int 4); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[256 + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[(256 + i_0)])), s_noiseseed, nonce); - ep <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux.[i_0-256] - else ep.[i_0]); + ep <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux.[(i_0 - 256)] else + ep.[i_0])) + ); nonce <- (W8.of_int 5); - aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[(2 * 256) + i_0])), + aux <@ _poly_getnoise ((Array256.init (fun i_0 => ep.[((2 * 256) + i_0)]) + ), s_noiseseed, nonce); - ep <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux.[i_0-(2 * 256)] else ep.[i_0]); + ep <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux.[ + (i_0 - + (2 * 256))] else + ep.[i_0])) + ); nonce <- (W8.of_int 6); epp <@ _poly_getnoise (epp, s_noiseseed, nonce); sp_0 <@ __polyvec_ntt (sp_0); - aux <@ __polyvec_pointwise_acc ((Array768.init (fun i_0 => aat.[0 + i_0])), + aux <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => aat.[(0 + i_0)])), sp_0); - bp <- Array768.init - (fun i_0 => if 0 <= i_0 < 0 + 256 then aux.[i_0-0] else bp.[i_0]); - aux <@ __polyvec_pointwise_acc ((Array768.init (fun i_0 => aat.[(3 * 256) + i_0])), + bp <- + (Array768.init + (fun i_0 => (if (0 <= i_0 < (0 + 256)) then aux.[(i_0 - 0)] else + bp.[i_0])) + ); + aux <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => aat.[((3 * 256) + i_0)])), sp_0); - bp <- Array768.init - (fun i_0 => if 256 <= i_0 < 256 + 256 then aux.[i_0-256] - else bp.[i_0]); - aux <@ __polyvec_pointwise_acc 
((Array768.init (fun i_0 => aat.[(2 * (3 * 256)) + i_0])), + bp <- + (Array768.init + (fun i_0 => (if (256 <= i_0 < (256 + 256)) then aux.[(i_0 - 256)] else + bp.[i_0])) + ); + aux <@ __polyvec_pointwise_acc ((Array768.init + (fun i_0 => aat.[((2 * (3 * 256)) + i_0)]) + ), sp_0); - bp <- Array768.init - (fun i_0 => if (2 * 256) <= i_0 < (2 * 256) + 256 - then aux.[i_0-(2 * 256)] else bp.[i_0]); + bp <- + (Array768.init + (fun i_0 => (if ((2 * 256) <= i_0 < ((2 * 256) + 256)) then aux.[ + (i_0 - + (2 * 256))] else + bp.[i_0])) + ); v <@ __polyvec_pointwise_acc (pkpv, sp_0); bp <@ __polyvec_invntt (bp); v <@ _poly_invntt (v); @@ -2096,23 +2111,28 @@ module M(SC:Syscall_t) = { bp <@ __polyvec_reduce (bp); v <@ __poly_reduce (v); ctp <- sctp; - aux_0 <@ __i_polyvec_compress ((Array960.init (fun i_0 => ctp.[0 + i_0])), + aux_0 <@ __i_polyvec_compress ((Array960.init + (fun i_0 => ctp.[(0 + i_0)])), bp); - ctp <- Array1088.init - (fun i_0 => if 0 <= i_0 < 0 + 960 then aux_0.[i_0-0] - else ctp.[i_0]); - (aux_1, - aux) <@ _i_poly_compress ((Array128.init (fun i_0 => ctp.[(3 * 320) + i_0])), + ctp <- + (Array1088.init + (fun i_0 => (if (0 <= i_0 < (0 + 960)) then aux_0.[(i_0 - 0)] else + ctp.[i_0])) + ); + (aux_1, aux) <@ _i_poly_compress ((Array128.init + (fun i_0 => ctp.[((3 * 320) + i_0)])), v); - ctp <- Array1088.init - (fun i_0 => if (3 * 320) <= i_0 < (3 * 320) + 128 - then aux_1.[i_0-(3 * 320)] else ctp.[i_0]); + ctp <- + (Array1088.init + (fun i_0 => (if ((3 * 320) <= i_0 < ((3 * 320) + 128)) then aux_1.[ + (i_0 - + (3 * 320))] else + ctp.[i_0])) + ); v <- aux; - return (ctp); + return ctp; } - proc __indcpa_dec (msgp:W8.t Array32.t, ctp:W64.t, skp:W64.t) : W8.t Array32.t = { - var bp:W16.t Array768.t; var v:W16.t Array256.t; var skpv:W16.t Array768.t; 
@@ -2133,59 +2153,51 @@ module M(SC:Syscall_t) = { mp <@ _poly_sub (mp, v, t); mp <@ __poly_reduce (mp); (msgp, mp) <@ _i_poly_tomsg (msgp, mp); - return (msgp); + return msgp; } - proc __verify (ctp:W64.t, ctpc:W8.t Array1088.t) : W64.t = { - var aux: int; - + var aux:int; var cnd:W64.t; var i:int; var t1:W8.t; var t2:W8.t; var t64:W64.t; - cnd <- (W64.of_int 0); aux <- ((3 * 320) + 128); i <- 0; - while (i < aux) { - t1 <- (get8_direct (WArray1088.init8 (fun i_0 => (ctpc).[i_0])) i); + while ((i < aux)) { + t1 <- (get8_direct (WArray1088.init8 (fun i_0 => ctpc.[i_0])) i); t2 <- (loadW8 Glob.mem (W64.to_uint (ctp + (W64.of_int i)))); t1 <- (t1 `^` t2); t64 <- (zeroextu64 t1); cnd <- (cnd `|` t64); - i <- i + 1; + i <- (i + 1); } cnd <- (- cnd); cnd <- (cnd `>>` (W8.of_int 63)); - return (cnd); + return cnd; } - proc __cmov (dst:W64.t, src:W8.t Array32.t, cnd:W64.t) : unit = { - var aux: int; - + var aux:int; var i:int; var t2:W8.t; var t1:W8.t; - cnd <- (- cnd); i <- 0; - while (i < 32) { + while ((i < 32)) { t2 <- (loadW8 Glob.mem (W64.to_uint (dst + (W64.of_int i)))); - t1 <- (get8_direct (WArray32.init8 (fun i_0 => (src).[i_0])) i); + t1 <- (get8_direct (WArray32.init8 (fun i_0 => src.[i_0])) i); t2 <- (t2 `^` t1); t2 <- (t2 `&` (truncateu8 cnd)); t1 <- (t1 `^` t2); - Glob.mem <- storeW8 Glob.mem (W64.to_uint (dst + (W64.of_int i))) (t1); - i <- i + 1; + Glob.mem <- (storeW8 Glob.mem (W64.to_uint (dst + (W64.of_int i))) t1); + i <- (i + 1); } return (); } - proc __crypto_kem_keypair_jazz (pkp:W64.t, skp:W64.t, randomnessp:W8.t Array64.t) : unit = { - var aux: int; - + var aux:int; var s_randomnessp:W8.t Array64.t; var s_pkp:W64.t; var s_skp:W64.t; 
@@ -2201,19 +2213,19 @@ module M(SC:Syscall_t) = { s_randomnessp <- randomnessp; s_pkp <- pkp; s_skp <- skp; - randomnessp1 <- (Array32.init (fun i_0 => randomnessp.[0 + i_0])); + randomnessp1 <- (Array32.init (fun i_0 => randomnessp.[(0 + i_0)])); __indcpa_keypair (s_pkp, s_skp, randomnessp1); skp <- s_skp; skp <- (skp + (W64.of_int (3 * 384))); pkp <- s_pkp; aux <- (((3 * 384) + 32) %/ 8); i <- 0; - while (i < aux) { + while ((i < aux)) { t64 <- (loadW64 Glob.mem (W64.to_uint (pkp + (W64.of_int (8 * i))))); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) (t64); + (storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) t64); skp <- (skp + (W64.of_int 8)); - i <- i + 1; + i <- (i + 1); } s_skp <- skp; pkp <- s_pkp; 
@@ -2221,32 +2233,30 @@ module M(SC:Syscall_t) = { h_pk <@ _isha3_256 (h_pk, pkp, t64); skp <- s_skp; i <- 0; - while (i < 4) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (h_pk).[i_0])) i); + while ((i < 4)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => h_pk.[i_0])) i); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) (t64); + (storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) t64); skp <- (skp + (W64.of_int 8)); - i <- i + 1; + i <- (i + 1); } randomnessp <- s_randomnessp; - randomnessp2 <- (Array32.init (fun i_0 => randomnessp.[32 + i_0])); + randomnessp2 <- (Array32.init (fun i_0 => randomnessp.[(32 + i_0)])); aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (randomnessp2).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => randomnessp2.[i_0])) i); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) (t64); + (storeW64 Glob.mem (W64.to_uint (skp + (W64.of_int 0))) t64); skp <- (skp + (W64.of_int 8)); - i <- i + 1; + i <- (i + 1); } return (); } - proc __crypto_kem_enc_jazz (ctp:W64.t, shkp:W64.t, pkp:W64.t, randomnessp:W8.t Array32.t) : unit = { - var aux: int; - var aux_0: W8.t Array32.t; - + var aux:int; + var aux_0:W8.t Array32.t; var s_pkp:W64.t; var s_ctp:W64.t; var s_shkp:W64.t; 
@@ -2261,40 +2271,41 @@ module M(SC:Syscall_t) = { s_shkp <- shkp; aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray32.init8 (fun i_0 => (randomnessp).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray32.init8 (fun i_0 => randomnessp.[i_0])) i); buf <- - Array64.init - (WArray64.get8 (WArray64.set64 (WArray64.init8 (fun i_0 => (buf).[i_0])) i (t64))); - i <- i + 1; + (Array64.init + (WArray64.get8 + (WArray64.set64 (WArray64.init8 (fun i_0 => buf.[i_0])) i t64))); + i <- (i + 1); } pkp <- s_pkp; t64 <- (W64.of_int ((3 * 384) + 32)); - aux_0 <@ _isha3_256 ((Array32.init (fun i_0 => buf.[32 + i_0])), pkp, - t64); - buf <- Array64.init - (fun i_0 => if 32 <= i_0 < 32 + 32 then aux_0.[i_0-32] - else buf.[i_0]); + aux_0 <@ _isha3_256 ((Array32.init (fun i_0 => buf.[(32 + i_0)])), + pkp, t64); + buf <- + (Array64.init + (fun i_0 => (if (32 <= i_0 < (32 + 32)) then aux_0.[(i_0 - 32)] else + buf.[i_0])) + ); kr <@ _sha3_512_64 (kr, buf); pkp <- s_pkp; - __indcpa_enc (s_ctp, (Array32.init (fun i_0 => buf.[0 + i_0])), pkp, - (Array32.init (fun i_0 => kr.[32 + i_0]))); + __indcpa_enc (s_ctp, (Array32.init (fun i_0 => buf.[(0 + i_0)])), + pkp, (Array32.init (fun i_0 => kr.[(32 + i_0)]))); shkp <- s_shkp; aux <- (32 %/ 8); i <- 0; - while (i < aux) { - t64 <- (get64 (WArray64.init8 (fun i_0 => (kr).[i_0])) i); + while ((i < aux)) { + t64 <- (get64 (WArray64.init8 (fun i_0 => kr.[i_0])) i); Glob.mem <- - storeW64 Glob.mem (W64.to_uint (shkp + (W64.of_int (8 * i)))) (t64); - i <- i + 1; + (storeW64 Glob.mem (W64.to_uint (shkp + (W64.of_int (8 * i)))) t64); + i <- (i + 1); } return (); } - proc __crypto_kem_dec_jazz (shkp:W64.t, ctp:W64.t, skp:W64.t) : unit = { - var aux_0: int; - var aux: W8.t Array32.t; - + var aux_0:int; + var aux:W8.t Array32.t; var s_shkp:W64.t; var s_ctp:W64.t; var buf:W8.t Array64.t; 
@@ -2313,27 +2324,31 @@ module M(SC:Syscall_t) = { kr <- witness; s_shkp <- shkp; s_ctp <- ctp; - aux <@ __indcpa_dec ((Array32.init (fun i_0 => buf.[0 + i_0])), ctp, - skp); - buf <- Array64.init - (fun i_0 => if 0 <= i_0 < 0 + 32 then aux.[i_0-0] else buf.[i_0]); + aux <@ __indcpa_dec ((Array32.init (fun i_0 => buf.[(0 + i_0)])), + ctp, skp); + buf <- + (Array64.init + (fun i_0 => (if (0 <= i_0 < (0 + 32)) then aux.[(i_0 - 0)] else buf.[i_0])) + ); hp <- skp; hp <- (hp + (W64.of_int (32 + (((24 * 3) * 256) `|>>` 3)))); aux_0 <- (32 %/ 8); i <- 0; - while (i < aux_0) { + while ((i < aux_0)) { t64 <- (loadW64 Glob.mem (W64.to_uint (hp + (W64.of_int (8 * i))))); buf <- - Array64.init - (WArray64.get8 (WArray64.set64_direct (WArray64.init8 (fun i_0 => (buf).[i_0])) (32 + (8 * i)) (t64))); - i <- i + 1; + (Array64.init + (WArray64.get8 + (WArray64.set64_direct (WArray64.init8 (fun i_0 => buf.[i_0])) + (32 + (8 * i)) t64))); + i <- (i + 1); } s_skp <- skp; kr <@ _sha3_512_64 (kr, buf); pkp <- s_skp; pkp <- (pkp + (W64.of_int (((12 * 3) * 256) `|>>` 3))); - ctpc <@ __iindcpa_enc (ctpc, (Array32.init (fun i_0 => buf.[0 + i_0])), - pkp, (Array32.init (fun i_0 => kr.[32 + i_0]))); + ctpc <@ __iindcpa_enc (ctpc, (Array32.init (fun i_0 => buf.[(0 + i_0)])), + pkp, (Array32.init (fun i_0 => kr.[(32 + i_0)]))); ctp <- s_ctp; cnd <@ __verify (ctp, ctpc); s_cnd <- cnd; @@ -2344,14 +2359,12 @@ module M(SC:Syscall_t) = { _shake256_1120_32 (shkp, zp, ctp); shkp <- s_shkp; cnd <- s_cnd; - __cmov (shkp, (Array32.init (fun i_0 => kr.[0 + i_0])), cnd); + __cmov (shkp, (Array32.init (fun i_0 => kr.[(0 + i_0)])), cnd); return (); } - proc jade_kem_mlkem_mlkem768_amd64_ref_keypair (public_key:W64.t, secret_key:W64.t) : W64.t = { - var r:W64.t; var randomness:W8.t Array64.t; var randomnessp:W8.t Array64.t; 
@@ -2367,16 +2380,14 @@ module M(SC:Syscall_t) = { secret_key <- secret_key; randomnessp <- randomness; randomnessp <@ SC.randombytes_64 (randomnessp); - _0 <- init_msf ; + _0 <- (init_msf); __crypto_kem_keypair_jazz (public_key, secret_key, randomnessp); - (_of_, _cf_, _sf_, _1, _zf_, r) <- set0_64 ; - return (r); + (_of_, _cf_, _sf_, _1, _zf_, r) <- (set0_64); + return r; } - proc jade_kem_mlkem_mlkem768_amd64_ref_enc (ciphertext:W64.t, shared_secret:W64.t, public_key:W64.t) : W64.t = { - var r:W64.t; var randomness:W8.t Array32.t; var randomnessp:W8.t Array32.t; @@ -2393,17 +2404,15 @@ module M(SC:Syscall_t) = { public_key <- public_key; randomnessp <- randomness; randomnessp <@ SC.randombytes_32 (randomnessp); - _0 <- init_msf ; + _0 <- (init_msf); __crypto_kem_enc_jazz (ciphertext, shared_secret, public_key, randomnessp); - (_of_, _cf_, _sf_, _1, _zf_, r) <- set0_64 ; - return (r); + (_of_, _cf_, _sf_, _1, _zf_, r) <- (set0_64); + return r; } - proc jade_kem_mlkem_mlkem768_amd64_ref_dec (shared_secret:W64.t, ciphertext:W64.t, secret_key:W64.t) : W64.t = { - var r:W64.t; var _of_:bool; var _cf_:bool; @@ -2411,11 +2420,9 @@ module M(SC:Syscall_t) = { var _zf_:bool; var _0:W64.t; var _1:bool; - - _0 <- init_msf ; + _0 <- (init_msf); __crypto_kem_dec_jazz (shared_secret, ciphertext, secret_key); - (_of_, _cf_, _sf_, _1, _zf_, r) <- set0_64 ; - return (r); + (_of_, _cf_, _sf_, _1, _zf_, r) <- (set0_64); + return r; } }. - diff --git a/crypto-specs b/crypto-specs index 9466a64b..a020b495 160000 --- a/crypto-specs +++ b/crypto-specs @@ -1 +1 @@ -Subproject commit 9466a64b699a104f4a65f064bee73f048c5f5235 +Subproject commit a020b495ffae498a4faaf3988ee7a3df7c9c5a0a diff --git a/jasmin b/jasmin index 9f85d3d2..1bd46f65 160000 --- a/jasmin +++ b/jasmin @@ -1 +1 @@ -Subproject commit 9f85d3d2f96366e00028074914862d66bed32c7f +Subproject commit 1bd46f6542c32c4ad0243f7bccedfa26590f6dc6 
diff --git a/proof/correctness/Fq.ec b/proof/correctness/Fq.ec index 15a94a1e..b0b422f9 100644 --- a/proof/correctness/Fq.ec +++ b/proof/correctness/Fq.ec @@ -19,7 +19,7 @@ clone import SignedReductions with op Rinv <- 169 proof q_bnd by (rewrite /R qE => />) proof q_odd1 by (rewrite qE => />) - proof q_odd2 by (rewrite qE => />) +(* proof q_odd2 by (rewrite qE => />) *) proof qqinv by (rewrite /R qE => />) proof Rinv_gt0 by (auto => />) proof RRinv by (rewrite /R qE => />) diff --git a/proof/correctness/avx2/MLKEM_genmatrix_avx2.ec b/proof/correctness/avx2/MLKEM_genmatrix_avx2.ec index 01b3bdf4..08bf4b79 100644 --- a/proof/correctness/avx2/MLKEM_genmatrix_avx2.ec +++ b/proof/correctness/avx2/MLKEM_genmatrix_avx2.ec 
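Review bot: Commenting out `proof q_odd2` leaves it ambiguous whether the obligation vanished from `SignedReductions` or is now simply left undischarged; in the latter case `q_odd2` survives the clone as an axiom and quietly joins the trusted base of the correctness proof. If the cloned theory no longer declares `q_odd2`, delete the line rather than keeping dead text; if it still does, the proof should be restored. Either way, ending the clone with `proof *.` would make EasyCrypt report every axiom left unproven, so a regression of this kind cannot pass unnoticed. The `clone import SignedReductions with` statement starts before the hunk, so its other substitutions are outside this view.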
@@ -993,6 +993,68 @@ op pack4poly ['a] (ps: 'a Array256.t * 'a Array256.t * 'a Array256.t * 'a Array2 op buf_ok (buf: W8.t Array536.t) (l: W8.t list, st: state): bool = buf_subl buf 0 504 = l /\ sub buf 336 200 = state2bytes st. +require import Array2144. + +abbrev pack4buf (b:W8.t Array2144.t) (b0 b1 b2 b3: W8.t Array536.t) = + Array2144.init + (fun i => + if 1608 <= i && i < 2144 + then b3.[i - 1608] + else (Array2144.init + (fun i0 => + if 1072 <= i0 && i0 < 1608 + then b2.[i0 - 1072] + else (Array2144.init + (fun i1 => + if 536 <= i1 && i1 < 1072 + then b1.[i1 - 536] + else (Array2144.init + (fun i2 => + if 0 <= i2 && i2 < 536 + then b0.[i2] + else b.[i2])).[i1])).[i0])).[i]). + +op buf4x_buf (bufx4 : W8.t Array2144.t) (pos : int) : W8.t Array536.t = + Array536.init (fun i => bufx4.[pos*536+i]). + +lemma buf4x_buf_0 bufx4 b0 b1 b2 b3: + buf4x_buf (pack4buf bufx4 b0 b1 b2 b3) 0 = b0. +proof. +apply Array536.ext_eq => i Hi /=. +rewrite initiE 1:/# /= initiE 1:/# /=. +rewrite ifF 1:/# initiE 1:/# /=. +rewrite ifF 1:/# initiE 1:/# /=. +rewrite ifF 1:/# initiE 1:/# /=. +by rewrite ifT /#. +qed. + +lemma buf4x_buf_1 bufx4 b0 b1 b2 b3: + buf4x_buf (pack4buf bufx4 b0 b1 b2 b3) 1 = b1. +proof. +apply Array536.ext_eq => i Hi /=. +rewrite initiE 1:/# /= initiE 1:/# /=. +rewrite ifF 1:/# initiE 1:/# /=. +rewrite ifF 1:/# initiE 1:/# /=. +by rewrite ifT /#. +qed. + +lemma buf4x_buf_2 bufx4 b0 b1 b2 b3: + buf4x_buf (pack4buf bufx4 b0 b1 b2 b3) 2 = b2. +proof. +apply Array536.ext_eq => i Hi /=. +rewrite initiE 1:/# /= initiE 1:/# /=. +rewrite ifF 1:/# initiE 1:/# /=. +by rewrite ifT /#. +qed. + +lemma buf4x_buf_3 bufx4 b0 b1 b2 b3: + buf4x_buf (pack4buf bufx4 b0 b1 b2 b3) 3 = b3. +proof. +apply Array536.ext_eq => i Hi /=. +rewrite initiE 1:/# /= initiE 1:/# /=. +by rewrite ifT /#. +qed. + lemma stx4_bytes_squeeze at st0 st1 st2 st3 stx4 (buf0 buf1 buf2 buf3: W8.t Array536.t): match_state4x st0 st1 st2 st3 stx4 => sub buf0 at 200 = state2bytes st0 => 
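Review bot: `pack4buf` and `buf4x_buf` carry no comment saying what they model, and `buf4x_buf` states no precondition on `pos`: for `pos` outside 0..3 the index `pos*536+i` leaves the 2144-byte array and, as far as I recall of the Array theory, the lookup yields the default element rather than failing. Add above the op a comment along the lines of `(* The pos-th 536-byte XOF output buffer of the 4x-batched layout (pos in 0..3). pack4buf mirrors the nested Array2144.init shape produced by four consecutive sub-array stores; its first argument is never read for in-range indices. *)`. The four `buf4x_buf_k` lemmas are the same script minus one `ifF` step each, so a single lemma over `k` with `0 <= k < 4` proved by case analysis would shrink the maintenance surface. Also, `require import Array2144.` sits mid-file; placing it next to the file's other `require` lines keeps the dependency discoverable.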
@@ -1040,59 +1102,79 @@ transitivity ParseFilter.sample3buf_x4 by exists (rho{2},pos{2},t{2}) => /#. + by move => />. proc; simplify. -seq 9 27: ( buf_ok buf0{1} buf0{2} st0{2} - /\ buf_ok buf1{1} buf1{2} st1{2} - /\ buf_ok buf2{1} buf2{2} st2{2} - /\ buf_ok buf3{1} buf3{2} st3{2} ). +seq 9 27: ( buf_ok (buf4x_buf buf{1} 0) buf0{2} st0{2} + /\ buf_ok (buf4x_buf buf{1} 1) buf1{2} st1{2} + /\ buf_ok (buf4x_buf buf{1} 2) buf2{2} st2{2} + /\ buf_ok (buf4x_buf buf{1} 3) buf3{2} st3{2} ). seq 7 7: ( match_state4x st0{2} st1{2} st2{2} st3{2} stx4{1} ). wp; ecall {1} (xof_init_x4_ph rho{1} indexes{1}). inline*; auto => /> &1 &2 Ht Hpos stavx. rewrite to_uintD to_uint_shl !of_uintK 1:/# !modz_small 1..15:/# Ht /= addzC -!addzA. by rewrite !gen_matrix_indexesE; auto => /#. rcondt {1} 2; first by auto. - seq 4 4: ( buf_offset{1} = W64.of_int 168 + seq 8 4: ( buf_offset{1} = W64.of_int 168 /\ match_state4x st0{2} st1{2} st2{2} st3{2} stx4{1} - /\ buf_subl buf0{1} 0 168 = buf0{2} - /\ buf_subl buf1{1} 0 168 = buf1{2} - /\ buf_subl buf2{1} 0 168 = buf2{2} - /\ buf_subl buf3{1} 0 168 = buf3{2} ). + /\ buf_subl (buf4x_buf buf{1} 0) 0 168 = buf0{2} + /\ buf_subl (buf4x_buf buf{1} 1) 0 168 = buf1{2} + /\ buf_subl (buf4x_buf buf{1} 2) 0 168 = buf2{2} + /\ buf_subl (buf4x_buf buf{1} 3) 0 168 = buf3{2} ). sp 0 4; elim* => _st3 _st2 _st1 _st0; simplify. - wp; ecall{1} (st4x_unpack_at_ph st0{2} st1{2} st2{2} st3{2} buf0{1} buf1{1} buf2{1} buf3{1} buf_offset{1}). + wp; ecall{1} (st4x_unpack_at_ph st0{2} st1{2} st2{2} st3{2} + (Array536.init (fun i => buf.[536 * 0 + i])){1} + (Array536.init (fun i => buf.[536 * 1 + i])){1} + (Array536.init (fun i => buf.[536 * 2 + i])){1} + (Array536.init (fun i => buf.[536 * 3 + i])){1} + buf_offset{1}). ecall{1} (keccakf1600_4x_ph stx4{1}). auto => /> &1 &2; rewrite /st_i !iter1; split. by apply stx4_map_keccakf. move=> Hst [b0 b1 b2 b3] _ _ _ _ /= H0 H1 H2 H3. + rewrite buf4x_buf_0 buf4x_buf_1 buf4x_buf_2 buf4x_buf_3. smt(stx4_bytes_squeeze iter1). 
rcondt {1} 1; first by auto. - seq 3 8: ( buf_offset{1} = W64.of_int (2*168) + seq 7 8: ( buf_offset{1} = W64.of_int (2*168) /\ match_state4x st0{2} st1{2} st2{2} st3{2} stx4{1} - /\ buf_subl buf0{1} 0 (2*168) = buf0{2} - /\ buf_subl buf1{1} 0 (2*168) = buf1{2} - /\ buf_subl buf2{1} 0 (2*168) = buf2{2} - /\ buf_subl buf3{1} 0 (2*168) = buf3{2} ). + /\ buf_subl (buf4x_buf buf{1} 0) 0 (2*168) = buf0{2} + /\ buf_subl (buf4x_buf buf{1} 1) 0 (2*168) = buf1{2} + /\ buf_subl (buf4x_buf buf{1} 2) 0 (2*168) = buf2{2} + /\ buf_subl (buf4x_buf buf{1} 3) 0 (2*168) = buf3{2} ). sp 0 8; elim* => _buf3 _st3 _buf2 _st2 _buf1 _st1 _buf0 _st0; simplify. - wp; ecall{1} (st4x_unpack_at_ph st0{2} st1{2} st2{2} st3{2} buf0{1} buf1{1} buf2{1} buf3{1} buf_offset{1}). + wp; ecall{1} (st4x_unpack_at_ph st0{2} st1{2} st2{2} st3{2} + (Array536.init (fun i => buf.[536 * 0 + i])){1} + (Array536.init (fun i => buf.[536 * 1 + i])){1} + (Array536.init (fun i => buf.[536 * 2 + i])){1} + (Array536.init (fun i => buf.[536 * 3 + i])){1} + buf_offset{1}). ecall{1} (keccakf1600_4x_ph stx4{1}). auto => /> &1 &2; rewrite /st_i !iter1; split. by apply stx4_map_keccakf. - move=> Hst1 [b0 b1 b2 b3] /= Hb0 Hb1 Hb2 Hb3 /= H0 H1 H2 H3. + move=> Hst1 [b0 b1 b2 b3] /=. + rewrite -/(buf4x_buf buf{1} 0) -/(buf4x_buf buf{1} 1) -/(buf4x_buf buf{1} 2) -/(buf4x_buf buf{1} 3) => Hb0 Hb1 Hb2 Hb3 H0 H1 H2 H3. + rewrite buf4x_buf_0 buf4x_buf_1 buf4x_buf_2 buf4x_buf_3. rewrite -!(buf_subl_cat _ 0 168 336) //. - rewrite !(buf_sublE _ 0 168) //. + rewrite !(buf_sublE _ 0 168) //=. smt(stx4_bytes_squeeze iter1). rcondt {1} 1; first by auto. - seq 3 8: ( buf_offset{1} = W64.of_int (3*168) - /\ buf_ok buf0{1} buf0{2} st0{2} - /\ buf_ok buf1{1} buf1{2} st1{2} - /\ buf_ok buf2{1} buf2{2} st2{2} - /\ buf_ok buf3{1} buf3{2} st3{2} ). 
+ seq 7 8: ( buf_offset{1} = W64.of_int (3*168) + /\ buf_ok (buf4x_buf buf{1} 0) buf0{2} st0{2} + /\ buf_ok (buf4x_buf buf{1} 1) buf1{2} st1{2} + /\ buf_ok (buf4x_buf buf{1} 2) buf2{2} st2{2} + /\ buf_ok (buf4x_buf buf{1} 3) buf3{2} st3{2} ). sp 0 8; elim* => _buf3 _st3 _buf2 _st2 _buf1 _st1 _buf0 _st0; simplify. - wp; ecall{1} (st4x_unpack_at_ph st0{2} st1{2} st2{2} st3{2} buf0{1} buf1{1} buf2{1} buf3{1} buf_offset{1}). + wp; ecall{1} (st4x_unpack_at_ph st0{2} st1{2} st2{2} st3{2} + (Array536.init (fun i => buf.[536 * 0 + i])){1} + (Array536.init (fun i => buf.[536 * 1 + i])){1} + (Array536.init (fun i => buf.[536 * 2 + i])){1} + (Array536.init (fun i => buf.[536 * 3 + i])){1} + buf_offset{1}). ecall{1} (keccakf1600_4x_ph stx4{1}). auto => /> &1 &2; rewrite /st_i !iter1; split. by apply stx4_map_keccakf. - move=> Hst1 [b0 b1 b2 b3] /= Hb0 Hb1 Hb2 Hb3 /= H0 H1 H2 H3. + move=> Hst1 [b0 b1 b2 b3] /=. + rewrite -/(buf4x_buf buf{1} 0) -/(buf4x_buf buf{1} 1) -/(buf4x_buf buf{1} 2) -/(buf4x_buf buf{1} 3) => Hb0 Hb1 Hb2 Hb3 H0 H1 H2 H3. + rewrite buf4x_buf_0 buf4x_buf_1 buf4x_buf_2 buf4x_buf_3. rewrite -!(buf_subl_cat _ 0 336 504) //. - rewrite !(buf_sublE _ 0 336) //. + rewrite !(buf_sublE _ 0 336) //=. smt(stx4_bytes_squeeze iter1). rcondf {1} 1; first by auto. by auto => />. 
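Review bot: The four `(Array536.init (fun i => buf.[536 * k + i])){1}` arguments to `st4x_unpack_at_ph` are spelled out in full at each of the three `ecall{1}` sites and then folded back with `rewrite -/(buf4x_buf buf{1} k)` a few lines later; passing `(buf4x_buf buf 0){1}` … `(buf4x_buf buf 3){1}` directly would remove both the duplication and the fold-back step, assuming the phoare statement unifies through the op. If it genuinely needs the unfolded shape, a one-line comment saying so would spare the next reader the experiment. The three `seq` blocks are otherwise identical apart from the offsets 168/336/504, so a per-step lemma parameterised by the offset is the natural refactoring if this proof is touched again.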
@@ -1100,11 +1182,29 @@ wp; call fill_poly_eq. wp; call fill_poly_eq. wp; call fill_poly_eq. wp; call fill_poly_eq. -auto => /> &1 &2 Hst0 Hst1 Hst2 Hst3. +auto => /> &1 &2 Hst0 Hst1 Hst2 Hst3 _ _. move=> [p0 buf0] p0R /= Hp0. -move=> [p1 buf1] p1R /= Hp1. -move=> [p2 buf2] p2R /= Hp2. -move=> [p3 buf3] p3R /= Hp3. +pose B1:= Array536.init _. +have ->: B1 = buf4x_buf buf{1} 1. + apply Array536.ext_eq => i Hi /=. + rewrite initiE //= initiE 1:/# /= ifF 1:/#. + by rewrite /buf4x_buf /= initiE // /=. +split; first done. +move=> _ _ {B1} [p1 buf1] p1R /= Hp1. +pose B2:= Array536.init _. +have ->: B2 = buf4x_buf buf{1} 2. + apply Array536.ext_eq => i Hi /=. + rewrite initiE //= initiE 1:/# initiE 1:/# /= ifF 1:/#. + by rewrite /buf4x_buf /= initiE /#. +split; first done. +move=> _ _ {B2} [p2 buf2] p2R /= Hp2. +pose B3:= Array536.init _. +have ->: B3 = buf4x_buf buf{1} 3. + apply Array536.ext_eq => i Hi /=. + rewrite initiE //= initiE 1:/# initiE 1:/# /= ifF 1:/#. + by rewrite /buf4x_buf initiE 1:/# /= ifF 1:/# initiE /#. +split; first done. +move=> _ _ {B3} [p3 buf3] p3R /= Hp3. rewrite /pack4poly /=. apply Array1024.ext_eq => i Hi. rewrite initiE //= get_of_list //=. @@ -1289,7 +1389,7 @@ while (0<=i<=3 /\ rho = _sd /\ rewrite /subarray256 /subarray768 tP => *. by rewrite initiE //= initiE 1:/# /= initiE 1:/# /= ifF 1:/# initiE 1:/# /= initiE /#. -wp 21. +wp 13. conseq (_: (forall kk, 0 <= kk < 3 => subarray768 matrix kk = (subarray768 (unlift_matrix (if b then trmx (sampleA _sd) else (sampleA _sd))) kk))). move =>/> m0 H; split;1:smt(). case b => hb. @@ -1310,7 +1410,7 @@ case (768 <= k && k < 1536). + by move =>? kbb;rewrite -H0 1:/# /subarray768 initiE 1:/# /=. by move =>? kbb;rewrite -H0 1:/# /subarray768 initiE 1:/# /=. -unroll for 16. +unroll for 7. wp;call (sample_last _sd). wp;call (sample_four _sd 4 b _). wp;call (sample_four _sd 0 b _). diff --git a/proof/security/FO_MLKEM.ec b/proof/security/FO_MLKEM.ec index 6f270f1b..698c599f 100644 
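Review bot: `pose B1:= Array536.init _.` (likewise `B2`, `B3`) binds whichever `Array536.init` occurrence the `_` pattern hits first, so the three `have ->` blocks are tied to the exact term order that `auto => />` happens to produce; stating the equality once as a lemma in the shape `Array536.init (fun i => (<nested Array2144.init>).[536*k+i]) = buf4x_buf buf k` would be reusable and stable under simplifier changes. The new `_ _` intros in `auto => /> &1 &2 Hst0 Hst1 Hst2 Hst3 _ _.` discard two hypotheses without any hint of what they are; naming them would document the goal shape for free. The same positional brittleness applies to `wp 13.` and `unroll for 7.` in the next two hunks, whose new values presumably follow the statement count of the regenerated extraction; a short comment recording that dependency would make the next regeneration easier to repair.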
--- a/proof/security/FO_MLKEM.ec +++ b/proof/security/FO_MLKEM.ec @@ -395,7 +395,7 @@ have -> : Pr[KEMROMx2.RO2.MainD(DKK2(A),RO2.RO).distinguish() @ &m : res] = ={res} /\ (CCA.sk{1}, CCA.cstar{1}, RO1.RO.m{1}, (glob A){1}) = (CCA.sk{2}, CCA.cstar{2}, RO1.RO.m{2}, (glob A){2})) => //. - apply(RO2.FullEager.RO_LRO (DKK2(A)) _). + conseq (RO2.FullEager.RO_LRO (DKK2(A)) _) => //. by move => *;rewrite dkey_ll. have <- : Pr[KEMROMx2.RO1.MainD(DKK1(A),RO1.RO).distinguish() @ &m : res] = @@ -405,7 +405,7 @@ have <- : Pr[KEMROMx2.RO1.MainD(DKK1(A),RO1.RO).distinguish() @ &m : res] = ={res} /\ (CCA.sk{1}, CCA.cstar{1}, RO2.RO.m{1}, (glob A){1}) = (CCA.sk{2}, CCA.cstar{2}, RO2.RO.m{2}, (glob A){2})) => //. - apply(RO1.FullEager.RO_LRO (DKK1(A)) _). + conseq (RO1.FullEager.RO_LRO (DKK1(A)) _) => //. by move => *;rewrite randd_ll. byequiv => //;proc;inline {1} 2; inline {2} 2. @@ -456,7 +456,11 @@ call(: ={glob CCA} /\ B1x2._pk{1} = CCA.sk{2}.`1.`1 /\ case (m'{1} = None). + rcondf{1} 8; 1: by auto. rcondt{1} 8; 1: by auto. - by auto => />;smt(get_setE). + auto => /> &1 &2 *. + split; first smt(get_setE). + move=> *; split; first smt(get_setE). + move=> *; split; first smt(get_setE). + by move=> *; smt(get_setE). rcondt{1} 8; 1: by auto. inline *. rcondf{1} 10; 1: by auto;smt(mem_set). diff --git a/proof/security/FO_TT.ec b/proof/security/FO_TT.ec index 1d26dab7..48636a7d 100644 --- a/proof/security/FO_TT.ec +++ b/proof/security/FO_TT.ec @@ -1,5 +1,5 @@ -require import AllCore Distr List Real SmtMap FSet DInterval FinType. -require (****) PKE_ROM PlugAndPray Hybrid FelTactic. +require import AllCore Distr List Real SmtMap FSet DInterval. +require (****) FinType PKE_ROM PlugAndPray Hybrid FelTactic. (******************************************************************) (* FIXME: Where should these live. *) 
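Review bot: Replacing `by auto => />;smt(get_setE).` with four `split; first smt(get_setE)` steps interleaved with `move=> *` leaves no trace of why the single call stopped closing the goal, whether the conjunction grew, its shape changed, or the solver merely timed out. A comment such as `(* the combined goal no longer discharges in one smt call; split the conjuncts *)` above the new `auto => /> &1 &2 *.` line would record the reason, and naming the intro'd hypotheses instead of `*` would document what each `split` is proving. The `apply` to `conseq … => //` switch in the two earlier hunks of this file reads like an adaptation to a newer EasyCrypt; if so, noting the required version in the file header would help anyone rebuilding the proof.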
@@ -59,7 +59,7 @@ type plaintext. op [full lossless uniform]dplaintext : plaintext distr. -clone import FinType as FinT with +clone import FinType.FinType as FinT with type t <- plaintext. type randomness. @@ -667,10 +667,10 @@ lemma corr_pnp &m : (* print glob Correctness_Adv1(RO.RO,A). *) pose phi := fun (g: (glob Correctness_Adv1(RO.RO,A))) (_:unit) => has (fun m => - Some m <> dec g.`1 (enc (oget g.`7.[m]) g.`2 m)) g.`6. + Some m <> dec g.`7 (enc (oget g.`8.[m]) g.`5 m)) g.`6. pose psi := fun (g: (glob Correctness_Adv1(RO.RO,A))) (_:unit) => let i = find - (fun m => Some m <> dec g.`1 (enc (oget g.`7.[m]) g.`2 m)) g.`6 + (fun m => Some m <> dec g.`7 (enc (oget g.`8.[m]) g.`5 m)) g.`6 in if 0 <= i < qHC + 1 then i else 0. have := PAPC.PBound (Correctness_Adv1(RO.RO,A)) phi psi tt &m _. + smt (ge0_qHC mem_iota). @@ -1814,10 +1814,10 @@ proof. move => qHPn0. rewrite RField.mulrC -StdOrder.RealOrder.ler_pdivr_mulr; 1: smt (ge0_qH ge0_qP). -(* print glob G3. *) - pose phi := fun (g:glob G3) (b:bool) => dec g.`7.`2 g.`8 = Some g.`2 /\ g.`2 \in g.`9. +(* print glob G3.*) + pose phi := fun (g:glob G3) (b:bool) => dec g.`9.`2 g.`8 = Some g.`5 /\ g.`5 \in g.`10. pose psi := fun (g:glob G3) (_:bool) => - let i = find (pred1 g.`2) (elems (fdom g.`9)) in + let i = find (pred1 g.`5) (elems (fdom g.`10)) in if 0 <= i < qH + qP then i else 0. have := PAP1.PBound G3 phi psi tt &m _. + smt (ge0_qH ge0_qP mem_iota).
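Review bot: The `glob Correctness_Adv1(RO.RO,A)` projections `g.`7`, `g.`8`, `g.`5`, `g.`6` in `phi` and `psi` are positional and were renumbered because the module's global layout moved, yet nothing in the file says what each index denotes, so the next shift has to be re-derived from `print glob` again. Replace the commented-out `print glob` line with a comment recording the mapping in force, e.g. `(* glob layout: .`5 = <PUBLIC-KEY VAR>, .`6 = <QUERY LIST VAR>, .`7 = <SECRET-KEY VAR>, .`8 = <RO MAP VAR>; re-check with print glob after module changes *)`, with the placeholders filled in from the actual `print glob` output, as the variable names cannot be read off this hunk. The `@@ -1814` hunk on `glob G3` has the same issue.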