From 56424227da2a4d6bc1004cae1ad0694d331cf099 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 5 Dec 2024 07:34:36 +0000 Subject: [PATCH 01/27] wip; started cleanup hashing --- libcrux-ml-dsa/cg.yaml | 45 ++++++++------- libcrux-ml-dsa/cg/code_gen.txt | 2 +- libcrux-ml-dsa/cg/header.txt | 2 +- libcrux-ml-dsa/src/hash_functions.rs | 84 +++++++++++++++++++--------- libcrux-ml-dsa/src/ml_dsa_generic.rs | 12 ++-- libcrux-ml-dsa/src/polynomial.rs | 3 + libcrux-ml-dsa/src/sample.rs | 2 +- 7 files changed, 93 insertions(+), 57 deletions(-) diff --git a/libcrux-ml-dsa/cg.yaml b/libcrux-ml-dsa/cg.yaml index 76d5bf23d..717d14827 100644 --- a/libcrux-ml-dsa/cg.yaml +++ b/libcrux-ml-dsa/cg.yaml @@ -45,26 +45,6 @@ files: monomorphizations_using: - [libcrux_sha3, "*"] - # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS - - name: libcrux_core - inline_static: true - private: - monomorphizations_of: - - [core, "*"] - - [libcrux_ml_dsa, types, "*"] - - [libcrux_ml_dsa, utils, "*" ] - monomorphizations_using: - - [Eurydice, "*" ] - - [libcrux_ml_dsa, types, "*"] - patterns: - - [core, "*"] - - [libcrux_ml_dsa, types, "*" ] - - [libcrux_ml_dsa, constants ] - - [libcrux_ml_dsa, utils, "*" ] - - [libcrux_ml_dsa, simd, traits ] - api: - - [Eurydice, "*"] - # MLDSA-65 - name: libcrux_mldsa65_avx2 @@ -78,6 +58,7 @@ files: - [libcrux_ml_dsa, hash_functions, simd256, "*"] - [libcrux_ml_dsa, ml_dsa_65, avx2, "*"] - [libcrux_ml_dsa, ml_dsa_generic, instantiations, avx2, "*"] + # - [core, option, Option_c4] # - [libcrux_ml_dsa, polynomial, "*" ] monomorphizations_of: - [libcrux_ml_dsa, simd, avx2, "*"] @@ -97,17 +78,41 @@ files: - [libcrux_ml_dsa, hash_functions, portable, "*"] - [libcrux_ml_dsa, ml_dsa_65, portable, "*"] - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"] + - [core, option, Option_84] monomorphizations_of: - [libcrux_ml_dsa, polynomial, "*" ] - [libcrux_ml_dsa, simd, "*"] - [libcrux_ml_dsa, hash_functions, portable, "*"] - [libcrux_ml_dsa, ml_dsa_65, portable] - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"] + - [core, option, Option_84] monomorphizations_using: - [libcrux_ml_dsa, polynomial, "*" ] - [libcrux_ml_dsa, simd, "*"] - [libcrux_ml_dsa, hash_functions, portable, "*"] - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"] + - [core, option, Option_84] + + + # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS + - name: libcrux_core + inline_static: true + private: + monomorphizations_of: + - [core, "*"] + - [libcrux_ml_dsa, types, "*"] + - [libcrux_ml_dsa, utils, "*" ] + monomorphizations_using: + - [Eurydice, "*" ] + - [libcrux_ml_dsa, types, "*"] + patterns: + - [core, "*"] + - [libcrux_ml_dsa, types, "*" ] + - [libcrux_ml_dsa, constants ] + - [libcrux_ml_dsa, utils, "*" ] + - [libcrux_ml_dsa, simd, traits ] + api: + - [Eurydice, "*"] naming: skip_prefix: diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index 19672611e..c7ae67f4f 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20 Karamel: 8c3612018c25889288da6857771be3ad03b75bcd F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty -Libcrux: ef3ee2539580595003c62a749034ae0c76d22a0d +Libcrux: ebd9959e4b3ba3155e1f0225ac0764b1a8657d7f diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index cd14c7d06..a2b69ee7f 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20 * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: ef3ee2539580595003c62a749034ae0c76d22a0d + * Libcrux: ebd9959e4b3ba3155e1f0225ac0764b1a8657d7f */ diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index eff5d6aeb..3f79da352 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs @@ -6,7 +6,7 @@ pub(crate) mod shake256 { pub(crate) trait Xof { fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]); - fn init_absorb(input: &[u8]) -> Self; + fn init_absorb_final(input: &[u8]) -> Self; // TODO: There should only be a `squeeze_block` fn squeeze_first_block(&mut self) -> [u8; BLOCK_SIZE]; fn squeeze_next_block(&mut self) -> [u8; BLOCK_SIZE]; @@ -77,8 +77,10 @@ pub(crate) mod shake128 { /// A portable implementation of [`shake128::Xof`] and [`shake256::Xof`]. pub(crate) mod portable { use super::{shake128, shake256}; - use libcrux_sha3::portable::incremental; - use libcrux_sha3::portable::KeccakState; + use libcrux_sha3::portable::{ + incremental::{self, XofAbsorb, XofSqueeze}, + KeccakState, + }; /// Portable SHAKE 128 x4 state. /// @@ -206,7 +208,7 @@ pub(crate) mod portable { } #[inline(always)] - fn init_absorb_shake256(input: &[u8]) -> Shake256 { + fn init_absorb_final_shake256(input: &[u8]) -> Shake256 { let mut state = incremental::shake256_init(); incremental::shake256_absorb_final(&mut state, input); Shake256 { state } @@ -232,11 +234,21 @@ pub(crate) mod portable { shake256(input, out); } + #[inline(always)] + fn init_absorb_final(input: &[u8]) -> Self { + init_absorb_final_shake256(input) + } + #[inline(always)] fn init_absorb(input: &[u8]) -> Self { init_absorb_shake256(input) } + #[inline(always)] + fn absorb(input: &[u8]) -> Self { + absorb_shake256(self, input) + } + #[inline(always)] fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { squeeze_first_block_shake256(self) @@ -373,39 +385,39 @@ pub(crate) mod portable { #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256Absorb { - state: libcrux_sha3::portable::incremental::Shake256Absorb, + state: incremental::Shake256Absorb, } - #[cfg_attr(hax, hax_lib::opaque_type)] - pub(crate) struct Shake256Squeeze { - state: libcrux_sha3::portable::incremental::Shake256Squeeze, - } + impl Shake256Absorb { + #[inline(always)] + pub(crate) fn init() -> Shake256Absorb { + Shake256Absorb { + state: incremental::Shake256Absorb::new(), + } + } - use libcrux_sha3::portable::incremental::{XofAbsorb, XofSqueeze}; + #[inline(always)] + pub(crate) fn absorb(st: &mut Shake256Absorb, input: &[u8]) { + st.state.absorb(input) + } - #[inline(always)] - pub(crate) fn shake256_init() -> Shake256Absorb { - Shake256Absorb { - state: libcrux_sha3::portable::incremental::Shake256Absorb::new(), + #[inline(always)] + pub(crate) fn absorb_final(st: Shake256Absorb, input: &[u8]) -> Shake256Squeeze { + st.state.absorb_final(input) } } - #[inline(always)] - pub(crate) fn shake256_absorb(st: &mut Shake256Absorb, input: &[u8]) { - st.state.absorb(input) + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256Squeeze { + state: incremental::Shake256Squeeze, } - #[inline(always)] - pub(crate) fn shake256_absorb_final(st: Shake256Absorb, input: &[u8]) -> Shake256Squeeze { - Shake256Squeeze { - state: st.state.absorb_final(input), + impl Shake256Squeeze { + #[inline(always)] + pub(crate) fn shake256_squeeze(st: &mut Shake256Squeeze, out: &mut [u8]) { + st.state.squeeze(out) } } - - #[inline(always)] - pub(crate) fn shake256_squeeze(st: &mut Shake256Squeeze, out: &mut [u8]) { - st.state.squeeze(out) - } } /// A SIMD256 implementation of [`shake128::XofX4`] and [`shake256::Xof`] for AVX2. @@ -516,13 +528,21 @@ pub(crate) mod simd256 { } #[inline(always)] - fn init_absorb_shake256(input: &[u8]) -> Shake256 { + fn init_absorb_final_shake256(input: &[u8]) -> Shake256 { let mut state = libcrux_sha3::portable::incremental::shake256_init(); libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input); Shake256 { state } } + #[inline(always)] + fn init_absorb_shake256(input: &[u8]) -> Shake256 { + let mut state = libcrux_sha3::portable::incremental::shake256_init(); + libcrux_sha3::portable::incremental::shake256_absorb(&mut state, input); + + Shake256 { state } + } + #[inline(always)] fn squeeze_first_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { let mut out = [0u8; shake256::BLOCK_SIZE]; @@ -549,11 +569,21 @@ pub(crate) mod simd256 { shake256(input, out) } + #[inline(always)] + fn init_absorb_final(input: &[u8]) -> Self { + init_absorb_final_shake256(input) + } + #[inline(always)] fn init_absorb(input: &[u8]) -> Self { init_absorb_shake256(input) } + #[inline(always)] + fn absorb(input: &[u8]) -> Self { + absorb_shake256(self, input) + } + #[inline(always)] fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { squeeze_first_block_shake256(self) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index c39df87a9..2bbb00b30 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -4,10 +4,7 @@ use crate::{ }, constants::*, encoding::{self, signature::Signature}, - hash_functions::{ - portable::{shake256_absorb, shake256_absorb_final, shake256_init, shake256_squeeze}, - shake128, shake256, - }, + hash_functions::{portable::Shake256, shake128, shake256}, matrix::{ add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors, vector_times_ring_element, @@ -45,9 +42,10 @@ pub(crate) fn generate_key_pair< ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE let mut seed_expanded = [0; 128]; - let mut shake = shake256_init(); - shake256_absorb(&mut shake, &randomness); - let mut shake = shake256_absorb_final(shake, &[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); + let mut shake = Shake256::init_absorb(&randomness); + // let mut shake = shake256_absorb_final(shake, &[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); + shake.absorb(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); + shake256_squeeze(&mut shake, &mut seed_expanded); let (seed_for_a, seed_expanded) = seed_expanded.split_at(SEED_FOR_A_SIZE); diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 205e2f7f6..26c033ad5 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -7,6 +7,9 @@ use crate::{ pub(crate) struct PolynomialRingElement { pub(crate) simd_units: [SIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], } + +pub type OptionalRingElement = Option>; + impl PolynomialRingElement { #[allow(non_snake_case)] pub(crate) fn ZERO() -> Self { diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 16f2b1f65..f9de41a1b 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -459,7 +459,7 @@ pub(crate) fn sample_challenge_ring_element< >( seed: [u8; SEED_SIZE], ) -> PolynomialRingElement { - let mut state = Shake256::init_absorb(&seed); + let mut state = Shake256::init_absorb_final(&seed); let randomness = state.squeeze_first_block(); let mut signs = u64::from_le_bytes(randomness[0..8].try_into().unwrap()); From bf2b9009a05138d363549fa73628254f6e6a59ad Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 5 Dec 2024 12:25:08 +0000 Subject: [PATCH 02/27] added shake256 xof and use it everywhere --- libcrux-ml-dsa/src/encoding/signing_key.rs | 2 +- libcrux-ml-dsa/src/hash_functions.rs | 87 +++++++----------- libcrux-ml-dsa/src/ml_dsa_generic.rs | 92 ++++++++++--------- .../src/ml_dsa_generic/instantiations.rs | 10 +- .../src/ml_dsa_generic/instantiations/avx2.rs | 7 ++ libcrux-ml-dsa/src/sample.rs | 8 +- libcrux-sha3/src/lib.rs | 52 +++-------- 7 files changed, 116 insertions(+), 142 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index 0d6537325..074fe41a6 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -13,7 +13,7 @@ use crate::{ #[inline(always)] pub(crate) fn generate_serialized< SIMDUnit: Operations, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, const ETA: usize, diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 3f79da352..84ca5fbe9 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs @@ -4,7 +4,8 @@ pub(crate) mod shake256 { pub(crate) const BLOCK_SIZE: usize = 136; - pub(crate) trait Xof { + /// An ML-DSA specific Xof trait + pub(crate) trait DsaXof { fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]); fn init_absorb_final(input: &[u8]) -> Self; // TODO: There should only be a `squeeze_block` @@ -41,6 +42,21 @@ pub(crate) mod shake256 { out3: &mut [u8; OUT_LEN], ); } + + /// A generic Xof trait + pub(crate) trait Xof { + /// Initialize the state + fn init() -> Self; + + /// Absorb + fn absorb(&mut self, input: &[u8]); + + /// Absorb final input + fn absorb_final(&mut self, input: &[u8]); + + /// Squeeze output bytes + fn squeeze(&mut self, out: &mut [u8]); + } } /// Abstraction and platform multiplexing for SHAKE 128 @@ -78,7 +94,7 @@ pub(crate) mod shake128 { pub(crate) mod portable { use super::{shake128, shake256}; use libcrux_sha3::portable::{ - incremental::{self, XofAbsorb, XofSqueeze}, + incremental::{self, Xof}, KeccakState, }; @@ -228,7 +244,7 @@ pub(crate) mod portable { out } - impl shake256::Xof for Shake256 { + impl shake256::DsaXof for Shake256 { #[inline(always)] fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { shake256(input, out); @@ -239,16 +255,6 @@ pub(crate) mod portable { init_absorb_final_shake256(input) } - #[inline(always)] - fn init_absorb(input: &[u8]) -> Self { - init_absorb_shake256(input) - } - - #[inline(always)] - fn absorb(input: &[u8]) -> Self { - absorb_shake256(self, input) - } - #[inline(always)] fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { squeeze_first_block_shake256(self) @@ -384,38 +390,27 @@ pub(crate) mod portable { } #[cfg_attr(hax, hax_lib::opaque_type)] - pub(crate) struct Shake256Absorb { - state: incremental::Shake256Absorb, + pub(crate) struct Shake256Xof { + state: incremental::Shake256Xof, } - impl Shake256Absorb { - #[inline(always)] - pub(crate) fn init() -> Shake256Absorb { - Shake256Absorb { - state: incremental::Shake256Absorb::new(), + impl shake256::Xof for Shake256Xof { + fn init() -> Self { + Shake256Xof { + state: incremental::Shake256Xof::new(), } } - #[inline(always)] - pub(crate) fn absorb(st: &mut Shake256Absorb, input: &[u8]) { - st.state.absorb(input) + fn absorb(&mut self, input: &[u8]) { + self.state.absorb(input); } - #[inline(always)] - pub(crate) fn absorb_final(st: Shake256Absorb, input: &[u8]) -> Shake256Squeeze { - st.state.absorb_final(input) + fn absorb_final(&mut self, input: &[u8]) { + self.state.absorb_final(input); } - } - #[cfg_attr(hax, hax_lib::opaque_type)] - pub(crate) struct Shake256Squeeze { - state: incremental::Shake256Squeeze, - } - - impl Shake256Squeeze { - #[inline(always)] - pub(crate) fn shake256_squeeze(st: &mut Shake256Squeeze, out: &mut [u8]) { - st.state.squeeze(out) + fn squeeze(&mut self, out: &mut [u8]) { + self.state.squeeze(out) } } } @@ -535,14 +530,6 @@ pub(crate) mod simd256 { Shake256 { state } } - #[inline(always)] - fn init_absorb_shake256(input: &[u8]) -> Shake256 { - let mut state = libcrux_sha3::portable::incremental::shake256_init(); - libcrux_sha3::portable::incremental::shake256_absorb(&mut state, input); - - Shake256 { state } - } - #[inline(always)] fn squeeze_first_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { let mut out = [0u8; shake256::BLOCK_SIZE]; @@ -563,7 +550,7 @@ pub(crate) mod simd256 { out } - impl shake256::Xof for Shake256 { + impl shake256::DsaXof for Shake256 { #[inline(always)] fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { shake256(input, out) @@ -574,16 +561,6 @@ pub(crate) mod simd256 { init_absorb_final_shake256(input) } - #[inline(always)] - fn init_absorb(input: &[u8]) -> Self { - init_absorb_shake256(input) - } - - #[inline(always)] - fn absorb(input: &[u8]) -> Self { - absorb_shake256(self, input) - } - #[inline(always)] fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { squeeze_first_block_shake256(self) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 2bbb00b30..0b1a314ba 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -4,7 +4,7 @@ use crate::{ }, constants::*, encoding::{self, signature::Signature}, - hash_functions::{portable::Shake256, shake128, shake256}, + hash_functions::{shake128, shake256}, matrix::{ add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors, vector_times_ring_element, @@ -29,7 +29,8 @@ pub(crate) mod multiplexing; pub(crate) fn generate_key_pair< SIMDUnit: Operations, Shake128X4: shake128::XofX4, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, Shake256X4: shake256::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, @@ -42,11 +43,12 @@ pub(crate) fn generate_key_pair< ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE let mut seed_expanded = [0; 128]; - let mut shake = Shake256::init_absorb(&randomness); - // let mut shake = shake256_absorb_final(shake, &[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); - shake.absorb(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); - - shake256_squeeze(&mut shake, &mut seed_expanded); + { + let mut shake = Shake256Xof::init(); + shake.absorb(&randomness); + shake.absorb_final(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); + shake.squeeze(&mut seed_expanded); + } let (seed_for_a, seed_expanded) = seed_expanded.split_at(SEED_FOR_A_SIZE); let (seed_for_error_vectors, seed_for_signing) = @@ -94,7 +96,8 @@ pub(crate) fn generate_key_pair< pub(crate) fn sign_pre_hashed< SIMDUnit: Operations, Shake128X4: shake128::XofX4, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, Shake256X4: shake256::XofX4, PH: PreHash, const PH_DIGEST_LEN: usize, @@ -126,6 +129,7 @@ pub(crate) fn sign_pre_hashed< SIMDUnit, Shake128X4, Shake256, + Shake256Xof, Shake256X4, ROWS_IN_A, COLUMNS_IN_A, @@ -154,7 +158,8 @@ pub(crate) fn sign_pre_hashed< pub(crate) fn sign< SIMDUnit: Operations, Shake128X4: shake128::XofX4, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, Shake256X4: shake256::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, @@ -181,6 +186,7 @@ pub(crate) fn sign< SIMDUnit, Shake128X4, Shake256, + Shake256Xof, Shake256X4, ROWS_IN_A, COLUMNS_IN_A, @@ -213,7 +219,8 @@ pub(crate) fn sign< pub(crate) fn sign_internal< SIMDUnit: Operations, Shake128X4: shake128::XofX4, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, Shake256X4: shake256::XofX4, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, @@ -249,7 +256,7 @@ pub(crate) fn sign_internal< samplex4::matrix_A::(into_padded_array(&seed_for_A)); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; - derive_message_representative( + derive_message_representative::( verification_key_hash, domain_separation_context, message, @@ -258,12 +265,12 @@ pub(crate) fn sign_internal< let mut mask_seed = [0; MASK_SEED_SIZE]; { - let mut shake = shake256_init(); - shake256_absorb(&mut shake, &seed_for_signing); - shake256_absorb(&mut shake, &randomness); - let mut shake = shake256_absorb_final(shake, &message_representative); + let mut shake = Shake256Xof::init(); + shake.absorb(&seed_for_signing); + shake.absorb(&randomness); + shake.absorb_final(&message_representative); - shake256_squeeze(&mut shake, &mut mask_seed); + shake.squeeze(&mut mask_seed); } let mut domain_separator_for_mask: u16 = 0; @@ -304,11 +311,11 @@ pub(crate) fn sign_internal< COMMITMENT_VECTOR_SIZE, >(commitment); - let mut shake = shake256_init(); - shake256_absorb(&mut shake, &message_representative); - let mut shake = shake256_absorb_final(shake, &commitment_serialized); + let mut shake = Shake256Xof::init(); + shake.absorb(&message_representative); + shake.absorb_final(&commitment_serialized); - shake256_squeeze(&mut shake, &mut commitment_hash_candidate); + shake.squeeze(&mut commitment_hash_candidate); } let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::< @@ -416,31 +423,25 @@ pub(crate) fn sign_internal< /// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA /// variant. #[inline(always)] -fn derive_message_representative( +fn derive_message_representative( verification_key_hash: [u8; 64], domain_separation_context: Option, message: &[u8], message_representative: &mut [u8; 64], ) { - let mut shake = shake256_init(); - shake256_absorb(&mut shake, &verification_key_hash); + let mut shake = Shake256Xof::init(); + shake.absorb(&verification_key_hash); if let Some(domain_separation_context) = domain_separation_context { - shake256_absorb( - &mut shake, - &[domain_separation_context.pre_hash_oid().is_some() as u8], - ); - shake256_absorb( - &mut shake, - &[domain_separation_context.context().len() as u8], - ); - shake256_absorb(&mut shake, domain_separation_context.context()); + shake.absorb(&[domain_separation_context.pre_hash_oid().is_some() as u8]); + shake.absorb(&[domain_separation_context.context().len() as u8]); + shake.absorb(domain_separation_context.context()); if let Some(pre_hash_oid) = domain_separation_context.pre_hash_oid() { - shake256_absorb(&mut shake, pre_hash_oid) + shake.absorb(pre_hash_oid) } } - let mut shake = shake256_absorb_final(shake, message); - shake256_squeeze(&mut shake, message_representative); + shake.absorb_final(message); + shake.squeeze(message_representative); } /// The internal verification API. @@ -452,7 +453,8 @@ fn derive_message_representative( pub(crate) fn verify_internal< SIMDUnit: Operations, Shake128X4: shake128::XofX4, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, const SIGNATURE_SIZE: usize, @@ -499,7 +501,7 @@ pub(crate) fn verify_internal< &mut verification_key_hash, ); let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; - derive_message_representative( + derive_message_representative::( verification_key_hash, domain_separation_context, message, @@ -530,11 +532,11 @@ pub(crate) fn verify_internal< COMMITMENT_VECTOR_SIZE, >(commitment); - let mut shake = shake256_init(); - shake256_absorb(&mut shake, &message_representative); - let mut shake = shake256_absorb_final(shake, &commitment_serialized); + let mut shake = Shake256Xof::init(); + shake.absorb(&message_representative); + shake.absorb_final(&commitment_serialized); - shake256_squeeze(&mut shake, &mut commitment_hash); + shake.squeeze(&mut commitment_hash); } if signature.commitment_hash != commitment_hash { @@ -552,7 +554,8 @@ pub(crate) fn verify_internal< pub(crate) fn verify< SIMDUnit: Operations, Shake128X4: shake128::XofX4, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, const ROWS_IN_A: usize, const COLUMNS_IN_A: usize, const SIGNATURE_SIZE: usize, @@ -577,6 +580,7 @@ pub(crate) fn verify< SIMDUnit, Shake128X4, Shake256, + Shake256Xof, ROWS_IN_A, COLUMNS_IN_A, SIGNATURE_SIZE, @@ -603,7 +607,8 @@ pub(crate) fn verify< pub(crate) fn verify_pre_hashed< SIMDUnit: Operations, Shake128X4: shake128::XofX4, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, + Shake256Xof: shake256::Xof, PH: PreHash, const PH_DIGEST_LEN: usize, const ROWS_IN_A: usize, @@ -631,6 +636,7 @@ pub(crate) fn verify_pre_hashed< SIMDUnit, Shake128X4, Shake256, + Shake256Xof, ROWS_IN_A, COLUMNS_IN_A, SIGNATURE_SIZE, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 15936617b..e5df772bc 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -1,5 +1,5 @@ macro_rules! instantiate { - ($modp:ident, $simdunit:path, $shake128x4:path, $shake256:path, $shake256x4:path) => { + ($modp:ident, $simdunit:path, $shake128x4:path, $shake256:path, $shake256xof:path, $shake256x4:path) => { pub mod $modp { use crate::{ constants::*, @@ -23,6 +23,7 @@ macro_rules! instantiate { $simdunit, $shake128x4, $shake256, + $shake256xof, $shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -59,6 +60,7 @@ macro_rules! instantiate { $simdunit, $shake128x4, $shake256, + $shake256xof, $shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -103,6 +105,7 @@ macro_rules! instantiate { $simdunit, $shake128x4, $shake256, + $shake256xof, $shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -147,6 +150,7 @@ macro_rules! instantiate { $simdunit, $shake128x4, $shake256, + $shake256xof, $shake256x4, SHAKE128_PH, 256, @@ -192,6 +196,7 @@ macro_rules! instantiate { $simdunit, $shake128x4, $shake256, + $shake256xof, ROWS_IN_A, COLUMNS_IN_A, SIGNATURE_SIZE, @@ -233,6 +238,7 @@ macro_rules! instantiate { $simdunit, $shake128x4, $shake256, + $shake256xof, ROWS_IN_A, COLUMNS_IN_A, SIGNATURE_SIZE, @@ -274,6 +280,7 @@ macro_rules! instantiate { $simdunit, $shake128x4, $shake256, + $shake256xof, SHAKE128_PH, 256, ROWS_IN_A, @@ -300,6 +307,7 @@ instantiate! {portable, crate::simd::portable::PortableSIMDUnit, crate::hash_functions::portable::Shake128X4, crate::hash_functions::portable::Shake256, + crate::hash_functions::portable::Shake256Xof, crate::hash_functions::portable::Shake256X4 } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 6f3a754a2..5c4dd2fe1 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -25,6 +25,7 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -63,6 +64,7 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -109,6 +111,7 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -155,6 +158,7 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 crate::hash_functions::simd256::Shake256x4, SHAKE128_PH, 256, @@ -202,6 +206,7 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 ROWS_IN_A, COLUMNS_IN_A, SIGNATURE_SIZE, @@ -245,6 +250,7 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 ROWS_IN_A, COLUMNS_IN_A, SIGNATURE_SIZE, @@ -288,6 +294,7 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, + crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 SHAKE128_PH, 256, ROWS_IN_A, diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index f9de41a1b..14bcdca69 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -339,7 +339,7 @@ fn update_seed(mut seed: [u8; 66], domain_separator: &mut u16) -> [u8; 66] { #[inline(always)] fn sample_mask_ring_element< SIMDUnit: Operations, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, const GAMMA1_EXPONENT: usize, >( seed: [u8; 66], @@ -362,7 +362,7 @@ fn sample_mask_ring_element< #[inline(always)] pub(crate) fn sample_mask_vector< SIMDUnit: Operations, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, Shake256X4: shake256::XofX4, const DIMENSION: usize, const GAMMA1_EXPONENT: usize, @@ -453,7 +453,7 @@ fn inside_out_shuffle( #[inline(always)] pub(crate) fn sample_challenge_ring_element< SIMDUnit: Operations, - Shake256: shake256::Xof, + Shake256: shake256::DsaXof, const NUMBER_OF_ONES: usize, const SEED_SIZE: usize, >( @@ -669,7 +669,7 @@ mod tests { ); } - fn test_sample_challenge_ring_element_generic() { + fn test_sample_challenge_ring_element_generic() { // When TAU = 39 let seed: [u8; 32] = [ 3, 9, 159, 119, 236, 6, 207, 7, 103, 108, 187, 137, 222, 35, 37, 30, 79, 224, 204, 186, diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs index c1395155d..0d5d02d8c 100644 --- a/libcrux-sha3/src/lib.rs +++ b/libcrux-sha3/src/lib.rs @@ -265,35 +265,23 @@ pub mod portable { mod private { pub trait Sealed {} - impl Sealed for super::Shake128Absorb {} - impl Sealed for super::Shake128Squeeze {} - impl Sealed for super::Shake256Absorb {} - impl Sealed for super::Shake256Squeeze {} + impl Sealed for super::Shake128Xof {} + impl Sealed for super::Shake256Xof {} } use super::*; /// SHAKE128 in absorb state - pub struct Shake128Absorb { - state: KeccakXofState<1, 168, u64>, - } - /// SHAKE128 in squeeze state - pub struct Shake128Squeeze { + pub struct Shake128Xof { state: KeccakXofState<1, 168, u64>, } + /// SHAKE256 in absorb state - pub struct Shake256Absorb { - state: KeccakXofState<1, 136, u64>, - } - /// SHAKE256 in squeeze state - pub struct Shake256Squeeze { + pub struct Shake256Xof { state: KeccakXofState<1, 136, u64>, } /// An XOF in absorb state - pub trait XofAbsorb: private::Sealed { - /// The state after final input absorption - type Squeeze; - + pub trait Xof: private::Sealed { /// Create new absorb state fn new() -> Self; @@ -301,11 +289,13 @@ pub mod portable { fn absorb(&mut self, input: &[u8]); /// Absorb final input (may be empty) - fn absorb_final(self, input: &[u8]) -> Self::Squeeze; + fn absorb_final(&mut self, input: &[u8]); + + /// Squeeze output bytes + fn squeeze(&mut self, out: &mut [u8]); } - impl XofAbsorb<168> for Shake128Absorb { - type Squeeze = Shake128Squeeze; + impl Xof<168> for Shake128Xof { fn new() -> Self { Self { state: KeccakXofState::<1, 168, u64>::new(), @@ -316,19 +306,10 @@ pub mod portable { self.state.absorb([input]); } - fn absorb_final(mut self, input: &[u8]) -> Shake128Squeeze { + fn absorb_final(&mut self, input: &[u8]) { self.state.absorb_final::<0x1fu8>([input]); - Shake128Squeeze { state: self.state } } - } - /// An XOF in squeeze state - pub trait XofSqueeze: private::Sealed { - /// Squeeze output bytes - fn squeeze(&mut self, out: &mut [u8]); - } - /// Shake128 XOF in squeeze state - impl XofSqueeze<168> for Shake128Squeeze { /// Shake128 squeeze fn squeeze(&mut self, out: &mut [u8]) { self.state.squeeze([out]); @@ -336,8 +317,7 @@ pub mod portable { } /// Shake256 XOF in absorb state - impl XofAbsorb<136> for Shake256Absorb { - type Squeeze = Shake256Squeeze; + impl Xof<136> for Shake256Xof { /// Shake256 new state fn new() -> Self { Self { @@ -351,14 +331,10 @@ pub mod portable { } /// Shake256 absorb final - fn absorb_final(mut self, input: &[u8]) -> Shake256Squeeze { + fn absorb_final(&mut self, input: &[u8]) { self.state.absorb_final::<0x1fu8>([input]); - Shake256Squeeze { state: self.state } } - } - /// Shake256 XOF in squeeze state - impl XofSqueeze<136> for Shake256Squeeze { /// Shake256 squeeze fn squeeze(&mut self, out: &mut [u8]) { self.state.squeeze([out]); From 7bf825af76a34466b18ead540bb08b9631dbfd13 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 5 Dec 2024 13:11:49 +0000 Subject: [PATCH 03/27] F* extraction --- .../Libcrux_ml_dsa.Encoding.Signing_key.fst | 2 +- .../Libcrux_ml_dsa.Encoding.Signing_key.fsti | 2 +- ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 22 +- ...ibcrux_ml_dsa.Hash_functions.Shake256.fsti | 34 +- ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 4 +- ...neric.Instantiations.Avx2.Avx2_feature.fst | 14 +- ...eric.Instantiations.Avx2.Avx2_feature.fsti | 1 + ...dsa.Ml_dsa_generic.Instantiations.Neon.fst | 13 +- ...Ml_dsa_generic.Instantiations.Portable.fst | 13 +- .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 304 +++++++++++------- .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 77 +++-- .../extraction/Libcrux_ml_dsa.Sample.fst | 8 +- .../extraction/Libcrux_ml_dsa.Sample.fsti | 6 +- .../src/ml_dsa_generic/instantiations.rs | 1 + 14 files changed, 311 insertions(+), 190 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst index 1394c5939..7088fe927 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst @@ -102,7 +102,7 @@ let generate_serialized Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (seed_for_A seed_for_signing verification_key: t_Slice u8) (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti index b8a8f2d90..bad7c34f3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti @@ -27,7 +27,7 @@ val generate_serialized (#v_SIMDUnit #v_Shake256: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} (seed_for_A seed_for_signing verification_key: t_Slice u8) (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 0a59a5cc8..b2a04571e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti @@ -17,9 +17,7 @@ val t_Shake256:Type0 /// We\'re using a portable implementation so this is actually sequential. val t_Shake256X4:Type0 -val t_Shake256Absorb:Type0 - -val t_Shake256Squeeze:Type0 +val t_Shake256Xof:Type0 [@@ FStar.Tactics.Typeclasses.tcinstance] val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 @@ -28,15 +26,18 @@ val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 val impl_1:Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 +val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_3:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_4:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof + val init_absorb (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) -val init_absorb_shake256 (input: t_Slice u8) +val init_absorb_final_shake256 (input: t_Slice u8) : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) @@ -48,17 +49,6 @@ val shake128 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUT val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) -val shake256_absorb (st: t_Shake256Absorb) (input: t_Slice u8) - : Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True) - -val shake256_absorb_final (st: t_Shake256Absorb) (input: t_Slice u8) - : Prims.Pure t_Shake256Squeeze Prims.l_True (fun _ -> Prims.l_True) - -val shake256_init: Prims.unit -> Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True) - -val shake256_squeeze (st: t_Shake256Squeeze) (out: t_Slice u8) - : Prims.Pure (t_Shake256Squeeze & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - val squeeze_first_block_shake256 (state: t_Shake256) : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti index bd150aa95..4f08af6fa 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti @@ -3,7 +3,8 @@ module Libcrux_ml_dsa.Hash_functions.Shake256 open Core open FStar.Mul -class t_Xof (v_Self: Type0) = { +/// An ML-DSA specific Xof trait +class t_DsaXof (v_Self: Type0) = { f_shake256_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; f_shake256_post: v_OUTPUT_LENGTH: usize -> @@ -15,10 +16,12 @@ class t_Xof (v_Self: Type0) = { -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) (f_shake256_pre v_OUTPUT_LENGTH x0 x1) (fun result -> f_shake256_post v_OUTPUT_LENGTH x0 x1 result); - f_init_absorb_pre:t_Slice u8 -> Type0; - f_init_absorb_post:t_Slice u8 -> v_Self -> Type0; - f_init_absorb:x0: t_Slice u8 - -> Prims.Pure v_Self (f_init_absorb_pre x0) (fun result -> f_init_absorb_post x0 result); + f_init_absorb_final_pre:t_Slice u8 -> Type0; + f_init_absorb_final_post:t_Slice u8 -> v_Self -> Type0; + f_init_absorb_final:x0: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_final_pre x0) + (fun result -> f_init_absorb_final_post x0 result); f_squeeze_first_block_pre:v_Self -> Type0; f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; f_squeeze_first_block:x0: v_Self @@ -33,6 +36,27 @@ class t_Xof (v_Self: Type0) = { (fun result -> f_squeeze_next_block_post x0 result) } +/// A generic Xof trait +class t_Xof (v_Self: Type0) = { + f_init_pre:Prims.unit -> Type0; + f_init_post:Prims.unit -> v_Self -> Type0; + f_init:x0: Prims.unit -> Prims.Pure v_Self (f_init_pre x0) (fun result -> f_init_post x0 result); + f_absorb_pre:v_Self -> t_Slice u8 -> Type0; + f_absorb_post:v_Self -> t_Slice u8 -> v_Self -> Type0; + f_absorb:x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure v_Self (f_absorb_pre x0 x1) (fun result -> f_absorb_post x0 x1 result); + f_absorb_final_pre:v_Self -> t_Slice u8 -> Type0; + f_absorb_final_post:v_Self -> t_Slice u8 -> v_Self -> Type0; + f_absorb_final:x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure v_Self (f_absorb_final_pre x0 x1) (fun result -> f_absorb_final_post x0 x1 result); + f_squeeze_pre:v_Self -> t_Slice u8 -> Type0; + f_squeeze_post:v_Self -> t_Slice u8 -> (v_Self & t_Slice u8) -> Type0; + f_squeeze:x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure (v_Self & t_Slice u8) + (f_squeeze_pre x0 x1) + (fun result -> f_squeeze_post x0 x1 result) +} + class t_XofX4 (v_Self: Type0) = { f_init_absorb_x4_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; f_init_absorb_x4_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti index 32174758b..c40649c70 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti @@ -18,7 +18,7 @@ val t_Shake256:Type0 val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 +val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256 [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 @@ -27,7 +27,7 @@ val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 val init_absorb (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) -val init_absorb_shake256 (input: t_Slice u8) +val init_absorb_final_shake256 (input: t_Slice u8) : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst index db410963c..ccfe9b578 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst @@ -6,6 +6,7 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Hash_functions.Simd256 in @@ -22,6 +23,7 @@ let generate_key_pair Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness @@ -37,6 +39,7 @@ let sign Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT @@ -55,6 +58,7 @@ let sign_pre_hashed_shake128 Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE @@ -73,9 +77,10 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE - v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature let verify_pre_hashed_shake128 @@ -90,7 +95,8 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti index f5492bbb9..d24fb5ad1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti @@ -6,6 +6,7 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Hash_functions.Simd256 in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst index 9e12c192d..d8354ab2f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst @@ -23,6 +23,7 @@ let generate_key_pair Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness @@ -38,6 +39,7 @@ let sign Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT @@ -56,6 +58,7 @@ let sign_pre_hashed_shake128 Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE @@ -74,9 +77,10 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE - v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature let verify_pre_hashed_shake128 @@ -91,7 +95,8 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst index 3ed0bdc8f..8672a8e98 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst @@ -22,6 +22,7 @@ let generate_key_pair Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness @@ -37,6 +38,7 @@ let sign Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT @@ -55,6 +57,7 @@ let sign_pre_hashed_shake128 Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE @@ -73,9 +76,10 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE - v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature let verify_pre_hashed_shake128 @@ -90,7 +94,8 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index 0af8aebcb..21226d0c1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -13,24 +13,32 @@ let _ = () let derive_message_representative + (#v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (verification_key_hash: t_Array u8 (sz 64)) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (message: t_Slice u8) (message_representative: t_Array u8 (sz 64)) = - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake (verification_key_hash <: t_Slice u8) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + let shake:v_Shake256Xof = match domain_separation_context with | Core.Option.Option_Some domain_separation_context -> - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake ((let list = [ cast (Core.Option.impl__is_some #(t_Array u8 (sz 11)) @@ -48,8 +56,10 @@ let derive_message_representative <: t_Slice u8) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake ((let list = [ cast (Core.Slice.impl__len #u8 @@ -67,44 +77,58 @@ let derive_message_representative <: t_Slice u8) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context <: t_Slice u8) in (match Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context with | Core.Option.Option_Some pre_hash_oid -> - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (pre_hash_oid <: t_Slice u8) + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (pre_hash_oid <: t_Slice u8) | _ -> shake) | _ -> shake in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake message + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + message in - let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake message_representative + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + message_representative in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let shake:v_Shake256Xof = tmp0 in let message_representative:t_Array u8 (sz 64) = tmp1 in let _:Prims.unit = () in message_representative let sign_internal - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message: t_Slice u8) @@ -139,29 +163,41 @@ let sign_internal in let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in let message_representative:t_Array u8 (sz 64) = - derive_message_representative verification_key_hash + derive_message_representative #v_Shake256Xof + verification_key_hash domain_separation_context message message_representative in let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (seed_for_signing <: t_Slice u8) + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (seed_for_signing <: t_Slice u8) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8) + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake (message_representative <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake mask_seed + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let shake:v_Shake256Xof = tmp0 in let mask_seed:t_Array u8 (sz 64) = tmp1 in let _:Prims.unit = () in let _:Prims.unit = () in @@ -258,22 +294,30 @@ let sign_internal v_COMMITMENT_VECTOR_SIZE commitment in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake (message_representative <: t_Slice u8) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake (commitment_serialized <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & - t_Array u8 v_COMMITMENT_HASH_SIZE) = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake commitment_hash_candidate + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 v_COMMITMENT_HASH_SIZE) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let shake:v_Shake256Xof = tmp0 in let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in let _:Prims.unit = () in let _:Prims.unit = () in @@ -504,22 +548,25 @@ let sign_internal Libcrux_ml_dsa.Types.t_SigningError let sign - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) @@ -530,11 +577,11 @@ let sign (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with | Core.Result.Result_Ok hoist36 -> - sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A - v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key - message + sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message (Core.Option.Option_Some hoist36 <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness @@ -549,26 +596,29 @@ let sign Libcrux_ml_dsa.Types.t_SigningError let sign_pre_hashed - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) @@ -595,11 +645,11 @@ let sign_pre_hashed Core.Option.t_Option (t_Array u8 (sz 11))) with | Core.Result.Result_Ok hoist39 -> - sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A - v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE - v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE - signing_key (pre_hashed_message <: t_Slice u8) + sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key (pre_hashed_message <: t_Slice u8) (Core.Option.Option_Some hoist39 <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness @@ -614,21 +664,24 @@ let sign_pre_hashed Libcrux_ml_dsa.Types.t_SigningError let verify_internal - (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: + i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message: t_Slice u8) (domain_separation_context: @@ -682,7 +735,8 @@ let verify_internal in let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in let message_representative:t_Array u8 (sz 64) = - derive_message_representative verification_key_hash + derive_message_representative #v_Shake256Xof + verification_key_hash domain_separation_context message message_representative @@ -725,22 +779,30 @@ let verify_internal v_COMMITMENT_VECTOR_SIZE commitment in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake (message_representative <: t_Slice u8) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake (commitment_serialized <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & - t_Array u8 v_COMMITMENT_HASH_SIZE) = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake commitment_hash + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 v_COMMITMENT_HASH_SIZE) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let shake:v_Shake256Xof = tmp0 in let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in let _:Prims.unit = () in let _:Prims.unit = () in @@ -769,21 +831,24 @@ let verify_internal Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError let verify - (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: + i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) @@ -793,7 +858,7 @@ let verify (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with | Core.Result.Result_Ok hoist41 -> - verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A + verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message @@ -810,23 +875,26 @@ let verify Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError let verify_pre_hashed - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) @@ -845,7 +913,7 @@ let verify_pre_hashed Core.Option.t_Option (t_Array u8 (sz 11))) with | Core.Result.Result_Ok hoist43 -> - verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A + verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized @@ -863,44 +931,56 @@ let verify_pre_hashed Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError let generate_key_pair - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (randomness: t_Array u8 (sz 32)) = let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8) + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake ((let list = [cast (v_ROWS_IN_A <: usize) <: u8; cast (v_COLUMNS_IN_A <: usize) <: u8] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); Rust_primitives.Hax.array_of_list 2 list) <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 128)) = - Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake seed_expanded + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded in - let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let shake:v_Shake256Xof = tmp0 in let seed_expanded:t_Array u8 (sz 128) = tmp1 in let _:Prims.unit = () in + let _:Prims.unit = () in let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (seed_expanded <: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti index abf9c8d7c..574ce29b4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti @@ -30,6 +30,8 @@ let _ = /// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA /// variant. val derive_message_representative + (#v_Shake256Xof: Type0) + {| i1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} (verification_key_hash: t_Array u8 (sz 64)) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) @@ -41,15 +43,16 @@ val derive_message_representative /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. val sign_internal - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) - {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message: t_Slice u8) (domain_separation_context: @@ -60,15 +63,16 @@ val sign_internal Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) val sign - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) - {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) @@ -77,17 +81,18 @@ val sign Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) val sign_pre_hashed - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) - {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - {| i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i11: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) @@ -99,15 +104,16 @@ val sign_pre_hashed /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. val verify_internal - (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) - {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message: t_Slice u8) (domain_separation_context: @@ -118,15 +124,16 @@ val verify_internal (fun _ -> Prims.l_True) val verify - (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) - {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) @@ -135,16 +142,17 @@ val verify (fun _ -> Prims.l_True) val verify_pre_hashed - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) - {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - {| i7: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) @@ -154,13 +162,14 @@ val verify_pre_hashed /// Generate a key pair. val generate_key_pair - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} (randomness: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index 2c3c28d2f..2a6b43436 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst @@ -281,11 +281,11 @@ let sample_challenge_ring_element Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (seed: t_Array u8 v_SEED_SIZE) = let state:v_Shake256 = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256 + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_final #v_Shake256 #FStar.Tactics.Typeclasses.solve (seed <: t_Slice u8) in @@ -1047,7 +1047,7 @@ let sample_mask_ring_element Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (seed: t_Array u8 (sz 66)) = match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with @@ -1085,7 +1085,7 @@ let sample_mask_vector Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] i4: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti index 6f4c4d09d..02905d2e7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti @@ -59,7 +59,7 @@ val sample_challenge_ring_element (#v_SIMDUnit #v_Shake256: Type0) (v_NUMBER_OF_ONES v_SEED_SIZE: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} (seed: t_Array u8 v_SEED_SIZE) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True @@ -97,7 +97,7 @@ val sample_mask_ring_element (#v_SIMDUnit #v_Shake256: Type0) (v_GAMMA1_EXPONENT: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} (seed: t_Array u8 (sz 66)) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True @@ -107,7 +107,7 @@ val sample_mask_vector (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) (v_DIMENSION v_GAMMA1_EXPONENT: usize) {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} (seed: t_Array u8 (sz 66)) (domain_separator: u16) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index e5df772bc..e91d18387 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -321,5 +321,6 @@ instantiate! {neon, crate::simd::portable::PortableSIMDUnit, crate::hash_functions::neon::Shake128x4, crate::hash_functions::portable::Shake256, + crate::hash_functions::portable::Shake256Xof, crate::hash_functions::neon::Shake256x4 } From 38bf4698b35566ed740556f03e998f1b78e38096 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 5 Dec 2024 15:35:17 +0000 Subject: [PATCH 04/27] wip core.option.Option_c4 (found in file libcrux_core) mentions libcrux_ml_dsa.polynomial.PolynomialRingElement_24 (found in file libcrux_mldsa65_avx2) --- libcrux-ml-dsa/cg.yaml | 41 +++++++++---------- libcrux-ml-dsa/cg/code_gen.txt | 10 ++--- libcrux-ml-dsa/cg/header.txt | 10 ++--- libcrux-ml-dsa/src/ml_dsa_generic.rs | 6 ++- .../src/ml_dsa_generic/instantiations.rs | 6 ++- .../src/ml_dsa_generic/instantiations/avx2.rs | 2 + libcrux-ml-dsa/src/polynomial.rs | 2 - libcrux-ml-dsa/src/pre_hash.rs | 12 +++--- 8 files changed, 48 insertions(+), 41 deletions(-) diff --git a/libcrux-ml-dsa/cg.yaml b/libcrux-ml-dsa/cg.yaml index 717d14827..3162d75b4 100644 --- a/libcrux-ml-dsa/cg.yaml +++ b/libcrux-ml-dsa/cg.yaml @@ -45,6 +45,26 @@ files: monomorphizations_using: - [libcrux_sha3, "*"] + # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS + - name: libcrux_core + inline_static: true + private: + monomorphizations_of: + - [core, "*"] + - [libcrux_ml_dsa, types, "*"] + - [libcrux_ml_dsa, utils, "*" ] + monomorphizations_using: + - [Eurydice, "*" ] + - [libcrux_ml_dsa, types, "*"] + patterns: + - [core, "*"] + - [libcrux_ml_dsa, types ] + - [libcrux_ml_dsa, constants ] + - [libcrux_ml_dsa, utils, "*" ] + # - [libcrux_ml_dsa, simd, traits ] + api: + - [Eurydice, "*"] + # MLDSA-65 - name: libcrux_mldsa65_avx2 @@ -93,27 +113,6 @@ files: - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"] - [core, option, Option_84] - - # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS - - name: libcrux_core - inline_static: true - private: - monomorphizations_of: - - [core, "*"] - - [libcrux_ml_dsa, types, "*"] - - [libcrux_ml_dsa, utils, "*" ] - monomorphizations_using: - - [Eurydice, "*" ] - - [libcrux_ml_dsa, types, "*"] - patterns: - - [core, "*"] - - [libcrux_ml_dsa, types, "*" ] - - [libcrux_ml_dsa, constants ] - - [libcrux_ml_dsa, utils, "*" ] - - [libcrux_ml_dsa, simd, traits ] - api: - - [Eurydice, "*"] - naming: skip_prefix: - [ core, core_arch, arm_shared, neon ] diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index c7ae67f4f..9a67e7142 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -1,6 +1,6 @@ This code was generated with the following revisions: -Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 -Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20 -Karamel: 8c3612018c25889288da6857771be3ad03b75bcd -F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty -Libcrux: ebd9959e4b3ba3155e1f0225ac0764b1a8657d7f +Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 +Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 +Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 +F*: b0961063393215ca65927f017720cb365a193833-dirty +Libcrux: 7bf825af76a34466b18ead540bb08b9631dbfd13 diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index a2b69ee7f..5415927f3 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -4,9 +4,9 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 - * Eurydice: e2db6e88adc9995ca9d3dedf7fa9bc4095e9ca20 - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: ebd9959e4b3ba3155e1f0225ac0764b1a8657d7f + * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 + * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 + * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 + * F*: b0961063393215ca65927f017720cb365a193833-dirty + * Libcrux: 7bf825af76a34466b18ead540bb08b9631dbfd13 */ diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 0b1a314ba..da26619ea 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -95,6 +95,7 @@ pub(crate) fn generate_key_pair< #[inline(always)] pub(crate) fn sign_pre_hashed< SIMDUnit: Operations, + Shake128: shake128::Xof, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, @@ -124,7 +125,7 @@ pub(crate) fn sign_pre_hashed< if context.len() > CONTEXT_MAX_LEN { return Err(SigningError::ContextTooLongError); } - let pre_hashed_message = PH::hash(message); + let pre_hashed_message = PH::hash::(message); sign_internal::< SIMDUnit, Shake128X4, @@ -606,6 +607,7 @@ pub(crate) fn verify< #[inline(always)] pub(crate) fn verify_pre_hashed< SIMDUnit: Operations, + Shake128: shake128::Xof, Shake128X4: shake128::XofX4, Shake256: shake256::DsaXof, Shake256Xof: shake256::Xof, @@ -630,7 +632,7 @@ pub(crate) fn verify_pre_hashed< context: &[u8], signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { - let pre_hashed_message = PH::hash(message); + let pre_hashed_message = PH::hash::(message); verify_internal::< SIMDUnit, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index e91d18387..07920de39 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -1,5 +1,5 @@ macro_rules! instantiate { - ($modp:ident, $simdunit:path, $shake128x4:path, $shake256:path, $shake256xof:path, $shake256x4:path) => { + ($modp:ident, $simdunit:path, $shake128:path, $shake128x4:path, $shake256:path, $shake256xof:path, $shake256x4:path) => { pub mod $modp { use crate::{ constants::*, @@ -148,6 +148,7 @@ macro_rules! instantiate { ) -> Result, SigningError> { crate::ml_dsa_generic::sign_pre_hashed::< $simdunit, + $shake128, $shake128x4, $shake256, $shake256xof, @@ -278,6 +279,7 @@ macro_rules! instantiate { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify_pre_hashed::< $simdunit, + $shake128, $shake128x4, $shake256, $shake256xof, @@ -305,6 +307,7 @@ macro_rules! instantiate { // Portable generic implementations. instantiate! {portable, crate::simd::portable::PortableSIMDUnit, + crate::hash_functions::portable::Shake128, crate::hash_functions::portable::Shake128X4, crate::hash_functions::portable::Shake256, crate::hash_functions::portable::Shake256Xof, @@ -319,6 +322,7 @@ pub mod avx2; #[cfg(feature = "simd128")] instantiate! {neon, crate::simd::portable::PortableSIMDUnit, + crate::hash_functions::portable::Shake128, crate::hash_functions::neon::Shake128x4, crate::hash_functions::portable::Shake256, crate::hash_functions::portable::Shake256Xof, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 5c4dd2fe1..92d06ad8d 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -156,6 +156,7 @@ mod avx2_feature { ) -> Result, SigningError> { crate::ml_dsa_generic::sign_pre_hashed::< crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::portable::Shake128, // XXX: Use simd256 crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 @@ -292,6 +293,7 @@ mod avx2_feature { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify_pre_hashed::< crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::portable::Shake128, // XXX: Use simd256 crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 26c033ad5..2b2884abe 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -8,8 +8,6 @@ pub(crate) struct PolynomialRingElement { pub(crate) simd_units: [SIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], } -pub type OptionalRingElement = Option>; - impl PolynomialRingElement { #[allow(non_snake_case)] pub(crate) fn ZERO() -> Self { diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs index 06855c0f9..480d96eb0 100644 --- a/libcrux-ml-dsa/src/pre_hash.rs +++ b/libcrux-ml-dsa/src/pre_hash.rs @@ -6,7 +6,7 @@ //! pre-hash trait for SHAKE-128, with a digest length of 256 bytes. use crate::{ constants::CONTEXT_MAX_LEN, - hash_functions::shake128::Xof, + hash_functions, types::{SigningError, VerificationError}, }; @@ -19,7 +19,7 @@ pub(crate) trait PreHash { fn oid() -> PreHashOID; /// Used to derive the pre-hash PH of the message before signing. - fn hash(message: &[u8]) -> [u8; DIGEST_LEN]; + fn hash(message: &[u8]) -> [u8; DIGEST_LEN]; } #[allow(non_camel_case_types)] @@ -34,9 +34,9 @@ impl PreHash<256> for SHAKE128_PH { ] } - fn hash(message: &[u8]) -> [u8; 256] { + fn hash(message: &[u8]) -> [u8; 256] { let mut output = [0u8; 256]; - crate::hash_functions::portable::Shake128::shake128(message, &mut output); + Shake128::shake128(message, &mut output); output } @@ -53,12 +53,14 @@ pub(crate) enum DomainSeparationError { ContextTooLongError, } +pub(crate) type PreHashResult<'a> = Result, DomainSeparationError>; + impl<'a> DomainSeparationContext<'a> { /// `context` must be at most 255 bytes long. pub(crate) fn new( context: &'a [u8], pre_hash_oid: Option<&'a PreHashOID>, - ) -> Result { + ) -> PreHashResult<'a> { if context.len() > CONTEXT_MAX_LEN { Err(DomainSeparationError::ContextTooLongError) } else { From 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 5 Dec 2024 19:32:56 +0000 Subject: [PATCH 05/27] more wip eurydice changes --- libcrux-ml-dsa/cg.yaml | 53 +++++++++++++--------- libcrux-ml-dsa/cg/code_gen.txt | 2 +- libcrux-ml-dsa/cg/header.txt | 2 +- libcrux-ml-dsa/src/encoding/signing_key.rs | 35 ++++++++------ libcrux-ml-dsa/src/helper.rs | 53 +++++++++++++--------- libcrux-ml-dsa/src/ml_dsa_generic.rs | 26 +++++++++-- libcrux-ml-dsa/src/pre_hash.rs | 22 +-------- 7 files changed, 108 insertions(+), 85 deletions(-) diff --git a/libcrux-ml-dsa/cg.yaml b/libcrux-ml-dsa/cg.yaml index 3162d75b4..8989a1168 100644 --- a/libcrux-ml-dsa/cg.yaml +++ b/libcrux-ml-dsa/cg.yaml @@ -45,26 +45,6 @@ files: monomorphizations_using: - [libcrux_sha3, "*"] - # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS - - name: libcrux_core - inline_static: true - private: - monomorphizations_of: - - [core, "*"] - - [libcrux_ml_dsa, types, "*"] - - [libcrux_ml_dsa, utils, "*" ] - monomorphizations_using: - - [Eurydice, "*" ] - - [libcrux_ml_dsa, types, "*"] - patterns: - - [core, "*"] - - [libcrux_ml_dsa, types ] - - [libcrux_ml_dsa, constants ] - - [libcrux_ml_dsa, utils, "*" ] - # - [libcrux_ml_dsa, simd, traits ] - api: - - [Eurydice, "*"] - # MLDSA-65 - name: libcrux_mldsa65_avx2 @@ -88,6 +68,8 @@ files: monomorphizations_using: - [libcrux_ml_dsa, simd, avx2, "*"] - [libcrux_ml_dsa, hash_functions, simd256, "*"] + # monomorphizations_exact: + # - [core, option, Option_c4] - name: libcrux_mldsa65_portable inline_static: true @@ -98,21 +80,48 @@ files: - [libcrux_ml_dsa, hash_functions, portable, "*"] - [libcrux_ml_dsa, ml_dsa_65, portable, "*"] - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"] - - [core, option, Option_84] + # - [libcrux_ml_dsa, pre_hash, PreHashResult] + # - [core, option, Option_84] monomorphizations_of: - [libcrux_ml_dsa, polynomial, "*" ] - [libcrux_ml_dsa, simd, "*"] - [libcrux_ml_dsa, hash_functions, portable, "*"] - [libcrux_ml_dsa, ml_dsa_65, portable] - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"] - - [core, option, Option_84] + # - [libcrux_ml_dsa, pre_hash, PreHashResult] + # - [core, option, Option_84] monomorphizations_using: - [libcrux_ml_dsa, polynomial, "*" ] - [libcrux_ml_dsa, simd, "*"] - [libcrux_ml_dsa, hash_functions, portable, "*"] - [libcrux_ml_dsa, ml_dsa_generic, instantiations, portable, "*"] + # - [libcrux_ml_dsa, pre_hash, PreHashResult] + monomorphizations_exact: + - [libcrux_ml_dsa, pre_hash, PreHashResult] + - [core, result, Result_a8] - [core, option, Option_84] + + # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS + - name: libcrux_core + inline_static: true + private: + monomorphizations_of: + - [core, "*"] + - [libcrux_ml_dsa, types, "*"] + - [libcrux_ml_dsa, utils, "*" ] + monomorphizations_using: + - [Eurydice, "*" ] + - [libcrux_ml_dsa, types, "*"] + patterns: + - [core, "*"] + - [libcrux_ml_dsa, types ] + - [libcrux_ml_dsa, constants ] + - [libcrux_ml_dsa, utils, "*" ] + # - [libcrux_ml_dsa, simd, traits ] + api: + - [Eurydice, "*"] + naming: skip_prefix: - [ core, core_arch, arm_shared, neon ] diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index 9a67e7142..497ab14f5 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: 7bf825af76a34466b18ead540bb08b9631dbfd13 +Libcrux: 38bf4698b35566ed740556f03e998f1b78e38096 diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index 5415927f3..335d58baa 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 7bf825af76a34466b18ead540bb08b9631dbfd13 + * Libcrux: 38bf4698b35566ed740556f03e998f1b78e38096 */ diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index 074fe41a6..6a33c4ecc 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -5,6 +5,7 @@ use crate::{ }, encoding, hash_functions::shake256, + helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations, }; @@ -46,24 +47,30 @@ pub(crate) fn generate_serialized< .copy_from_slice(&verification_key_hash); offset += BYTES_FOR_VERIFICATION_KEY_HASH; - for ring_element in s1.iter() { - signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE].copy_from_slice( - &encoding::error::serialize::(*ring_element), - ); - offset += ERROR_RING_ELEMENT_SIZE; + cloop! { + for ring_element in s1.iter() { + signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE].copy_from_slice( + &encoding::error::serialize::(*ring_element), + ); + offset += ERROR_RING_ELEMENT_SIZE; + } } - for ring_element in s2.iter() { - signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE].copy_from_slice( - &encoding::error::serialize::(*ring_element), - ); - offset += ERROR_RING_ELEMENT_SIZE; + cloop! { + for ring_element in s2.iter() { + signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE].copy_from_slice( + &encoding::error::serialize::(*ring_element), + ); + offset += ERROR_RING_ELEMENT_SIZE; + } } - for ring_element in t0.iter() { - signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE] - .copy_from_slice(&encoding::t0::serialize::(*ring_element)); - offset += RING_ELEMENT_OF_T0S_SIZE; + cloop! { + for ring_element in t0.iter() { + signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE] + .copy_from_slice(&encoding::t0::serialize::(*ring_element)); + offset += RING_ELEMENT_OF_T0S_SIZE; + } } signing_key_serialized diff --git a/libcrux-ml-dsa/src/helper.rs b/libcrux-ml-dsa/src/helper.rs index 1dbb5dd22..ef66362c3 100644 --- a/libcrux-ml-dsa/src/helper.rs +++ b/libcrux-ml-dsa/src/helper.rs @@ -1,7 +1,7 @@ /// The following macros are defined so that the extraction from Rust to C code /// can go through. -#[cfg(eurydice)] +// #[cfg(eurydice)] macro_rules! cloop { (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { for $i in 0..$val.$values.len() / ($($chunk_size)*) { @@ -21,6 +21,12 @@ macro_rules! cloop { $body } }; + (for $item:ident in $val:ident.iter() $body:block) => { + for _cloop_i in 0..$val.len() { + let $item = &$val[_cloop_i]; + $body + } + }; (for ($i:ident, $item:ident) in $self:ident.$val:ident.iter().enumerate() $body:block) => { for $i in 0..$self.$val.len() { let $item = &$self.$val[$i]; @@ -41,26 +47,29 @@ macro_rules! cloop { }; } -#[cfg(not(eurydice))] -macro_rules! cloop { - (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { - for ($i, $chunk) in $val.$values.chunks_exact($($chunk_size),*).enumerate() $body - }; - (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { - for ($i, $chunk) in $val.chunks_exact($($chunk_size),*).enumerate() $body - }; - (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => { - for ($i, $item) in $val.iter().enumerate() $body - }; - (for ($i:ident, $item:ident) in $self:ident.$val:ident.iter().enumerate() $body:block) => { - for ($i, $item) in $self.$val.iter().enumerate() $body - }; - (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => { - for ($i, $item) in $val.into_iter().enumerate() $body - }; - (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => { - for $i in ($start..$end).step_by($step) $body - }; -} +// #[cfg(not(eurydice))] +// macro_rules! cloop { +// (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { +// for ($i, $chunk) in $val.$values.chunks_exact($($chunk_size),*).enumerate() $body +// }; +// (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { +// for ($i, $chunk) in $val.chunks_exact($($chunk_size),*).enumerate() $body +// }; +// (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => { +// for ($i, $item) in $val.iter().enumerate() $body +// }; +// (for $item:ident in $val:ident.iter() $body:block) => { +// for $item in $val.iter() $body +// }; +// (for ($i:ident, $item:ident) in $self:ident.$val:ident.iter().enumerate() $body:block) => { +// for ($i, $item) in $self.$val.iter().enumerate() $body +// }; +// (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => { +// for ($i, $item) in $val.into_iter().enumerate() $body +// }; +// (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => { +// for $i in ($start..$end).step_by($step) $body +// }; +// } pub(crate) use cloop; diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index da26619ea..e2d47a15f 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -126,6 +126,11 @@ pub(crate) fn sign_pre_hashed< return Err(SigningError::ContextTooLongError); } let pre_hashed_message = PH::hash::(message); + let oid = PH::oid(); + let domain_separation_context = match DomainSeparationContext::new(context, Some(&oid)) { + Ok(domain_separation_context) => domain_separation_context, + Err(_) => return Err(SigningError::ContextTooLongError), + }; sign_internal::< SIMDUnit, Shake128X4, @@ -149,7 +154,7 @@ pub(crate) fn sign_pre_hashed< >( &signing_key, &pre_hashed_message, - Some(DomainSeparationContext::new(context, Some(&PH::oid()))?), + Some(domain_separation_context), randomness, ) } @@ -183,6 +188,10 @@ pub(crate) fn sign< randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { // TODO: Support implicit into() in ? so that this match becomes unnecessary + let domain_separation_context = match DomainSeparationContext::new(context, None) { + Ok(domain_separation_context) => domain_separation_context, + Err(_) => return Err(SigningError::ContextTooLongError), + }; sign_internal::< SIMDUnit, Shake128X4, @@ -206,7 +215,7 @@ pub(crate) fn sign< >( &signing_key, message, - Some(DomainSeparationContext::new(context, None)?), + Some(domain_separation_context), randomness, ) } @@ -577,6 +586,10 @@ pub(crate) fn verify< signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { // TODO: Support implicit into() in ? so that this match becomes unnecessary + let domain_separation_context = match DomainSeparationContext::new(context, None) { + Ok(domain_separation_context) => domain_separation_context, + Err(_) => return Err(VerificationError::ContextTooLongError), + }; verify_internal::< SIMDUnit, Shake128X4, @@ -598,7 +611,7 @@ pub(crate) fn verify< >( &verification_key_serialized, message, - Some(DomainSeparationContext::new(context, None)?), + Some(domain_separation_context), &signature_serialized, ) } @@ -633,6 +646,11 @@ pub(crate) fn verify_pre_hashed< signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { let pre_hashed_message = PH::hash::(message); + let oid = PH::oid(); + let domain_separation_context = match DomainSeparationContext::new(context, Some(&oid)) { + Ok(domain_separation_context) => domain_separation_context, + Err(_) => return Err(VerificationError::ContextTooLongError), + }; verify_internal::< SIMDUnit, @@ -655,7 +673,7 @@ pub(crate) fn verify_pre_hashed< >( &verification_key_serialized, &pre_hashed_message, - Some(DomainSeparationContext::new(context, Some(&PH::oid()))?), + Some(domain_separation_context), &signature_serialized, ) } diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs index 480d96eb0..ff635536c 100644 --- a/libcrux-ml-dsa/src/pre_hash.rs +++ b/libcrux-ml-dsa/src/pre_hash.rs @@ -4,11 +4,7 @@ //! of FIPS 204, any NIST-approved hash function or XOF can be used to //!/perform the pre-hash of the message. This module implements the //! pre-hash trait for SHAKE-128, with a digest length of 256 bytes. -use crate::{ - constants::CONTEXT_MAX_LEN, - hash_functions, - types::{SigningError, VerificationError}, -}; +use crate::{constants::CONTEXT_MAX_LEN, hash_functions}; pub(crate) const PRE_HASH_OID_LEN: usize = 11; pub(crate) type PreHashOID = [u8; PRE_HASH_OID_LEN]; @@ -81,19 +77,3 @@ impl<'a> DomainSeparationContext<'a> { self.pre_hash_oid } } - -impl From for SigningError { - fn from(e: DomainSeparationError) -> SigningError { - match e { - DomainSeparationError::ContextTooLongError => SigningError::ContextTooLongError, - } - } -} - -impl From for VerificationError { - fn from(e: DomainSeparationError) -> VerificationError { - match e { - DomainSeparationError::ContextTooLongError => VerificationError::ContextTooLongError, - } - } -} From 76e8015f066ed8c431a7eab8985c2bfb03ad7e93 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 6 Dec 2024 12:31:19 +0000 Subject: [PATCH 06/27] update for C extraction --- libcrux-ml-dsa/cg/code_gen.txt | 2 +- libcrux-ml-dsa/cg/header.txt | 2 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 25 +++++----------------- libcrux-ml-dsa/src/pre_hash.rs | 31 +++++++++++++++++++++------- libcrux-ml-dsa/src/types.rs | 4 +++- 5 files changed, 34 insertions(+), 30 deletions(-) diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index 497ab14f5..33600f72a 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: 38bf4698b35566ed740556f03e998f1b78e38096 +Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index 335d58baa..5d85f31d0 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 38bf4698b35566ed740556f03e998f1b78e38096 + * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be */ diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index e2d47a15f..3883b01e0 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -126,11 +126,7 @@ pub(crate) fn sign_pre_hashed< return Err(SigningError::ContextTooLongError); } let pre_hashed_message = PH::hash::(message); - let oid = PH::oid(); - let domain_separation_context = match DomainSeparationContext::new(context, Some(&oid)) { - Ok(domain_separation_context) => domain_separation_context, - Err(_) => return Err(SigningError::ContextTooLongError), - }; + let domain_separation_context = DomainSeparationContext::new(context, Some(&PH::OID))?; sign_internal::< SIMDUnit, Shake128X4, @@ -187,11 +183,7 @@ pub(crate) fn sign< context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { - // TODO: Support implicit into() in ? so that this match becomes unnecessary - let domain_separation_context = match DomainSeparationContext::new(context, None) { - Ok(domain_separation_context) => domain_separation_context, - Err(_) => return Err(SigningError::ContextTooLongError), - }; + let domain_separation_context = DomainSeparationContext::new(context, None)?; sign_internal::< SIMDUnit, Shake128X4, @@ -585,11 +577,8 @@ pub(crate) fn verify< context: &[u8], signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { - // TODO: Support implicit into() in ? so that this match becomes unnecessary - let domain_separation_context = match DomainSeparationContext::new(context, None) { - Ok(domain_separation_context) => domain_separation_context, - Err(_) => return Err(VerificationError::ContextTooLongError), - }; + // We manually do the matching here to make Eurydice happy. + let domain_separation_context = DomainSeparationContext::new(context, None)?; verify_internal::< SIMDUnit, Shake128X4, @@ -646,11 +635,7 @@ pub(crate) fn verify_pre_hashed< signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { let pre_hashed_message = PH::hash::(message); - let oid = PH::oid(); - let domain_separation_context = match DomainSeparationContext::new(context, Some(&oid)) { - Ok(domain_separation_context) => domain_separation_context, - Err(_) => return Err(VerificationError::ContextTooLongError), - }; + let domain_separation_context = DomainSeparationContext::new(context, Some(&PH::OID))?; verify_internal::< SIMDUnit, diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs index ff635536c..7c259c26c 100644 --- a/libcrux-ml-dsa/src/pre_hash.rs +++ b/libcrux-ml-dsa/src/pre_hash.rs @@ -4,7 +4,7 @@ //! of FIPS 204, any NIST-approved hash function or XOF can be used to //!/perform the pre-hash of the message. This module implements the //! pre-hash trait for SHAKE-128, with a digest length of 256 bytes. -use crate::{constants::CONTEXT_MAX_LEN, hash_functions}; +use crate::{constants::CONTEXT_MAX_LEN, hash_functions, SigningError, VerificationError}; pub(crate) const PRE_HASH_OID_LEN: usize = 11; pub(crate) type PreHashOID = [u8; PRE_HASH_OID_LEN]; @@ -12,7 +12,7 @@ pub(crate) type PreHashOID = [u8; PRE_HASH_OID_LEN]; pub(crate) trait PreHash { /// The object identifier (OID) of the hash function or XOF used /// to perform the pre-hashing of the message. - fn oid() -> PreHashOID; + const OID: PreHashOID; /// Used to derive the pre-hash PH of the message before signing. fn hash(message: &[u8]) -> [u8; DIGEST_LEN]; @@ -24,12 +24,11 @@ pub(crate) trait PreHash { pub(crate) struct SHAKE128_PH(); impl PreHash<256> for SHAKE128_PH { - fn oid() -> PreHashOID { - [ - 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0b, - ] - } + const OID: PreHashOID = [ + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0b, + ]; + #[inline(always)] fn hash(message: &[u8]) -> [u8; 256] { let mut output = [0u8; 256]; Shake128::shake128(message, &mut output); @@ -77,3 +76,21 @@ impl<'a> DomainSeparationContext<'a> { self.pre_hash_oid } } + +impl From for SigningError { + fn from(e: DomainSeparationError) -> SigningError { + match e { + DomainSeparationError::ContextTooLongError => SigningError::ContextTooLongError, + } + } +} + +impl From for VerificationError { + fn from(e: DomainSeparationError) -> VerificationError { + match e { + DomainSeparationError::ContextTooLongError => { + VerificationError::VerificationContextTooLongError + } + } + } +} diff --git a/libcrux-ml-dsa/src/types.rs b/libcrux-ml-dsa/src/types.rs index c0304c654..8cc04494d 100644 --- a/libcrux-ml-dsa/src/types.rs +++ b/libcrux-ml-dsa/src/types.rs @@ -71,7 +71,9 @@ pub enum VerificationError { MalformedHintError, SignerResponseExceedsBoundError, CommitmentHashesDontMatchError, - ContextTooLongError, + // FIXME: Eurydice can't handle enum variants with the same name + // https://github.com/AeneasVerif/eurydice/issues/102 + VerificationContextTooLongError, } #[derive(Debug)] From 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 6 Dec 2024 12:31:36 +0000 Subject: [PATCH 07/27] first C extraction --- libcrux-ml-dsa/cg/libcrux_core.h | 455 ++ libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 5651 ++++++++++++++++ libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 6276 ++++++++++++++++++ libcrux-ml-dsa/cg/libcrux_sha3_avx2.h | 2571 +++++++ libcrux-ml-dsa/cg/libcrux_sha3_portable.h | 4931 ++++++++++++++ 5 files changed, 19884 insertions(+) create mode 100644 libcrux-ml-dsa/cg/libcrux_core.h create mode 100644 libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h create mode 100644 libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h create mode 100644 libcrux-ml-dsa/cg/libcrux_sha3_avx2.h create mode 100644 libcrux-ml-dsa/cg/libcrux_sha3_portable.h diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h new file mode 100644 index 000000000..50d5433fc --- /dev/null +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -0,0 +1,455 @@ +/* + * SPDX-FileCopyrightText: 2024 Cryspen Sarl + * + * SPDX-License-Identifier: MIT or Apache-2.0 + * + * This code was generated with the following revisions: + * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 + * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 + * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 + * F*: b0961063393215ca65927f017720cb365a193833-dirty + * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + */ + +#ifndef __libcrux_core_H +#define __libcrux_core_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "eurydice_glue.h" + +/** +A monomorphic instance of core.ops.range.Range +with types size_t + +*/ +typedef struct core_ops_range_Range_08_s { + size_t start; + size_t end; +} core_ops_range_Range_08; + +static inline uint8_t Eurydice_bitand_pv_u8(uint8_t *x, uint8_t y); + +static inline uint8_t Eurydice_shr_pv_u8(uint8_t *x, int32_t y); + +#define None 0 +#define Some 1 + +typedef uint8_t Option_08_tags; + +/** +A monomorphic instance of core.option.Option +with types size_t + +*/ +typedef struct Option_08_s { + Option_08_tags tag; + size_t f0; +} Option_08; + +#define Ok 0 +#define Err 1 + +typedef uint8_t Result_a9_tags; + +/** +A monomorphic instance of core.result.Result +with types (), core_fmt_Error + +*/ +typedef struct Result_a9_s { + Result_a9_tags tag; + void *f0; +} Result_a9; + +static inline Result_a9 core_fmt__core__fmt__Formatter__a__9__write_str( + core_fmt_Formatter *x0, Prims_string x1); + +static inline uint32_t core_num__i32_2__count_ones(int32_t x0); + +static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t x0[8U]); + +static inline void core_num__u64_9__to_le_bytes(uint64_t x0, uint8_t x1[8U]); + +/** +A monomorphic instance of core.result.Result +with types uint8_t[10size_t], core_array_TryFromSliceError + +*/ +typedef struct Result_9d_s { + Result_a9_tags tag; + union { + uint8_t case_Ok[10U]; + TryFromSliceError case_Err; + } val; +} Result_9d; + +/** +This function found in impl {core::result::Result[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of core.result.unwrap_26 +with types uint8_t[10size_t], core_array_TryFromSliceError + +*/ +static inline void unwrap_26_ce(Result_9d self, uint8_t ret[10U]) { + if (self.tag == Ok) { + uint8_t f0[10U]; + memcpy(f0, self.val.case_Ok, (size_t)10U * sizeof(uint8_t)); + memcpy(ret, f0, (size_t)10U * sizeof(uint8_t)); + } else { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "unwrap not Ok"); + KRML_HOST_EXIT(255U); + } +} + +/** +A monomorphic instance of core.result.Result +with types uint8_t[13size_t], core_array_TryFromSliceError + +*/ +typedef struct Result_b0_s { + Result_a9_tags tag; + union { + uint8_t case_Ok[13U]; + TryFromSliceError case_Err; + } val; +} Result_b0; + +/** +This function found in impl {core::result::Result[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of core.result.unwrap_26 +with types uint8_t[13size_t], core_array_TryFromSliceError + +*/ +static inline void unwrap_26_23(Result_b0 self, uint8_t ret[13U]) { + if (self.tag == Ok) { + uint8_t f0[13U]; + memcpy(f0, self.val.case_Ok, (size_t)13U * sizeof(uint8_t)); + memcpy(ret, f0, (size_t)13U * sizeof(uint8_t)); + } else { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "unwrap not Ok"); + KRML_HOST_EXIT(255U); + } +} + +typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature_s { + uint8_t value[3309U]; +} libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature; + +/** + A reference to the raw byte array. +*/ +/** +This function found in impl {libcrux_ml_dsa::types::MLDSASignature#4} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.types.as_raw_8f +with const generics +- SIZE= 3309 +*/ +static inline uint8_t *libcrux_ml_dsa_types_as_raw_8f_fa( + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *self) { + return self->value; +} + +#define libcrux_ml_dsa_types_MalformedHintError 0 +#define libcrux_ml_dsa_types_SignerResponseExceedsBoundError 1 +#define libcrux_ml_dsa_types_CommitmentHashesDontMatchError 2 +#define libcrux_ml_dsa_types_VerificationContextTooLongError 3 + +typedef uint8_t libcrux_ml_dsa_types_VerificationError; + +/** +A monomorphic instance of core.result.Result +with types (), libcrux_ml_dsa_types_VerificationError + +*/ +typedef struct Result_41_s { + Result_a9_tags tag; + libcrux_ml_dsa_types_VerificationError f0; +} Result_41; + +/** +A monomorphic instance of libcrux_ml_dsa.types.MLDSAVerificationKey +with const generics +- $1952size_t +*/ +typedef struct libcrux_ml_dsa_types_MLDSAVerificationKey_ea_s { + uint8_t value[1952U]; +} libcrux_ml_dsa_types_MLDSAVerificationKey_ea; + +/** + A reference to the raw byte array. +*/ +/** +This function found in impl +{libcrux_ml_dsa::types::MLDSAVerificationKey#2} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.types.as_raw_66 +with const generics +- SIZE= 1952 +*/ +static inline uint8_t *libcrux_ml_dsa_types_as_raw_66_97( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *self) { + return self->value; +} + +#define libcrux_ml_dsa_types_RejectionSamplingError 0 +#define libcrux_ml_dsa_types_ContextTooLongError 1 + +typedef uint8_t libcrux_ml_dsa_types_SigningError; + +/** +A monomorphic instance of core.result.Result +with types libcrux_ml_dsa_types_MLDSASignature[[$3309size_t]], +libcrux_ml_dsa_types_SigningError + +*/ +typedef struct Result_2e_s { + Result_a9_tags tag; + union { + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature case_Ok; + libcrux_ml_dsa_types_SigningError case_Err; + } val; +} Result_2e; + +/** +A monomorphic instance of libcrux_ml_dsa.types.MLDSASigningKey +with const generics +- $4032size_t +*/ +typedef struct libcrux_ml_dsa_types_MLDSASigningKey_22_s { + uint8_t value[4032U]; +} libcrux_ml_dsa_types_MLDSASigningKey_22; + +/** + A reference to the raw byte array. +*/ +/** +This function found in impl {libcrux_ml_dsa::types::MLDSASigningKey} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.types.as_raw_9b +with const generics +- SIZE= 4032 +*/ +static inline uint8_t *libcrux_ml_dsa_types_as_raw_9b_09( + libcrux_ml_dsa_types_MLDSASigningKey_22 *self) { + return self->value; +} + +/** + Build +*/ +/** +This function found in impl +{libcrux_ml_dsa::types::MLDSAVerificationKey#2} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.types.new_66 +with const generics +- SIZE= 1952 +*/ +static inline libcrux_ml_dsa_types_MLDSAVerificationKey_ea +libcrux_ml_dsa_types_new_66_97(uint8_t value[1952U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[1952U]; + memcpy(copy_of_value, value, (size_t)1952U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSAVerificationKey_ea lit; + memcpy(lit.value, copy_of_value, (size_t)1952U * sizeof(uint8_t)); + return lit; +} + +/** + Build +*/ +/** +This function found in impl {libcrux_ml_dsa::types::MLDSASigningKey} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.types.new_9b +with const generics +- SIZE= 4032 +*/ +static inline libcrux_ml_dsa_types_MLDSASigningKey_22 +libcrux_ml_dsa_types_new_9b_09(uint8_t value[4032U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[4032U]; + memcpy(copy_of_value, value, (size_t)4032U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSASigningKey_22 lit; + memcpy(lit.value, copy_of_value, (size_t)4032U * sizeof(uint8_t)); + return lit; +} + +/** + Pad the `slice` with `0`s at the end. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.utils.into_padded_array +with const generics +- LEN= 66 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_20( + Eurydice_slice slice, uint8_t ret[66U]) { + uint8_t out[66U] = {0U}; + uint8_t *uu____0 = out; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); + memcpy(ret, out, (size_t)66U * sizeof(uint8_t)); +} + +/** + Pad the `slice` with `0`s at the end. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.utils.into_padded_array +with const generics +- LEN= 34 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_b6( + Eurydice_slice slice, uint8_t ret[34U]) { + uint8_t out[34U] = {0U}; + uint8_t *uu____0 = out; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); + memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); +} + +/** +A monomorphic instance of core.option.Option +with types Eurydice_slice int32_t + +*/ +typedef struct Option_93_s { + Option_08_tags tag; + Eurydice_slice f0; +} Option_93; + +/** +A monomorphic instance of core.option.Option +with types Eurydice_slice uint8_t + +*/ +typedef struct Option_1b_s { + Option_08_tags tag; + Eurydice_slice f0; +} Option_1b; + +/** +A monomorphic instance of core.result.Result +with types int32_t[8size_t], core_array_TryFromSliceError + +*/ +typedef struct Result_6c_s { + Result_a9_tags tag; + union { + int32_t case_Ok[8U]; + TryFromSliceError case_Err; + } val; +} Result_6c; + +/** +This function found in impl {core::result::Result[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of core.result.unwrap_26 +with types int32_t[8size_t], core_array_TryFromSliceError + +*/ +static inline void unwrap_26_55(Result_6c self, int32_t ret[8U]) { + if (self.tag == Ok) { + int32_t f0[8U]; + memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(int32_t)); + memcpy(ret, f0, (size_t)8U * sizeof(int32_t)); + } else { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "unwrap not Ok"); + KRML_HOST_EXIT(255U); + } +} + +/** +A monomorphic instance of core.option.Option +with types uint8_t* + +*/ +typedef struct Option_3f_s { + Option_08_tags tag; + uint8_t *f0; +} Option_3f; + +typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair_s { + libcrux_ml_dsa_types_MLDSASigningKey_22 signing_key; + libcrux_ml_dsa_types_MLDSAVerificationKey_ea verification_key; +} libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair; + +typedef struct Eurydice_slice_uint8_t_4size_t__x2_s { + Eurydice_slice fst[4U]; + Eurydice_slice snd[4U]; +} Eurydice_slice_uint8_t_4size_t__x2; + +/** +A monomorphic instance of core.result.Result +with types uint8_t[8size_t], core_array_TryFromSliceError + +*/ +typedef struct Result_15_s { + Result_a9_tags tag; + union { + uint8_t case_Ok[8U]; + TryFromSliceError case_Err; + } val; +} Result_15; + +/** +This function found in impl {core::result::Result[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of core.result.unwrap_26 +with types uint8_t[8size_t], core_array_TryFromSliceError + +*/ +static inline void unwrap_26_68(Result_15 self, uint8_t ret[8U]) { + if (self.tag == Ok) { + uint8_t f0[8U]; + memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(uint8_t)); + memcpy(ret, f0, (size_t)8U * sizeof(uint8_t)); + } else { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "unwrap not Ok"); + KRML_HOST_EXIT(255U); + } +} + +typedef struct Eurydice_slice_uint8_t_x2_s { + Eurydice_slice fst; + Eurydice_slice snd; +} Eurydice_slice_uint8_t_x2; + +typedef struct Eurydice_slice_uint8_t_1size_t__x2_s { + Eurydice_slice fst[1U]; + Eurydice_slice snd[1U]; +} Eurydice_slice_uint8_t_1size_t__x2; + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_core_H_DEFINED +#endif diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h new file mode 100644 index 000000000..6d3d3112f --- /dev/null +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -0,0 +1,5651 @@ +/* + * SPDX-FileCopyrightText: 2024 Cryspen Sarl + * + * SPDX-License-Identifier: MIT or Apache-2.0 + * + * This code was generated with the following revisions: + * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 + * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 + * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 + * F*: b0961063393215ca65927f017720cb365a193833-dirty + * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + */ + +#ifndef __libcrux_mldsa65_avx2_H +#define __libcrux_mldsa65_avx2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "eurydice_glue.h" +#include "intrinsics/libcrux_intrinsics_avx2.h" +#include "libcrux_core.h" +#include "libcrux_mldsa65_portable.h" +#include "libcrux_sha3_avx2.h" +#include "libcrux_sha3_portable.h" + +typedef libcrux_sha3_avx2_x4_incremental_KeccakState + libcrux_ml_dsa_hash_functions_simd256_Shake128x4; + +/** + Init the state and absorb 4 blocks in parallel. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState +libcrux_ml_dsa_hash_functions_simd256_init_absorb(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice input2, + Eurydice_slice input3) { + libcrux_sha3_generic_keccak_KeccakState_55 state = + libcrux_sha3_avx2_x4_incremental_init(); + libcrux_sha3_avx2_x4_incremental_shake128_absorb_final(&state, input0, input1, + input2, input3); + return state; +} + +typedef libcrux_sha3_portable_KeccakState + libcrux_ml_dsa_hash_functions_simd256_Shake256; + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_portable_KeccakState +libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_shake256( + Eurydice_slice input) { + libcrux_sha3_generic_keccak_KeccakState_17 state = + libcrux_sha3_portable_incremental_shake256_init(); + libcrux_sha3_portable_incremental_shake256_absorb_final(&state, input); + return state; +} + +typedef libcrux_sha3_avx2_x4_incremental_KeccakState + libcrux_ml_dsa_hash_functions_simd256_Shake256x4; + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState +libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice input2, + Eurydice_slice input3) { + libcrux_sha3_generic_keccak_KeccakState_55 state = + libcrux_sha3_avx2_x4_incremental_init(); + libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(&state, input0, input1, + input2, input3); + return state; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_shake256( + libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) { + uint8_t out[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_first_block( + state, Eurydice_array_to_slice((size_t)136U, out, uint8_t)); + memcpy(ret, out, (size_t)136U * sizeof(uint8_t)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE uint8_t_136size_t__x4 +libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4( + libcrux_sha3_avx2_x4_incremental_KeccakState *state) { + uint8_t out0[136U] = {0U}; + uint8_t out1[136U] = {0U}; + uint8_t out2[136U] = {0U}; + uint8_t out3[136U] = {0U}; + libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( + state, Eurydice_array_to_slice((size_t)136U, out0, uint8_t), + Eurydice_array_to_slice((size_t)136U, out1, uint8_t), + Eurydice_array_to_slice((size_t)136U, out2, uint8_t), + Eurydice_array_to_slice((size_t)136U, out3, uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[136U]; + memcpy(copy_of_out0, out0, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[136U]; + memcpy(copy_of_out1, out1, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[136U]; + memcpy(copy_of_out2, out2, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[136U]; + memcpy(copy_of_out3, out3, (size_t)136U * sizeof(uint8_t)); + uint8_t_136size_t__x4 lit; + memcpy(lit.fst, copy_of_out0, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_out1, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.thd, copy_of_out2, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.f3, copy_of_out3, (size_t)136U * sizeof(uint8_t)); + return lit; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_squeeze_first_five_blocks( + libcrux_sha3_avx2_x4_incremental_KeccakState *state, uint8_t *out0, + uint8_t *out1, uint8_t *out2, uint8_t *out3) { + libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( + state, Eurydice_array_to_slice((size_t)840U, out0, uint8_t), + Eurydice_array_to_slice((size_t)840U, out1, uint8_t), + Eurydice_array_to_slice((size_t)840U, out2, uint8_t), + Eurydice_array_to_slice((size_t)840U, out3, uint8_t)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE uint8_t_168size_t__x4 +libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block( + libcrux_sha3_avx2_x4_incremental_KeccakState *state) { + uint8_t out0[168U] = {0U}; + uint8_t out1[168U] = {0U}; + uint8_t out2[168U] = {0U}; + uint8_t out3[168U] = {0U}; + libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( + state, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t), + Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[168U]; + memcpy(copy_of_out0, out0, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[168U]; + memcpy(copy_of_out1, out1, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[168U]; + memcpy(copy_of_out2, out2, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[168U]; + memcpy(copy_of_out3, out3, (size_t)168U * sizeof(uint8_t)); + uint8_t_168size_t__x4 lit; + memcpy(lit.fst, copy_of_out0, (size_t)168U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_out1, (size_t)168U * sizeof(uint8_t)); + memcpy(lit.thd, copy_of_out2, (size_t)168U * sizeof(uint8_t)); + memcpy(lit.f3, copy_of_out3, (size_t)168U * sizeof(uint8_t)); + return lit; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_shake256( + libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) { + uint8_t out[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_next_block( + state, Eurydice_array_to_slice((size_t)136U, out, uint8_t)); + memcpy(ret, out, (size_t)136U * sizeof(uint8_t)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE uint8_t_136size_t__x4 +libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4( + libcrux_sha3_avx2_x4_incremental_KeccakState *state) { + uint8_t out0[136U] = {0U}; + uint8_t out1[136U] = {0U}; + uint8_t out2[136U] = {0U}; + uint8_t out3[136U] = {0U}; + libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( + state, Eurydice_array_to_slice((size_t)136U, out0, uint8_t), + Eurydice_array_to_slice((size_t)136U, out1, uint8_t), + Eurydice_array_to_slice((size_t)136U, out2, uint8_t), + Eurydice_array_to_slice((size_t)136U, out3, uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[136U]; + memcpy(copy_of_out0, out0, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[136U]; + memcpy(copy_of_out1, out1, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[136U]; + memcpy(copy_of_out2, out2, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[136U]; + memcpy(copy_of_out3, out3, (size_t)136U * sizeof(uint8_t)); + uint8_t_136size_t__x4 lit; + memcpy(lit.fst, copy_of_out0, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_out1, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.thd, copy_of_out2, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.f3, copy_of_out3, (size_t)136U * sizeof(uint8_t)); + return lit; +} + +/** + Init the state and absorb 4 blocks in parallel. +*/ +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4 +for libcrux_ml_dsa::hash_functions::simd256::Shake128x4)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState +libcrux_ml_dsa_hash_functions_simd256_init_absorb_7b(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice input2, + Eurydice_slice input3) { + return libcrux_ml_dsa_hash_functions_simd256_init_absorb(input0, input1, + input2, input3); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4 +for libcrux_ml_dsa::hash_functions::simd256::Shake128x4)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_squeeze_first_five_blocks_7b( + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t *out0, + uint8_t *out1, uint8_t *out2, uint8_t *out3) { + libcrux_ml_dsa_hash_functions_simd256_squeeze_first_five_blocks( + self, out0, out1, out2, out3); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4 +for libcrux_ml_dsa::hash_functions::simd256::Shake128x4)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE uint8_t_168size_t__x4 +libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_7b( + libcrux_sha3_avx2_x4_incremental_KeccakState *self) { + return libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block(self); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_portable_KeccakState +libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_d9( + Eurydice_slice input) { + return libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_shake256( + input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_d9( + libcrux_sha3_portable_KeccakState *self, uint8_t ret[136U]) { + libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_shake256(self, ret); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_d9( + libcrux_sha3_portable_KeccakState *self, uint8_t ret[136U]) { + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_shake256(self, ret); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState +libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4_fb(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice input2, + Eurydice_slice input3) { + return libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4(input0, input1, + input2, input3); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE uint8_t_136size_t__x4 +libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4_fb( + libcrux_sha3_avx2_x4_incremental_KeccakState *self) { + return libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4(self); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE uint8_t_136size_t__x4 +libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + libcrux_sha3_avx2_x4_incremental_KeccakState *self) { + return libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4(self); +} + +typedef __m256i libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit; + +KRML_ATTRIBUTE_TARGET("avx2") +static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_ZERO(void) { + return libcrux_intrinsics_avx2_mm256_setzero_si256(); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_ZERO_a2(void) { + return libcrux_ml_dsa_simd_avx2_vector_type_ZERO(); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline __m256i +libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( + Eurydice_slice coefficient_array) { + return libcrux_intrinsics_avx2_mm256_loadu_si256_i32(coefficient_array); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2( + Eurydice_slice coefficient_array) { + return libcrux_ml_dsa_simd_avx2_vector_type_from_coefficient_array( + coefficient_array); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array( + __m256i *x, int32_t ret[8U]) { + int32_t coefficient_array[8U] = {0U}; + libcrux_intrinsics_avx2_mm256_storeu_si256_i32( + Eurydice_array_to_slice((size_t)8U, coefficient_array, int32_t), x[0U]); + memcpy(ret, coefficient_array, (size_t)8U * sizeof(int32_t)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_to_coefficient_array_a2( + __m256i *self, int32_t ret[8U]) { + libcrux_ml_dsa_simd_avx2_vector_type_to_coefficient_array(self, ret); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_arithmetic_add(__m256i lhs, __m256i rhs) { + return libcrux_intrinsics_avx2_mm256_add_epi32(lhs, rhs); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_add_a2(__m256i *lhs, + __m256i *rhs) { + return libcrux_ml_dsa_simd_avx2_arithmetic_add(lhs[0U], rhs[0U]); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_arithmetic_subtract(__m256i lhs, __m256i rhs) { + return libcrux_intrinsics_avx2_mm256_sub_epi32(lhs, rhs); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_subtract_a2(__m256i *lhs, __m256i *rhs) { + return libcrux_ml_dsa_simd_avx2_arithmetic_subtract(lhs[0U], rhs[0U]); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(__m256i simd_unit, + int32_t bound) { + __m256i absolute_values = libcrux_intrinsics_avx2_mm256_abs_epi32(simd_unit); + __m256i bound0 = libcrux_intrinsics_avx2_mm256_set1_epi32(bound - (int32_t)1); + __m256i compare_with_bound = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32(absolute_values, bound0); + int32_t result = libcrux_intrinsics_avx2_mm256_testz_si256( + compare_with_bound, compare_with_bound); + bool uu____0; + if (result == (int32_t)1) { + uu____0 = false; + } else { + uu____0 = true; + } + return uu____0; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_a2( + __m256i simd_unit, int32_t bound) { + return libcrux_ml_dsa_simd_avx2_arithmetic_infinity_norm_exceeds(simd_unit, + bound); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline __m256i +libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(__m256i t) { + __m256i signs = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, t, __m256i); + __m256i conditional_add_field_modulus = + libcrux_intrinsics_avx2_mm256_and_si256( + signs, libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS)); + return libcrux_intrinsics_avx2_mm256_add_epi32(t, + conditional_add_field_modulus); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(__m256i lhs, + __m256i rhs) { + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i inverse_of_modulus_mod_montgomery_r = + libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t) + LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); + __m256i prod02 = libcrux_intrinsics_avx2_mm256_mul_epi32(lhs, rhs); + __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, lhs, __m256i), + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, rhs, __m256i)); + __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod02, inverse_of_modulus_mod_montgomery_r); + __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod13, inverse_of_modulus_mod_montgomery_r); + __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); + __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); + __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); + __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); + __m256i res02_shifted = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); + return libcrux_intrinsics_avx2_mm256_blend_epi32((int32_t)170, res02_shifted, + res13, __m256i); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_montgomery_multiply_a2(__m256i lhs, __m256i rhs) { + return libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply(lhs, rhs); +} + +typedef struct core_core_arch_x86___m256i_x2_s { + __m256i fst; + __m256i snd; +} core_core_arch_x86___m256i_x2; + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_arithmetic_power2round(__m256i r) { + __m256i r2 = + libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(r); + __m256i r1 = libcrux_intrinsics_avx2_mm256_add_epi32( + r2, libcrux_intrinsics_avx2_mm256_set1_epi32( + ((int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U)) - + (int32_t)1)); + __m256i r10 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)13, r1, __m256i); + __m256i r0 = + libcrux_intrinsics_avx2_mm256_slli_epi32((int32_t)13, r10, __m256i); + __m256i r00 = libcrux_intrinsics_avx2_mm256_sub_epi32(r2, r0); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = r00, .snd = r10}); +} + +typedef struct libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2_s { + __m256i fst; + __m256i snd; +} libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2; + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 +libcrux_ml_dsa_simd_avx2_power2round_a2(__m256i simd_unit) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_arithmetic_power2round(simd_unit); + __m256i lower = uu____0.fst; + __m256i upper = uu____0.snd; + return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2){ + .fst = lower, .snd = upper}); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK \ + (((int32_t)1 << 23U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( + Eurydice_slice serialized) { + uint8_t serialized_extended[32U] = {0U}; + Eurydice_slice uu____0 = Eurydice_array_to_subslice_to( + (size_t)32U, serialized_extended, (size_t)24U, uint8_t, size_t); + Eurydice_slice_copy(uu____0, serialized, uint8_t); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_array_to_slice((size_t)32U, serialized_extended, uint8_t)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)5, (int32_t)4, (int32_t)3, + (int32_t)0, (int32_t)2, (int32_t)1, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + coefficients0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, + (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, + (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, (int8_t)11, + (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, + (int8_t)-1, (int8_t)5, (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)2, + (int8_t)1, (int8_t)0)); + return libcrux_intrinsics_avx2_mm256_and_si256( + coefficients1, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_REJECTION_SAMPLE_LESS_THAN_FIELD_MODULUS_BYTESTREAM_TO_POTENTIAL_COEFFICIENTS_COEFFICIENT_MASK)); +} + +static const uint8_t + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE + [16U][16U] = {{255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, + 255U, 255U, 255U}, + {12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, + 255U, 255U, 255U}, + {8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, + 255U, 255U, 255U, 255U}, + {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, + 255U, 255U, 255U, 255U}, + {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, + 13U, 14U, 15U}}; + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( + Eurydice_slice input, Eurydice_slice output) { + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_bytestream_to_potential_coefficients( + input); + __m256i compare_with_field_modulus = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32(field_modulus, + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps(compare_with_field_modulus)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(potential_coefficients); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, potential_coefficients, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_sample( + randomness, out); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK \ + (((int32_t)1 << 3U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_2( + Eurydice_slice bytes) { + __m256i bytes_in_simd_unit = libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) + << 8U | + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) + << 8U | + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_srlv_epi32( + bytes_in_simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)5, (int32_t)2, (int32_t)7, (int32_t)4, + (int32_t)1, (int32_t)6, (int32_t)3, (int32_t)0)); + return libcrux_intrinsics_avx2_mm256_and_si256( + coefficients, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_2_COEFFICIENT_MASK)); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK \ + (((int32_t)1 << 4U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( + Eurydice_slice bytes) { + __m256i bytes_in_simd_unit = libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_srlv_epi32( + bytes_in_simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0, + (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0)); + return libcrux_intrinsics_avx2_mm256_and_si256( + coefficients, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_DESERIALIZE_TO_UNSIGNED_WHEN_ETA_IS_4_COEFFICIENT_MASK)); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.encoding.error.deserialize_to_unsigned with const +generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac( + Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_when_eta_is_4( + serialized); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with +const generics +- ETA= 2 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( + __m256i coefficients) { + __m256i uu____0; + __m256i quotient = libcrux_intrinsics_avx2_mm256_mullo_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)26)); + __m256i quotient0 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)7, quotient, __m256i); + __m256i quotient1 = libcrux_intrinsics_avx2_mm256_mullo_epi32( + quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)5)); + __m256i coefficients_mod_5 = + libcrux_intrinsics_avx2_mm256_sub_epi32(coefficients, quotient1); + uu____0 = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)2U), + coefficients_mod_5); + return uu____0; +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const +generics +- ETA= 2 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( + Eurydice_slice input, Eurydice_slice output) { + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input); + int32_t interval_boundary; + interval_boundary = (int32_t)15; + __m256i compare_with_interval_boundary = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps( + compare_with_interval_boundary)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + __m256i shifted = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_fd( + potential_coefficients); + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, shifted, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_fd( + randomness, out); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.shift_interval with +const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( + __m256i coefficients) { + return libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U), + coefficients); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.rejection_sample.less_than_eta.sample with const +generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( + Eurydice_slice input, Eurydice_slice output) { + __m256i potential_coefficients = + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac(input); + int32_t interval_boundary; + interval_boundary = (int32_t)9; + __m256i compare_with_interval_boundary = + libcrux_intrinsics_avx2_mm256_cmpgt_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32(interval_boundary), + potential_coefficients); + int32_t good = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps( + compare_with_interval_boundary)); + int32_t good_lower_half = good & (int32_t)15; + int32_t good_upper_half = good >> 4U; + __m256i shifted = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_shift_interval_ac( + potential_coefficients); + uint8_t lower_shuffles[16U]; + memcpy(lower_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_lower_half], + (size_t)16U * sizeof(uint8_t)); + __m128i lower_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); + __m128i lower_coefficients = + libcrux_intrinsics_avx2_mm256_castsi256_si128(shifted); + __m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + lower_coefficients, lower_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, (size_t)0U, (size_t)4U, int32_t), + lower_coefficients0); + size_t sampled_count = (size_t)core_num__i32_2__count_ones(good_lower_half); + uint8_t upper_shuffles[16U]; + memcpy(upper_shuffles, + libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_SHUFFLE_TABLE[( + size_t)good_upper_half], + (size_t)16U * sizeof(uint8_t)); + __m128i upper_shuffles0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); + __m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, shifted, __m128i); + __m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + upper_coefficients, upper_shuffles0); + libcrux_intrinsics_avx2_mm_storeu_si128_i32( + Eurydice_slice_subslice2(output, sampled_count, + sampled_count + (size_t)4U, int32_t), + upper_coefficients0); + size_t uu____0 = sampled_count; + return uu____0 + (size_t)core_num__i32_2__count_ones(good_upper_half); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_sample_ac( + randomness, out); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK \ + ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + << 1U) - \ + (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( + Eurydice_slice serialized) { + __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t)); + __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(serialized, (size_t)2U, (size_t)18U, uint8_t)); + __m256i serialized0 = libcrux_intrinsics_avx2_mm256_set_m128i( + serialized_upper, serialized_lower); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + serialized0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)-1, + (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)-1, (int8_t)11, + (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)7, + (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, (int8_t)6, + (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)4, (int8_t)3, (int8_t)2, + (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)0)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0, + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( + coefficients0, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_MASK)); + return libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1), + coefficients1); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK \ + ((LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + << 1U) - \ + (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( + Eurydice_slice serialized) { + __m128i serialized_lower = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t)); + __m128i serialized_upper = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(serialized, (size_t)4U, (size_t)20U, uint8_t)); + __m256i serialized0 = libcrux_intrinsics_avx2_mm256_set_m128i( + serialized_upper, serialized_lower); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + serialized0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)15, (int8_t)14, (int8_t)13, (int8_t)-1, + (int8_t)13, (int8_t)12, (int8_t)11, (int8_t)-1, (int8_t)10, (int8_t)9, + (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, + (int8_t)9, (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)7, (int8_t)6, + (int8_t)5, (int8_t)-1, (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)-1, + (int8_t)2, (int8_t)1, (int8_t)0)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0, + (int32_t)4, (int32_t)0, (int32_t)4, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( + coefficients0, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_MASK)); + return libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1), + coefficients1); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ + ((int32_t)2) + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(__m256i simd_unit) { + __m256i interval_end = libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U)); + return libcrux_intrinsics_avx2_mm256_sub_epi32(interval_end, simd_unit); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t0_serialize( + __m256i simd_unit, uint8_t ret[13U]) { + uint8_t serialized[16U] = {0U}; + __m256i simd_unit0 = + libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(simd_unit); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit0, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19, + (int32_t)0, (int32_t)19, (int32_t)0, (int32_t)19)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)19, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, + (int32_t)4, (int32_t)2, (int32_t)0)); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32( + adjacent_4_combined, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6, + (int32_t)0, (int32_t)6, (int32_t)0, (int32_t)6)); + __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)6, adjacent_4_combined0, __m256i); + __m256i second_4_combined = libcrux_intrinsics_avx2_mm256_bsrli_epi128( + (int32_t)8, adjacent_4_combined1, __m256i); + __m256i least_12_bits_shifted_up = libcrux_intrinsics_avx2_mm256_slli_epi64( + (int32_t)52, second_4_combined, __m256i); + __m256i bits_sequential = libcrux_intrinsics_avx2_mm256_add_epi64( + adjacent_4_combined1, least_12_bits_shifted_up); + __m256i bits_sequential0 = libcrux_intrinsics_avx2_mm256_srlv_epi64( + bits_sequential, libcrux_intrinsics_avx2_mm256_set_epi64x( + (int64_t)0, (int64_t)0, (int64_t)12, (int64_t)0)); + __m128i bits_sequential1 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(bits_sequential0); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), + bits_sequential1); + uint8_t ret0[13U]; + Result_b0 dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)13U, uint8_t), + Eurydice_slice, uint8_t[13U]); + unwrap_26_23(dst, ret0); + memcpy(ret, ret0, (size_t)13U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t0_serialize_a2( + __m256i simd_unit, uint8_t ret[13U]) { + libcrux_ml_dsa_simd_avx2_encoding_t0_serialize(simd_unit, ret); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK \ + (((int32_t)1 << 13U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(Eurydice_slice serialized) { + uint8_t serialized_extended[16U] = {0U}; + Eurydice_slice_copy( + Eurydice_array_to_subslice2(serialized_extended, (size_t)0U, (size_t)13U, + uint8_t), + serialized, uint8_t); + __m128i serialized0 = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, serialized_extended, uint8_t)); + __m256i serialized1 = + libcrux_intrinsics_avx2_mm256_set_m128i(serialized0, serialized0); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + serialized1, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)-1, + (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)-1, (int8_t)-1, (int8_t)9, + (int8_t)8, (int8_t)-1, (int8_t)8, (int8_t)7, (int8_t)6, (int8_t)-1, + (int8_t)6, (int8_t)5, (int8_t)4, (int8_t)-1, (int8_t)-1, (int8_t)4, + (int8_t)3, (int8_t)-1, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)-1, + (int8_t)-1, (int8_t)1, (int8_t)0)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)3, (int32_t)6, (int32_t)1, (int32_t)4, + (int32_t)7, (int32_t)2, (int32_t)5, (int32_t)0)); + __m256i coefficients1 = libcrux_intrinsics_avx2_mm256_and_si256( + coefficients0, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T0_DESERIALIZE_COEFFICIENT_MASK)); + return libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(coefficients1); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_t0_deserialize_a2(Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_avx2_encoding_t0_deserialize(serialized); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_encoding_t1_serialize( + __m256i simd_unit, uint8_t ret[10U]) { + uint8_t serialized[24U] = {0U}; + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)22, (int32_t)0, (int32_t)22, + (int32_t)0, (int32_t)22, (int32_t)0, (int32_t)22)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)22, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)6, (int32_t)4, (int32_t)0, + (int32_t)0, (int32_t)2, (int32_t)0)); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_sllv_epi32( + adjacent_4_combined, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12, (int32_t)0, + (int32_t)12, (int32_t)0, (int32_t)12)); + __m256i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)12, adjacent_4_combined0, __m256i); + __m128i lower_4 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined1); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + lower_4); + __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_4_combined1, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)5U, (size_t)21U, uint8_t), + upper_4); + uint8_t ret0[10U]; + Result_9d dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)10U, uint8_t), + Eurydice_slice, uint8_t[10U]); + unwrap_26_ce(dst, ret0); + memcpy(ret, ret0, (size_t)10U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_t1_serialize_a2( + __m256i simd_unit, uint8_t ret[10U]) { + libcrux_ml_dsa_simd_avx2_encoding_t1_serialize(simd_unit, ret); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK \ + (((int32_t)1 << 10U) - (int32_t)1) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(Eurydice_slice bytes) { + uint8_t bytes_extended[16U] = {0U}; + Eurydice_slice_copy(Eurydice_array_to_subslice2(bytes_extended, (size_t)0U, + (size_t)10U, uint8_t), + bytes, uint8_t); + __m128i bytes_loaded = libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, bytes_extended, uint8_t)); + __m256i bytes_loaded0 = + libcrux_intrinsics_avx2_mm256_set_m128i(bytes_loaded, bytes_loaded); + __m256i coefficients = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + bytes_loaded0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)-1, (int8_t)-1, + (int8_t)8, (int8_t)7, (int8_t)-1, (int8_t)-1, (int8_t)7, (int8_t)6, + (int8_t)-1, (int8_t)-1, (int8_t)6, (int8_t)5, (int8_t)-1, (int8_t)-1, + (int8_t)4, (int8_t)3, (int8_t)-1, (int8_t)-1, (int8_t)3, (int8_t)2, + (int8_t)-1, (int8_t)-1, (int8_t)2, (int8_t)1, (int8_t)-1, (int8_t)-1, + (int8_t)1, (int8_t)0)); + __m256i coefficients0 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + coefficients, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0, + (int32_t)6, (int32_t)4, (int32_t)2, (int32_t)0)); + return libcrux_intrinsics_avx2_mm256_and_si256( + coefficients0, + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_T1_DESERIALIZE_COEFFICIENT_MASK)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_t1_deserialize_a2(Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_avx2_encoding_t1_deserialize(serialized); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7 \ + ((size_t)2U * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + __m256i *re, size_t index, __m256i zeta, size_t step_by, + __m256i field_modulus, __m256i inverse_of_modulus_mod_montgomery_r) { + __m256i prod02 = + libcrux_intrinsics_avx2_mm256_mul_epi32(re[index + step_by], zeta); + __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, + re[index + step_by], __m256i), + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, zeta, __m256i)); + __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod02, inverse_of_modulus_mod_montgomery_r); + __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod13, inverse_of_modulus_mod_montgomery_r); + __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); + __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); + __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); + __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); + __m256i res02_shifted = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); + __m256i t = libcrux_intrinsics_avx2_mm256_blend_epi32( + (int32_t)170, res02_shifted, res13, __m256i); + re[index + step_by] = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[index], t); + re[index] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[index], t); +} + +#define LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6 \ + (((size_t)1U << 6U) / LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) + +/** + This is equivalent to the pqclean 0 and 1 + + This does 32 Montgomery multiplications (192 multiplications). + This is the same as in pqclean. The only difference is locality of registers. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6( + __m256i *re) { + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i inverse_of_modulus_mod_montgomery_r = + libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t) + LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); + __m256i zeta7 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)25847); + __m256i zeta60 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-2608894); + __m256i zeta61 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)-518909); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)8U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)1U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)2U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)0U + (size_t)3U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)1U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)2U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)16U + (size_t)3U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)1U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)2U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)12U + (size_t)3U, zeta7, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_7, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)1U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)2U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)4U + (size_t)3U, zeta60, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)1U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)2U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6_mul( + re, (size_t)20U + (size_t)3U, zeta61, + LIBCRUX_ML_DSA_SIMD_AVX2_NTT_NTT_AT_LAYER_7_AND_6_STEP_BY_6, + field_modulus, inverse_of_modulus_mod_montgomery_r); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 32 +- STEP_BY= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)32U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)4U; i++) { + size_t j = i; + __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + re[j + (size_t)4U], rhs); + re[j + (size_t)4U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 16 +- STEP_BY= 2 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)16U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)2U; i++) { + size_t j = i; + __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + re[j + (size_t)2U], rhs); + re[j + (size_t)2U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.ntt.ntt_at_layer_5_to_3.round +with const generics +- STEP= 8 +- STEP_BY= 1 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(__m256i *re, + size_t index, + int32_t zeta) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(zeta); + size_t offset = index * (size_t)8U * (size_t)2U / + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT; + for (size_t i = offset; i < offset + (size_t)1U; i++) { + size_t j = i; + __m256i t = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + re[j + (size_t)1U], rhs); + re[j + (size_t)1U] = libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j], t); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], t); + } +} + +/** + Layer 5, 4, 3 + + Each layer does 16 Montgomery multiplications -> 3*16 = 48 total + pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time + (48) +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)0U, + (int32_t)237124); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)1U, + (int32_t)-777960); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)2U, + (int32_t)-876248); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_f6(re, (size_t)3U, + (int32_t)466468); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)0U, + (int32_t)1826347); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)1U, + (int32_t)2353451); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)2U, + (int32_t)-359251); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)3U, + (int32_t)-2091905); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)4U, + (int32_t)3119733); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)5U, + (int32_t)-2884855); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)6U, + (int32_t)3111497); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_90(re, (size_t)7U, + (int32_t)2680103); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)0U, + (int32_t)2725464); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)1U, + (int32_t)1024112); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)2U, + (int32_t)-1079900); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)3U, + (int32_t)3585928); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)4U, + (int32_t)-549488); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)5U, + (int32_t)-1119584); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)6U, + (int32_t)2619752); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)7U, + (int32_t)-2108549); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)8U, + (int32_t)-2118186); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)9U, + (int32_t)-3859737); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)10U, + (int32_t)-1399561); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)11U, + (int32_t)-3277672); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)12U, + (int32_t)1757237); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)13U, + (int32_t)-19422); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)14U, + (int32_t)4010497); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3_round_7b(re, (size_t)15U, + (int32_t)280005); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_ntt_butterfly_8(__m256i a, __m256i b, int32_t zeta0, + int32_t zeta1) { + __m256i summands = libcrux_intrinsics_avx2_mm256_set_m128i( + libcrux_intrinsics_avx2_mm256_castsi256_si128(b), + libcrux_intrinsics_avx2_mm256_castsi256_si128(a)); + __m256i zeta_multiplicands = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)19, b, a, __m256i); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); + __m256i zeta_products = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + zeta_multiplicands, zetas); + __m256i add_terms = + libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products); + __m256i sub_terms = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products); + __m256i a_out = libcrux_intrinsics_avx2_mm256_set_m128i( + libcrux_intrinsics_avx2_mm256_castsi256_si128(sub_terms), + libcrux_intrinsics_avx2_mm256_castsi256_si128(add_terms)); + __m256i b_out = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)19, sub_terms, add_terms, __m256i); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_ntt_butterfly_8( + re[index], re[index + (size_t)1U], zeta_0, zeta_1); + __m256i a = uu____0.fst; + __m256i b = uu____0.snd; + re[index] = a; + re[index + (size_t)1U] = b; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)0U, (int32_t)2706023, (int32_t)95776); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)2U, (int32_t)3077325, (int32_t)3530437); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)4U, (int32_t)-1661693, (int32_t)-3592148); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)6U, (int32_t)-2537516, (int32_t)3915439); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)8U, (int32_t)-3861115, (int32_t)-3043716); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)10U, (int32_t)3574422, (int32_t)-2867647); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)12U, (int32_t)3539968, (int32_t)-300467); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)14U, (int32_t)2348700, (int32_t)-539299); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)16U, (int32_t)-1699267, (int32_t)-1643818); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)18U, (int32_t)3505694, (int32_t)-3821735); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)20U, (int32_t)3507263, (int32_t)-2140649); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)22U, (int32_t)-1600420, (int32_t)3699596); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)24U, (int32_t)811944, (int32_t)531354); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)26U, (int32_t)954230, (int32_t)3881043); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)28U, (int32_t)3900724, (int32_t)-2556880); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2_round( + re, (size_t)30U, (int32_t)2071892, (int32_t)-2797779); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_ntt_butterfly_4(__m256i a, __m256i b, int32_t zeta_a0, + int32_t zeta_a1, int32_t zeta_b0, + int32_t zeta_b1) { + __m256i summands = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b); + __m256i zeta_multiplicands = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta_b1, zeta_b1, zeta_a1, zeta_a1, zeta_b0, zeta_b0, zeta_a0, zeta_a0); + __m256i zeta_products = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + zeta_multiplicands, zetas); + __m256i add_terms = + libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products); + __m256i sub_terms = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products); + __m256i a_out = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); + __m256i b_out = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, + int32_t zeta_3) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_ntt_butterfly_4( + re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3); + __m256i a = uu____0.fst; + __m256i b = uu____0.snd; + re[index] = a; + re[index + (size_t)1U] = b; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703, (int32_t)-3677745, + (int32_t)-3041255); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950, (int32_t)2176455, + (int32_t)-1585221); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314, (int32_t)-4083598, + (int32_t)-1000202); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330, (int32_t)-3632928, + (int32_t)126922); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)3412210, (int32_t)-983419, (int32_t)2147896, + (int32_t)2715295); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493, (int32_t)-411027, + (int32_t)-2477047); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525, (int32_t)-22981, + (int32_t)-1308169); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)-381987, (int32_t)1349076, (int32_t)1852771, + (int32_t)-1430430); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-3343383, (int32_t)264944, (int32_t)508951, + (int32_t)3097992); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)44288, (int32_t)-1100098, (int32_t)904516, + (int32_t)3958618); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578, (int32_t)1653064, + (int32_t)-3249728); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2389356, (int32_t)-210977, (int32_t)759969, + (int32_t)-1316856); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)189548, (int32_t)-3553272, (int32_t)3159746, + (int32_t)-1851402); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440, (int32_t)1315589, + (int32_t)1341330); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928, (int32_t)-812732, + (int32_t)-1439742); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060, (int32_t)-3628969, + (int32_t)3839961); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_ntt_butterfly_2(__m256i a, __m256i b, int32_t zeta_a0, + int32_t zeta_a1, int32_t zeta_a2, + int32_t zeta_a3, int32_t zeta_b0, + int32_t zeta_b1, int32_t zeta_b2, + int32_t zeta_b3) { + __m256i a_shuffled = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, a, __m256i); + __m256i b_shuffled = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, b, __m256i); + __m256i summands = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled, b_shuffled); + __m256i zeta_multiplicands = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled, b_shuffled); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta_b3, zeta_b2, zeta_a3, zeta_a2, zeta_b1, zeta_b0, zeta_a1, zeta_a0); + __m256i zeta_products = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + zeta_multiplicands, zetas); + __m256i add_terms = + libcrux_ml_dsa_simd_avx2_arithmetic_add(summands, zeta_products); + __m256i sub_terms = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(summands, zeta_products); + __m256i a_terms_shuffled = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(add_terms, sub_terms); + __m256i b_terms_shuffled = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(add_terms, sub_terms); + __m256i a_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, a_terms_shuffled, __m256i); + __m256i b_out = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, b_terms_shuffled, __m256i); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a_out, .snd = b_out}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + __m256i *re, size_t index, int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, + int32_t zeta_3, int32_t zeta_4, int32_t zeta_5, int32_t zeta_6, + int32_t zeta_7) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_ntt_butterfly_2( + re[index], re[index + (size_t)1U], zeta_0, zeta_1, zeta_2, zeta_3, + zeta_4, zeta_5, zeta_6, zeta_7); + __m256i a = uu____0.fst; + __m256i b = uu____0.snd; + re[index] = a; + re[index + (size_t)1U] = b; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(__m256i *re) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, + (int32_t)3817976, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, + (int32_t)-3562462); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, + (int32_t)3513181, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, + (int32_t)-3193378); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, + (int32_t)819034, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, + (int32_t)-522500); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, + (int32_t)3207046, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, + (int32_t)-3595838); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, + (int32_t)4108315, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, + (int32_t)203044); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, + (int32_t)1265009, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, + (int32_t)1595974); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, + (int32_t)-3548272, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, + (int32_t)-1050970); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, + (int32_t)-1430225, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, + (int32_t)-1962642); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, + (int32_t)-1374803, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, + (int32_t)3406031); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, + (int32_t)-1846953, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, + (int32_t)-3776993); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, + (int32_t)-164721, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, + (int32_t)-1207385); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, + (int32_t)3014001, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, + (int32_t)-1799107); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, + (int32_t)269760, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, + (int32_t)472078); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, + (int32_t)1910376, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, + (int32_t)-3833893); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, + (int32_t)-2286327, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, + (int32_t)-3545687); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, + (int32_t)-1362209, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, + (int32_t)1976782); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_ntt(__m256i re[32U], + __m256i ret[32U]) { + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_7_and_6(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_5_to_3(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_avx2_ntt_ntt_at_layer_0(re); + memcpy(ret, re, (size_t)32U * sizeof(__m256i)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline __m256i libcrux_ml_dsa_simd_avx2_ntt_closure_a2(__m256i **state, + size_t i) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"unexpected / ill-typed projection\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_ntt_a2( + __m256i simd_units[32U], __m256i ret[32U]) { + __m256i re[32U]; + for (size_t i = (size_t)0U; i < (size_t)32U; i++) { + re[i] = libcrux_intrinsics_avx2_mm256_setzero_si256(); + } + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { + size_t i0 = i; + re[i0] = simd_units[i0]; + } + /* Passing arrays by value in Rust generates a copy in C */ + __m256i copy_of_re[32U]; + memcpy(copy_of_re, re, (size_t)32U * sizeof(__m256i)); + __m256i result[32U]; + libcrux_ml_dsa_simd_avx2_ntt_ntt(copy_of_re, result); + __m256i ret0[32U]; + for (size_t i = (size_t)0U; i < (size_t)32U; i++) { + ret0[i] = KRML_EABORT( + __m256i, + "Eurydice error: Failure(\"unexpected / ill-typed projection\")\n"); + } + memcpy(ret, ret0, (size_t)32U * sizeof(__m256i)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0( + __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01, + int32_t zeta02, int32_t zeta03, int32_t zeta10, int32_t zeta11, + int32_t zeta12, int32_t zeta13) { + __m256i a_shuffled0 = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, simd_unit0, __m256i); + __m256i b_shuffled0 = libcrux_intrinsics_avx2_mm256_shuffle_epi32( + (int32_t)216, simd_unit1, __m256i); + __m256i lo_values = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a_shuffled0, b_shuffled0); + __m256i hi_values = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a_shuffled0, b_shuffled0); + __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values); + __m256i differences = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta13, zeta12, zeta03, zeta02, zeta11, zeta10, zeta01, zeta00); + __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + differences, zetas); + __m256i a_shuffled = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, products); + __m256i b_shuffled = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, products); + __m256i a = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, + a_shuffled, __m256i); + __m256i b = libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)216, + b_shuffled, __m256i); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + __m256i *re, size_t index, int32_t zeta00, int32_t zeta01, int32_t zeta02, + int32_t zeta03, int32_t zeta10, int32_t zeta11, int32_t zeta12, + int32_t zeta13) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_0( + re[index], re[index + (size_t)1U], zeta00, zeta01, zeta02, zeta03, + zeta10, zeta11, zeta12, zeta13); + __m256i lhs0 = uu____0.fst; + __m256i lhs = uu____0.snd; + re[index] = lhs0; + re[index + (size_t)1U] = lhs; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424, + (int32_t)3937738, (int32_t)-1362209, (int32_t)-48306, (int32_t)3919660, + (int32_t)-554416); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)-3545687, (int32_t)1612842, (int32_t)-976891, + (int32_t)183443, (int32_t)-2286327, (int32_t)-420899, (int32_t)-2235985, + (int32_t)-2939036); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)-3833893, (int32_t)-260646, (int32_t)-1104333, + (int32_t)-1667432, (int32_t)1910376, (int32_t)-1803090, (int32_t)1723600, + (int32_t)-426683); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)472078, (int32_t)1717735, (int32_t)-975884, + (int32_t)2213111, (int32_t)269760, (int32_t)3866901, (int32_t)3523897, + (int32_t)-3038916); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)-1799107, (int32_t)-3694233, (int32_t)1652634, + (int32_t)810149, (int32_t)3014001, (int32_t)1616392, (int32_t)162844, + (int32_t)-3183426); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)-1207385, (int32_t)185531, (int32_t)3369112, + (int32_t)1957272, (int32_t)-164721, (int32_t)2454455, (int32_t)2432395, + (int32_t)-2013608); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3776993, (int32_t)594136, (int32_t)-3724270, + (int32_t)-2584293, (int32_t)-1846953, (int32_t)-1671176, + (int32_t)-2831860, (int32_t)-542412); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)3406031, (int32_t)2235880, (int32_t)777191, + (int32_t)1500165, (int32_t)-1374803, (int32_t)-2546312, (int32_t)1917081, + (int32_t)-1279661); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1962642, (int32_t)3306115, (int32_t)1312455, + (int32_t)-451100, (int32_t)-1430225, (int32_t)-3318210, (int32_t)1237275, + (int32_t)-1333058); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-1050970, (int32_t)1903435, (int32_t)1869119, + (int32_t)-2994039, (int32_t)-3548272, (int32_t)2635921, (int32_t)1250494, + (int32_t)-3767016); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)1595974, (int32_t)2486353, (int32_t)1247620, + (int32_t)4055324, (int32_t)1265009, (int32_t)-2590150, (int32_t)2691481, + (int32_t)2842341); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)203044, (int32_t)1735879, (int32_t)-3342277, + (int32_t)3437287, (int32_t)4108315, (int32_t)-2437823, (int32_t)286988, + (int32_t)342297); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3595838, (int32_t)-768622, (int32_t)-525098, + (int32_t)-3556995, (int32_t)3207046, (int32_t)2031748, (int32_t)-3122442, + (int32_t)-655327); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-522500, (int32_t)-43260, (int32_t)-1613174, + (int32_t)495491, (int32_t)819034, (int32_t)909542, (int32_t)1859098, + (int32_t)900702); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-3193378, (int32_t)-1197226, (int32_t)-3759364, + (int32_t)-3520352, (int32_t)3513181, (int32_t)-1235728, (int32_t)2434439, + (int32_t)266997); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-3562462, (int32_t)-2446433, (int32_t)2244091, + (int32_t)-3342478, (int32_t)3817976, (int32_t)2316500, (int32_t)3407706, + (int32_t)2091667); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( + __m256i simd_unit0, __m256i simd_unit1, int32_t zeta00, int32_t zeta01, + int32_t zeta10, int32_t zeta11) { + __m256i lo_values = + libcrux_intrinsics_avx2_mm256_unpacklo_epi64(simd_unit0, simd_unit1); + __m256i hi_values = + libcrux_intrinsics_avx2_mm256_unpackhi_epi64(simd_unit0, simd_unit1); + __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values); + __m256i differences = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta11, zeta11, zeta01, zeta01, zeta10, zeta10, zeta00, zeta00); + __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + differences, zetas); + __m256i a = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(sums, products); + __m256i b = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(sums, products); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + __m256i *re, size_t index, int32_t zeta_00, int32_t zeta_01, + int32_t zeta_10, int32_t zeta_11) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_1( + re[index], re[index + (size_t)1U], zeta_00, zeta_01, zeta_10, + zeta_11); + __m256i lhs0 = uu____0.fst; + __m256i lhs = uu____0.snd; + re[index] = lhs0; + re[index + (size_t)1U] = lhs; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969, (int32_t)-3881060, + (int32_t)-3019102); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1439742, (int32_t)-812732, (int32_t)-1584928, + (int32_t)1285669); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)1341330, (int32_t)1315589, (int32_t)-177440, + (int32_t)-2409325); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-1851402, (int32_t)3159746, (int32_t)-3553272, + (int32_t)189548); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)-1316856, (int32_t)759969, (int32_t)-210977, + (int32_t)2389356); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-3249728, (int32_t)1653064, (int32_t)-8578, + (int32_t)-3724342); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)3958618, (int32_t)904516, (int32_t)-1100098, + (int32_t)44288); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)3097992, (int32_t)508951, (int32_t)264944, + (int32_t)-3343383); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-1430430, (int32_t)1852771, (int32_t)1349076, + (int32_t)-381987); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)-1308169, (int32_t)-22981, (int32_t)-1228525, + (int32_t)-671102); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-2477047, (int32_t)-411027, (int32_t)-3693493, + (int32_t)-2967645); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2715295, (int32_t)2147896, (int32_t)-983419, + (int32_t)3412210); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)126922, (int32_t)-3632928, (int32_t)-3157330, + (int32_t)-3190144); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-1000202, (int32_t)-4083598, (int32_t)1939314, + (int32_t)-1257611); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)-1585221, (int32_t)2176455, (int32_t)3475950, + (int32_t)-1452451); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3041255, (int32_t)-3677745, (int32_t)-1528703, + (int32_t)-3930395); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2( + __m256i simd_unit0, __m256i simd_unit1, int32_t zeta0, int32_t zeta1) { + __m256i lo_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, simd_unit0, simd_unit1, __m256i); + __m256i hi_values = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, simd_unit0, simd_unit1, __m256i); + __m256i sums = libcrux_ml_dsa_simd_avx2_arithmetic_add(lo_values, hi_values); + __m256i differences = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(hi_values, lo_values); + __m256i zetas = libcrux_intrinsics_avx2_mm256_set_epi32( + zeta1, zeta1, zeta1, zeta1, zeta0, zeta0, zeta0, zeta0); + __m256i products = libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply( + differences, zetas); + __m256i a = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, sums, products, __m256i); + __m256i b = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, sums, products, __m256i); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = a, .snd = b}); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round(__m256i *re, + size_t index, + int32_t zeta1, + int32_t zeta2) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_invntt_simd_unit_invert_ntt_at_layer_2( + re[index], re[index + (size_t)1U], zeta1, zeta2); + __m256i lhs0 = uu____0.fst; + __m256i lhs = uu____0.snd; + re[index] = lhs0; + re[index + (size_t)1U] = lhs; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)0U, (int32_t)-2797779, (int32_t)2071892); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)2U, (int32_t)-2556880, (int32_t)3900724); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)4U, (int32_t)3881043, (int32_t)954230); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)6U, (int32_t)531354, (int32_t)811944); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)8U, (int32_t)3699596, (int32_t)-1600420); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)10U, (int32_t)-2140649, (int32_t)3507263); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)12U, (int32_t)-3821735, (int32_t)3505694); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)14U, (int32_t)-1643818, (int32_t)-1699267); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)16U, (int32_t)-539299, (int32_t)2348700); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)18U, (int32_t)-300467, (int32_t)3539968); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)20U, (int32_t)-2867647, (int32_t)3574422); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)22U, (int32_t)-3043716, (int32_t)-3861115); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)24U, (int32_t)3915439, (int32_t)-2537516); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)26U, (int32_t)-3592148, (int32_t)-1661693); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)28U, (int32_t)3530437, (int32_t)3077325); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2_round( + re, (size_t)30U, (int32_t)95776, (int32_t)2706023); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + __m256i lhs, int32_t constant) { + __m256i rhs = libcrux_intrinsics_avx2_mm256_set1_epi32(constant); + __m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + __m256i inverse_of_modulus_mod_montgomery_r = + libcrux_intrinsics_avx2_mm256_set1_epi32( + (int32_t) + LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R); + __m256i prod02 = libcrux_intrinsics_avx2_mm256_mul_epi32(lhs, rhs); + __m256i prod13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, lhs, __m256i), + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, rhs, __m256i)); + __m256i k02 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod02, inverse_of_modulus_mod_montgomery_r); + __m256i k13 = libcrux_intrinsics_avx2_mm256_mul_epi32( + prod13, inverse_of_modulus_mod_montgomery_r); + __m256i c02 = libcrux_intrinsics_avx2_mm256_mul_epi32(k02, field_modulus); + __m256i c13 = libcrux_intrinsics_avx2_mm256_mul_epi32(k13, field_modulus); + __m256i res02 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod02, c02); + __m256i res13 = libcrux_intrinsics_avx2_mm256_sub_epi32(prod13, c13); + __m256i res02_shifted = + libcrux_intrinsics_avx2_mm256_shuffle_epi32((int32_t)245, res02, __m256i); + return libcrux_intrinsics_avx2_mm256_blend_epi32((int32_t)170, res02_shifted, + res13, __m256i); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 1 +- ZETA= 280005 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)280005); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 2 +- STEP_BY= 1 +- ZETA= 4010497 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c( + __m256i *re) { + for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)4010497); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 1 +- ZETA= -19422 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b( + __m256i *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-19422); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 6 +- STEP_BY= 1 +- ZETA= 1757237 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44( + __m256i *re) { + for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1757237); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 1 +- ZETA= -3277672 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8( + __m256i *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-3277672); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 10 +- STEP_BY= 1 +- ZETA= -1399561 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f( + __m256i *re) { + for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1399561); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 1 +- ZETA= -3859737 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95( + __m256i *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-3859737); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 14 +- STEP_BY= 1 +- ZETA= -2118186 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b( + __m256i *re) { + for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2118186); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 1 +- ZETA= -2108549 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a( + __m256i *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2108549); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 18 +- STEP_BY= 1 +- ZETA= 2619752 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4( + __m256i *re) { + for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2619752); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 1 +- ZETA= -1119584 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de( + __m256i *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1119584); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 22 +- STEP_BY= 1 +- ZETA= -549488 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05( + __m256i *re) { + for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-549488); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 1 +- ZETA= 3585928 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9( + __m256i *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3585928); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 26 +- STEP_BY= 1 +- ZETA= -1079900 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a( + __m256i *re) { + for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1079900); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 1 +- ZETA= 1024112 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0( + __m256i *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1024112); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 30 +- STEP_BY= 1 +- ZETA= 2725464 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0( + __m256i *re) { + for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)1U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)1U]); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2725464); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_3( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_99(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1c(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_44(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a8(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_1f(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_95(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_e4(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_05(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d9(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3a(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b0(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a0(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 2 +- ZETA= 2680103 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2680103); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 2 +- ZETA= 3111497 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0( + __m256i *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3111497); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 2 +- ZETA= -2884855 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80( + __m256i *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2884855); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 2 +- ZETA= 3119733 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950( + __m256i *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3119733); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 2 +- ZETA= -2091905 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0( + __m256i *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2091905); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 2 +- ZETA= -359251 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0( + __m256i *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-359251); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 2 +- ZETA= 2353451 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90( + __m256i *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2353451); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 2 +- ZETA= 1826347 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1( + __m256i *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)2U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)2U]); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1826347); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_4( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_990(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_6b0(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a80(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_950(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a0(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_de0(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d90(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_3b1(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 4 +- ZETA= 466468 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)466468); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 4 +- ZETA= -876248 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81( + __m256i *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-876248); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 4 +- ZETA= -777960 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1( + __m256i *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-777960); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 4 +- ZETA= 237124 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91( + __m256i *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)4U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)4U]); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)237124); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_5( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_991(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_a81(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a1(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_d91(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 8 +- ZETA= -518909 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)8U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)8U]); + re[j + (size_t)8U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-518909); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 8 +- ZETA= -2608894 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2( + __m256i *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { + size_t j = i; + __m256i a_minus_b = + libcrux_ml_dsa_simd_avx2_arithmetic_subtract(re[j + (size_t)8U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)8U]); + re[j + (size_t)8U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2608894); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_6( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_992(re); + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_7a2(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 16 +- ZETA= 25847 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993( + __m256i *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { + size_t j = i; + __m256i a_minus_b = libcrux_ml_dsa_simd_avx2_arithmetic_subtract( + re[j + (size_t)16U], re[j]); + re[j] = libcrux_ml_dsa_simd_avx2_arithmetic_add(re[j], re[j + (size_t)16U]); + re[j + (size_t)16U] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)25847); + } +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7( + __m256i *re) { + libcrux_ml_dsa_simd_avx2_invntt_outer_3_plus_993(re); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(__m256i re[32U], + __m256i ret[32U]) { + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_0(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_3(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_4(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_5(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_6(re); + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_at_layer_7(re); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice((size_t)32U, re, __m256i), + __m256i); + i++) { + size_t i0 = i; + re[i0] = + libcrux_ml_dsa_simd_avx2_arithmetic_montgomery_multiply_by_constant( + re[i0], (int32_t)41978); + } + memcpy(ret, re, (size_t)32U * sizeof(__m256i)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline __m256i libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_closure_a2( + __m256i **state, size_t i) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"unexpected / ill-typed projection\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2( + __m256i simd_units[32U], __m256i ret[32U]) { + __m256i re[32U]; + for (size_t i = (size_t)0U; i < (size_t)32U; i++) { + re[i] = libcrux_intrinsics_avx2_mm256_setzero_si256(); + } + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { + size_t i0 = i; + re[i0] = simd_units[i0]; + } + /* Passing arrays by value in Rust generates a copy in C */ + __m256i copy_of_re[32U]; + memcpy(copy_of_re, re, (size_t)32U * sizeof(__m256i)); + __m256i result[32U]; + libcrux_ml_dsa_simd_avx2_invntt_invert_ntt_montgomery(copy_of_re, result); + __m256i ret0[32U]; + for (size_t i = (size_t)0U; i < (size_t)32U; i++) { + ret0[i] = KRML_EABORT( + __m256i, + "Eurydice error: Failure(\"unexpected / ill-typed projection\")\n"); + } + memcpy(ret, ret0, (size_t)32U * sizeof(__m256i)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.PolynomialRingElement +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit + +*/ +typedef struct libcrux_ml_dsa_polynomial_PolynomialRingElement_24_s { + __m256i simd_units[32U]; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_24; + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.ZERO_ff +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_polynomial_ZERO_ff_ea(void) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit; + lit.simd_units[0U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[1U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[2U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[3U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[4U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[5U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[6U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[7U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[8U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[9U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[10U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[11U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[12U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[13U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[14U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[15U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[16U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[17U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[18U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[19U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[20U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[21U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[22U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[23U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[24U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[25U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[26U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[27U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[28U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[29U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[30U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + lit.simd_units[31U] = libcrux_ml_dsa_simd_avx2_ZERO_a2(); + return lit; +} + +typedef struct + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4_s { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 thd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f3; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4; + +/** +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + core_slice_iter_Chunks iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + core_slice___Slice_T___chunks(randomness, (size_t)24U, uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, core_slice_iter_Chunks); + while (true) { + Option_1b uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &iter, uint8_t, Option_1b); + if (uu____0.tag == None) { + break; + } else { + Eurydice_slice random_bytes = uu____0.f0; + if (!done) { + Eurydice_slice uu____1 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2( + uu____1, Eurydice_array_to_subslice_from( + (size_t)263U, out, sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } + } + } + return done; +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.from_i32_array_ff +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_slice array) { + core_slice_iter_Chunks array_chunks = core_slice___Slice_T___chunks( + array, LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, int32_t, + core_slice_iter_Chunks); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result = + libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { + size_t i0 = i; + __m256i uu____0 = libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2( + core_option__core__option__Option_T__TraitClause_0___unwrap( + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &array_chunks, int32_t, Option_93), + Eurydice_slice, Eurydice_slice)); + result.simd_units[i0] = uu____0; + } + return result; +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_four_ring_elements +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 +libcrux_ml_dsa_sample_sample_four_ring_elements_ea(uint8_t seed0[34U], + uint16_t domain_separator0, + uint16_t domain_separator1, + uint16_t domain_seperator2, + uint16_t domain_separator3) { + seed0[32U] = (uint8_t)domain_separator0; + seed0[33U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); + uint8_t seed1[34U]; + memcpy(seed1, seed0, (size_t)34U * sizeof(uint8_t)); + seed1[32U] = (uint8_t)domain_separator1; + seed1[33U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); + uint8_t seed2[34U]; + memcpy(seed2, seed0, (size_t)34U * sizeof(uint8_t)); + seed2[32U] = (uint8_t)domain_seperator2; + seed2[33U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U); + uint8_t seed3[34U]; + memcpy(seed3, seed0, (size_t)34U * sizeof(uint8_t)); + seed3[32U] = (uint8_t)domain_separator3; + seed3[33U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); + libcrux_ml_dsa_hash_functions_portable_Shake128X4 state = + libcrux_ml_dsa_hash_functions_portable_init_absorb_ed( + Eurydice_array_to_slice((size_t)34U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed3, uint8_t)); + uint8_t randomness0[840U] = {0U}; + uint8_t randomness1[840U] = {0U}; + uint8_t randomness2[840U] = {0U}; + uint8_t randomness3[840U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed( + &state, randomness0, randomness1, randomness2, randomness3); + int32_t coefficients0[263U] = {0U}; + int32_t coefficients1[263U] = {0U}; + int32_t coefficients2[263U] = {0U}; + int32_t coefficients3[263U] = {0U}; + size_t sampled0 = (size_t)0U; + size_t sampled1 = (size_t)0U; + size_t sampled2 = (size_t)0U; + size_t sampled3 = (size_t)0U; + bool done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)840U, randomness0, uint8_t), + &sampled0, coefficients0); + bool done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)840U, randomness1, uint8_t), + &sampled1, coefficients1); + bool done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)840U, randomness2, uint8_t), + &sampled2, coefficients2); + bool done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)840U, randomness3, uint8_t), + &sampled3, coefficients3); + while (true) { + if (done0) { + if (done1) { + if (done2) { + if (done3) { + break; + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, coefficients0); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, coefficients1); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, coefficients2); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, coefficients3); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, coefficients0); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, coefficients1); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, coefficients2); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, coefficients3); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, coefficients0); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, coefficients1); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, coefficients2); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, coefficients3); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(&state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, coefficients0); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, coefficients1); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, coefficients2); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), + &sampled3, coefficients3); + } + } + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)263U, coefficients0, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)263U, coefficients1, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)263U, coefficients2, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + lit; + lit.fst = uu____0; + lit.snd = uu____1; + lit.thd = uu____2; + lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)263U, coefficients3, int32_t)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.update_matrix +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_samplex4_update_matrix_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*m)[5U], size_t i, + size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 v) { + m[i][j] = v; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_4_by_4 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_4_by_4_fe( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)0U, + four_ring_elements.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)1U, + four_ring_elements.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)2U, + four_ring_elements.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)3U, + four_ring_elements.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed0[34U]; + memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed0, + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)0U, + four_ring_elements0.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)1U, + four_ring_elements0.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)2U, + four_ring_elements0.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)3U, + four_ring_elements0.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed1[34U]; + memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed1, + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)0U, + four_ring_elements1.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)1U, + four_ring_elements1.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)2U, + four_ring_elements1.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)3U, + four_ring_elements1.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed2[34U]; + memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed2, + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)0U, + four_ring_elements2.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)1U, + four_ring_elements2.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)2U, + four_ring_elements2.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)3U, + four_ring_elements2.f3); + memcpy(ret, A, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_6_by_5 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_fe( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)0U, + four_ring_elements.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)1U, + four_ring_elements.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)2U, + four_ring_elements.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)3U, + four_ring_elements.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed0[34U]; + memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed0, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)4U, + four_ring_elements0.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)0U, + four_ring_elements0.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)1U, + four_ring_elements0.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)2U, + four_ring_elements0.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed1[34U]; + memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed1, + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)3U, + four_ring_elements1.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)4U, + four_ring_elements1.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)0U, + four_ring_elements1.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)1U, + four_ring_elements1.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed2[34U]; + memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed2, + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)2U, + four_ring_elements2.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)3U, + four_ring_elements2.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)4U, + four_ring_elements2.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)0U, + four_ring_elements2.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed3[34U]; + memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements3 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed3, + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 4U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)1U, + four_ring_elements3.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)2U, + four_ring_elements3.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)3U, + four_ring_elements3.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)4U, + four_ring_elements3.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed4[34U]; + memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements4 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed4, + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)0U, + four_ring_elements4.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)1U, + four_ring_elements4.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)2U, + four_ring_elements4.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)3U, + four_ring_elements4.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed5[34U]; + memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements5 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed5, + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 2U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)4U, + four_ring_elements5.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)0U, + four_ring_elements5.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)1U, + four_ring_elements5.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)2U, + four_ring_elements5.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed6[34U]; + memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements6 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed6, + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 6U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)3U, + four_ring_elements6.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)4U, + four_ring_elements6.snd); + memcpy(ret, A, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_8_by_7 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_8_by_7_fe( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)0U, + four_ring_elements.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)1U, + four_ring_elements.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)2U, + four_ring_elements.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)3U, + four_ring_elements.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed0[34U]; + memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed0, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)4U, + four_ring_elements0.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)5U, + four_ring_elements0.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)0U, (size_t)6U, + four_ring_elements0.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)0U, + four_ring_elements0.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed1[34U]; + memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed1, + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 4U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)1U, + four_ring_elements1.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)2U, + four_ring_elements1.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)3U, + four_ring_elements1.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)4U, + four_ring_elements1.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed2[34U]; + memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed2, + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)5U, + four_ring_elements2.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)1U, (size_t)6U, + four_ring_elements2.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)0U, + four_ring_elements2.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)1U, + four_ring_elements2.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed3[34U]; + memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements3 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed3, + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 5U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)2U, + four_ring_elements3.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)3U, + four_ring_elements3.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)4U, + four_ring_elements3.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)5U, + four_ring_elements3.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed4[34U]; + memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements4 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed4, + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)2U, (size_t)6U, + four_ring_elements4.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)0U, + four_ring_elements4.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)1U, + four_ring_elements4.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)2U, + four_ring_elements4.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed5[34U]; + memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements5 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed5, + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 6U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)3U, + four_ring_elements5.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)4U, + four_ring_elements5.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)5U, + four_ring_elements5.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)3U, (size_t)6U, + four_ring_elements5.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed6[34U]; + memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements6 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed6, + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)0U, + four_ring_elements6.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)1U, + four_ring_elements6.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)2U, + four_ring_elements6.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)3U, + four_ring_elements6.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed7[34U]; + memcpy(copy_of_seed7, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements7 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed7, + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 0U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)4U, + four_ring_elements7.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)5U, + four_ring_elements7.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)4U, (size_t)6U, + four_ring_elements7.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)0U, + four_ring_elements7.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed8[34U]; + memcpy(copy_of_seed8, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements8 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed8, + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 4U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)1U, + four_ring_elements8.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)2U, + four_ring_elements8.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)3U, + four_ring_elements8.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)4U, + four_ring_elements8.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed9[34U]; + memcpy(copy_of_seed9, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements9 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed9, + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 1U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)5U, + four_ring_elements9.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)5U, (size_t)6U, + four_ring_elements9.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)0U, + four_ring_elements9.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)1U, + four_ring_elements9.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed10[34U]; + memcpy(copy_of_seed10, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements10 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed10, + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 5U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)2U, + four_ring_elements10.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)3U, + four_ring_elements10.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)4U, + four_ring_elements10.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)5U, + four_ring_elements10.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed11[34U]; + memcpy(copy_of_seed11, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements11 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed11, + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 2U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)6U, (size_t)6U, + four_ring_elements11.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)0U, + four_ring_elements11.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)1U, + four_ring_elements11.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)2U, + four_ring_elements11.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed12[34U]; + memcpy(copy_of_seed12, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four_ring_elements12 = libcrux_ml_dsa_sample_sample_four_ring_elements_ea( + copy_of_seed12, + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 6U)); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)3U, + four_ring_elements12.fst); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)4U, + four_ring_elements12.snd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)5U, + four_ring_elements12.thd); + libcrux_ml_dsa_samplex4_update_matrix_fe(A, (size_t)7U, (size_t)6U, + four_ring_elements12.f3); + memcpy(ret, A, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_fe( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U][5U]) { + uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U}; + switch (uu____0.fst) { + case 4U: { + switch (uu____0.snd) { + case 4U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; + libcrux_ml_dsa_samplex4_matrix_A_4_by_4_fe(copy_of_seed, ret0); + memcpy( + ret, ret0, + (size_t)6U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); + return; + } + default: { + } + } + break; + } + case 6U: { + switch (uu____0.snd) { + case 5U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; + libcrux_ml_dsa_samplex4_matrix_A_6_by_5_fe(copy_of_seed, ret0); + memcpy( + ret, ret0, + (size_t)6U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); + return; + } + default: { + } + } + break; + } + case 8U: { + switch (uu____0.snd) { + case 7U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret0[6U][5U]; + libcrux_ml_dsa_samplex4_matrix_A_8_by_7_fe(copy_of_seed, ret0); + memcpy( + ret, ret0, + (size_t)6U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U])); + return; + } + default: { + } + } + break; + } + default: { + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of K. +with types libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t], +libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t] + +*/ +typedef struct tuple_ce0_s { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst[5U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U]; +} tuple_ce0; + +/** +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_ea( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + core_slice_iter_Chunks iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + core_slice___Slice_T___chunks(randomness, (size_t)4U, uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, core_slice_iter_Chunks); + while (true) { + Option_1b uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &iter, uint8_t, Option_1b); + if (uu____0.tag == None) { + break; + } else { + Eurydice_slice random_bytes = uu____0.f0; + if (!done) { + Eurydice_slice uu____1 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2( + uu____1, Eurydice_array_to_subslice_from( + (size_t)263U, out, sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } + } + } + return done; +} + +/** +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_4 with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ea( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + core_slice_iter_Chunks iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + core_slice___Slice_T___chunks(randomness, (size_t)4U, uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, core_slice_iter_Chunks); + while (true) { + Option_1b uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &iter, uint8_t, Option_1b); + if (uu____0.tag == None) { + break; + } else { + Eurydice_slice random_bytes = uu____0.f0; + if (!done) { + Eurydice_slice uu____1 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( + uu____1, Eurydice_array_to_subslice_from( + (size_t)263U, out, sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } + } + } + return done; +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_slice randomness, size_t *sampled, int32_t *out) { + return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ea( + randomness, sampled, out); +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_four_error_ring_elements +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + uint8_t seed_base[66U], uint16_t domain_separator0, + uint16_t domain_separator1, uint16_t domain_seperator2, + uint16_t domain_separator3) { + uint8_t seed0[66U]; + memcpy(seed0, seed_base, (size_t)66U * sizeof(uint8_t)); + seed0[64U] = (uint8_t)domain_separator0; + seed0[65U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); + uint8_t seed1[66U]; + memcpy(seed1, seed0, (size_t)66U * sizeof(uint8_t)); + seed1[64U] = (uint8_t)domain_separator1; + seed1[65U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); + uint8_t seed2[66U]; + memcpy(seed2, seed0, (size_t)66U * sizeof(uint8_t)); + seed2[64U] = (uint8_t)domain_seperator2; + seed2[65U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U); + uint8_t seed3[66U]; + memcpy(seed3, seed0, (size_t)66U * sizeof(uint8_t)); + seed3[64U] = (uint8_t)domain_separator3; + seed3[65U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); + libcrux_sha3_avx2_x4_incremental_KeccakState state = + libcrux_ml_dsa_hash_functions_simd256_init_absorb_x4_fb( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t)); + uint8_t_136size_t__x4 randomnesses0 = + libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_x4_fb(&state); + int32_t out0[263U] = {0U}; + int32_t out1[263U] = {0U}; + int32_t out2[263U] = {0U}; + int32_t out3[263U] = {0U}; + size_t sampled0 = (size_t)0U; + size_t sampled1 = (size_t)0U; + size_t sampled2 = (size_t)0U; + size_t sampled3 = (size_t)0U; + bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses0.fst, uint8_t), + &sampled0, out0); + bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses0.snd, uint8_t), + &sampled1, out1); + bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses0.thd, uint8_t), + &sampled2, out2); + bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses0.f3, uint8_t), + &sampled3, out3); + while (true) { + if (done0) { + if (done1) { + if (done2) { + if (done3) { + break; + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, + uint8_t), + &sampled0, out0); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, + uint8_t), + &sampled1, out1); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, + uint8_t), + &sampled2, out2); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, + uint8_t), + &sampled3, out3); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, + uint8_t), + &sampled0, out0); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, + uint8_t), + &sampled1, out1); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, + uint8_t), + &sampled2, out2); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out3); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), + &sampled0, out0); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), + &sampled1, out1); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), + &sampled2, out2); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out3); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_x4_fb( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), + &sampled0, out0); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), + &sampled1, out1); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), + &sampled2, out2); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_4d( + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out3); + } + } + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)263U, out0, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)263U, out1, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)263U, out2, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + lit; + lit.fst = uu____0; + lit.snd = uu____1; + lit.thd = uu____2; + lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)263U, out3, int32_t)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_4_by_4 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ETA= 4 +- S1_DIMENSION= 5 +- S2_DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_ce0 +libcrux_ml_dsa_samplex4_sample_s1_and_s2_4_by_4_4d(uint8_t seed_base[66U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base[66U]; + memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base, 0U, 1U, 2U, 3U); + s1[0U] = four.fst; + s1[1U] = four.snd; + s1[2U] = four.thd; + s1[3U] = four.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base0[66U]; + memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base0, 4U, 5U, 6U, 7U); + s2[0U] = four0.fst; + s2[1U] = four0.snd; + s2[2U] = four0.thd; + s2[3U] = four0.f3; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U]; + memcpy( + copy_of_s2, s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + tuple_ce0 lit; + memcpy( + lit.fst, copy_of_s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy( + lit.snd, copy_of_s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_5_by_6 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ETA= 4 +- S1_DIMENSION= 5 +- S2_DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_ce0 +libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_4d(uint8_t seed_base[66U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base[66U]; + memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base, 0U, 1U, 2U, 3U); + s1[0U] = four.fst; + s1[1U] = four.snd; + s1[2U] = four.thd; + s1[3U] = four.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base0[66U]; + memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base0, 4U, 5U, 6U, 7U); + s1[4U] = four0.fst; + s2[0U] = four0.snd; + s2[1U] = four0.thd; + s2[2U] = four0.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base1[66U]; + memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base1, 8U, 9U, 10U, 11U); + s2[3U] = four1.fst; + s2[4U] = four1.snd; + s2[5U] = four1.thd; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U]; + memcpy( + copy_of_s2, s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + tuple_ce0 lit; + memcpy( + lit.fst, copy_of_s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy( + lit.snd, copy_of_s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_7_by_8 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ETA= 4 +- S1_DIMENSION= 5 +- S2_DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_ce0 +libcrux_ml_dsa_samplex4_sample_s1_and_s2_7_by_8_4d(uint8_t seed_base[66U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base[66U]; + memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base, 0U, 1U, 2U, 3U); + s1[0U] = four.fst; + s1[1U] = four.snd; + s1[2U] = four.thd; + s1[3U] = four.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base0[66U]; + memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base0, 4U, 5U, 6U, 7U); + s1[4U] = four0.fst; + s1[5U] = four0.snd; + s1[6U] = four0.thd; + s2[0U] = four0.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base1[66U]; + memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base1, 8U, 9U, 10U, 11U); + s2[1U] = four1.fst; + s2[2U] = four1.snd; + s2[3U] = four1.thd; + s2[4U] = four1.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base2[66U]; + memcpy(copy_of_seed_base2, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 + four2 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( + copy_of_seed_base2, 12U, 13U, 14U, 15U); + s2[5U] = four2.fst; + s2[6U] = four2.snd; + s2[7U] = four2.thd; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U]; + memcpy( + copy_of_s2, s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + tuple_ce0 lit; + memcpy( + lit.fst, copy_of_s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy( + lit.snd, copy_of_s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ETA= 4 +- S1_DIMENSION= 5 +- S2_DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_ce0 +libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(uint8_t seed[66U]) { + uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)5U, .snd = (uint8_t)(size_t)6U}; + switch (uu____0.fst) { + case 4U: { + switch (uu____0.snd) { + case 4U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[66U]; + memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); + return libcrux_ml_dsa_samplex4_sample_s1_and_s2_4_by_4_4d( + copy_of_seed); + } + default: { + } + } + break; + } + case 5U: { + switch (uu____0.snd) { + case 6U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[66U]; + memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); + return libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_4d( + copy_of_seed); + } + default: { + } + } + break; + } + case 7U: { + switch (uu____0.snd) { + case 8U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[66U]; + memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); + return libcrux_ml_dsa_samplex4_sample_s1_and_s2_7_by_8_4d( + copy_of_seed); + } + default: { + } + } + break; + } + default: { + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Compute InvertNTT(Â ◦ ŝ₁) + s₂ +*/ +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "@Array[" + "TraitClause@0, TraitClause@1], " + "C@1>>[core::marker::Sized<@Array[TraitClause@0, TraitClause@1], C@1>>] " + "enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +typedef struct + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2_s { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 fst[6U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U]; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2; + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.power2round_vector +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 + libcrux_ml_dsa_arithmetic_power2round_vector_a3( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, " + "TraitClause@1]>[core::marker::Sized[TraitClause@0, TraitClause@1]>] " + "enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.verification_key.generate_serialized with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics +- ROWS_IN_A= 6 +- VERIFICATION_KEY_SIZE= 1952 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_verification_key_generate_serialized_fe( + Eurydice_slice seed_for_A, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U], + uint8_t ret[1952U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, " + "TraitClause@1]>[core::marker::Sized[TraitClause@0, TraitClause@1]>] " + "enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256 +with const generics +- OUTPUT_LENGTH= 64 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_simd256_shake256_24( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)64U, out, uint8_t), input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_d9 +with const generics +- OUTPUT_LENGTH= 64 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_simd256_shake256_24(input, out); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ETA= 4 +- OUTPUT_SIZE= 128 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_a8( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, uint8_t ret[128U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "T@0>[TraitClause@0] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t0.serialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, uint8_t ret[416U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "T@0>[TraitClause@0] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.signing_key.generate_serialized with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( + Eurydice_slice seed_for_A, Eurydice_slice seed_for_signing, + Eurydice_slice verification_key, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U], + uint8_t ret[4032U]) { + uint8_t signing_key_serialized[4032U] = {0U}; + size_t offset = (size_t)0U; + Eurydice_slice_copy( + Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), + seed_for_A, uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE; + Eurydice_slice_copy( + Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, uint8_t), + seed_for_signing, uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE; + uint8_t verification_key_hash[64U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(verification_key, + verification_key_hash); + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, + uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t), + uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t _cloop_i = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &s1[_cloop_i]; + Eurydice_slice uu____1 = Eurydice_array_to_subslice2( + signing_key_serialized, offset, offset + (size_t)128U, uint8_t); + uint8_t ret0[128U]; + libcrux_ml_dsa_encoding_error_serialize_a8(ring_element[0U], ret0); + Eurydice_slice_copy( + uu____1, Eurydice_array_to_slice((size_t)128U, ret0, uint8_t), uint8_t); + offset = offset + (size_t)128U; + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t _cloop_i = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &s2[_cloop_i]; + Eurydice_slice uu____2 = Eurydice_array_to_subslice2( + signing_key_serialized, offset, offset + (size_t)128U, uint8_t); + uint8_t ret0[128U]; + libcrux_ml_dsa_encoding_error_serialize_a8(ring_element[0U], ret0); + Eurydice_slice_copy( + uu____2, Eurydice_array_to_slice((size_t)128U, ret0, uint8_t), uint8_t); + offset = offset + (size_t)128U; + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t _cloop_i = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &t0[_cloop_i]; + Eurydice_slice uu____3 = Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, uint8_t); + uint8_t ret0[416U]; + libcrux_ml_dsa_encoding_t0_serialize_ea(ring_element[0U], ret0); + Eurydice_slice_copy( + uu____3, Eurydice_array_to_slice((size_t)416U, ret0, uint8_t), uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; + } + memcpy(ret, signing_key_serialized, (size_t)4032U * sizeof(uint8_t)); +} + +/** + Generate a key pair. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.generate_key_pair +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +- VERIFICATION_KEY_SIZE= 1952 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_a0 +libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_bc(uint8_t randomness[32U]) { + uint8_t seed_expanded0[128U] = {0U}; + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); + uint8_t buf[2U] = {(uint8_t)(size_t)6U, (uint8_t)(size_t)5U}; + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake, Eurydice_array_to_slice((size_t)2U, buf, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t)); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_a = uu____0.fst; + Eurydice_slice seed_expanded = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + seed_expanded, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_ERROR_VECTORS_SIZE, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_error_vectors = uu____1.fst; + Eurydice_slice seed_for_signing = uu____1.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 a_as_ntt[6U][5U]; + uint8_t ret[34U]; + libcrux_ml_dsa_utils_into_padded_array_b6(seed_for_a, ret); + libcrux_ml_dsa_samplex4_matrix_A_fe(ret, a_as_ntt); + uint8_t ret0[66U]; + libcrux_ml_dsa_utils_into_padded_array_20(seed_for_error_vectors, ret0); + tuple_ce0 uu____2 = libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(ret0); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U]; + memcpy( + s1, uu____2.fst, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U]; + memcpy( + s2, uu____2.snd, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]; + libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe(a_as_ntt, s1, s2, t); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t[6U]; + memcpy( + copy_of_t, t, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 + uu____4 = libcrux_ml_dsa_arithmetic_power2round_vector_a3(copy_of_t); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U]; + memcpy( + t0, uu____4.fst, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; + memcpy( + t1, uu____4.snd, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + Eurydice_slice uu____5 = seed_for_a; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; + memcpy( + copy_of_t1, t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + uint8_t verification_key_serialized[1952U]; + libcrux_ml_dsa_encoding_verification_key_generate_serialized_fe( + uu____5, copy_of_t1, verification_key_serialized); + Eurydice_slice uu____7 = seed_for_a; + Eurydice_slice uu____8 = seed_for_signing; + Eurydice_slice uu____9 = Eurydice_array_to_slice( + (size_t)1952U, verification_key_serialized, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U]; + memcpy( + copy_of_s2, s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0[6U]; + memcpy( + copy_of_t0, t0, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + uint8_t signing_key_serialized[4032U]; + libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( + uu____7, uu____8, uu____9, copy_of_s1, copy_of_s2, copy_of_t0, + signing_key_serialized); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signing_key_serialized[4032U]; + memcpy(copy_of_signing_key_serialized, signing_key_serialized, + (size_t)4032U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_verification_key_serialized[1952U]; + memcpy(copy_of_verification_key_serialized, verification_key_serialized, + (size_t)1952U * sizeof(uint8_t)); + tuple_a0 lit; + memcpy(lit.fst, copy_of_signing_key_serialized, + (size_t)4032U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_verification_key_serialized, + (size_t)1952U * sizeof(uint8_t)); + return lit; +} + +/** + Generate key pair. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.generate_key_pair +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +- VERIFICATION_KEY_SIZE= 1952 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline tuple_a0 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_52( + uint8_t randomness[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_bc(copy_of_randomness); +} + +/** + Generate key pair. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.generate_key_pair with const +generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +- VERIFICATION_KEY_SIZE= 1952 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline tuple_a0 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_52( + uint8_t randomness[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_generate_key_pair_52( + copy_of_randomness); +} + +/** + Generate an ML-DSA-65 Key Pair +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair +libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + tuple_a0 uu____1 = + libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_generate_key_pair_52( + copy_of_randomness); + uint8_t signing_key[4032U]; + memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); + uint8_t verification_key[1952U]; + memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signing_key[4032U]; + memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 = + libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_verification_key[1952U]; + memcpy(copy_of_verification_key, verification_key, + (size_t)1952U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit; + lit.signing_key = uu____3; + lit.verification_key = + libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); + return lit; +} + +/** + The internal signing API. + + If no `domain_separation_context` is supplied, it is assumed that + `message` already contains the domain separation. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( + uint8_t *signing_key, Eurydice_slice message, + Option_84 domain_separation_context, uint8_t randomness[32U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes " + "core::result::{core::ops::try_trait::Try for core::result::Result[TraitClause@0, TraitClause@1]}#26[TraitClause@0, " + "TraitClause@1]::Residual\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_ea( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( + context, (CLITERAL(Option_3f){.tag = None})); + Result_2e uu____1; + if (uu____0.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + uu____0.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = + domain_separation_context; + uint8_t *uu____2 = signing_key; + Eurydice_slice uu____3 = message; + Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context0}; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( + uu____2, uu____3, uu____4, copy_of_randomness); + } else { + uu____1 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); + } + return uu____1; +} + +/** + Sign. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign with const +generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_sign_ea(uu____0, uu____1, uu____2, + copy_of_randomness); +} + +/** + Sign. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** + Generate an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4, +libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics +- PH_DIGEST_LEN= 256 +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_6e(uint8_t *signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U]) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"expression_of_operand Constant: " + "TraitClause@13OID\")\n"); + KRML_HOST_EXIT(255U); +} + +/** + Sign (pre-hashed). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.sign_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_6e( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** + Sign (pre-hashed). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.sign_pre_hashed_shake128 with +const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_sign_pre_hashed_shake128_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** + Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_sign_pre_hashed_shake128_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** + The internal verification API. + + If no `domain_separation_context` is supplied, it is assumed that + `message` already contains the domain separation. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( + uint8_t *verification_key_serialized, Eurydice_slice message, + Option_84 domain_separation_context, uint8_t *signature_serialized) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes " + "core::result::{core::ops::try_trait::Try for core::result::Result[TraitClause@0, TraitClause@1]}#26[TraitClause@0, " + "TraitClause@1]::Residual\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_d1( + uint8_t *verification_key_serialized, Eurydice_slice message, + Eurydice_slice context, uint8_t *signature_serialized) { + Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( + context, (CLITERAL(Option_3f){.tag = None})); + Result_41 uu____1; + if (uu____0.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + uu____0.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = + domain_separation_context; + uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( + verification_key_serialized, message, + (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context0}), + signature_serialized); + } else { + uu____1 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError}); + } + return uu____1; +} + +/** + Verify. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify with const +generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_verify_d1(verification_key, message, + context, signature); +} + +/** + Verify. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_01( + verification_key, message, context, signature); +} + +/** + Verify an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 libcrux_ml_dsa_ml_dsa_65_avx2_verify( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, + Eurydice_slice message, Eurydice_slice context, + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_01( + libcrux_ml_dsa_types_as_raw_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_raw_8f_fa(signature)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_pre_hashed +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics +- PH_DIGEST_LEN= 256 +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_07( + uint8_t *verification_key_serialized, Eurydice_slice message, + Eurydice_slice context, uint8_t *signature_serialized) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"expression_of_operand Constant: " + "TraitClause@11OID\")\n"); + KRML_HOST_EXIT(255U); +} + +/** + Verify (pre-hashed with SHAKE-128). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.avx2_feature.verify_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_07( + verification_key, message, context, signature); +} + +/** + Verify (pre-hashed with SHAKE-128). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.avx2.verify_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_avx2_feature_verify_pre_hashed_shake128_01( + verification_key, message, context, signature); +} + +/** + Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline Result_41 +libcrux_ml_dsa_ml_dsa_65_avx2_verify_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, + Eurydice_slice message, Eurydice_slice context, + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2_verify_pre_hashed_shake128_01( + libcrux_ml_dsa_types_as_raw_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_raw_8f_fa(signature)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline bool +libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_is_bit_set( + size_t number, uint8_t bit_position) { + return (number & (size_t)1U << (uint32_t)bit_position) >> + (uint32_t)bit_position == + (size_t)1U; +} + +KRML_ATTRIBUTE_TARGET("avx2") +static inline void +libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_generate_shuffle_table( + uint8_t ret[16U][16U]) { + uint8_t byte_shuffles[16U][16U] = { + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}, + {255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, + 255U, 255U, 255U, 255U}}; + for (size_t i0 = (size_t)0U; i0 < (size_t)1U << 4U; i0++) { + size_t bit_pattern = i0; + size_t byte_shuffles_index = (size_t)0U; + for (uint8_t i = 0U; i < 4U; i = (uint32_t)i + 1U) { + uint8_t bit_position = i; + if (libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table_is_bit_set( + bit_pattern, bit_position)) { + byte_shuffles[bit_pattern][byte_shuffles_index] = + (uint32_t)bit_position * 4U; + byte_shuffles_index++; + byte_shuffles[bit_pattern][byte_shuffles_index] = + (uint32_t)bit_position * 4U + 1U; + byte_shuffles_index++; + byte_shuffles[bit_pattern][byte_shuffles_index] = + (uint32_t)bit_position * 4U + 2U; + byte_shuffles_index++; + byte_shuffles[bit_pattern][byte_shuffles_index] = + (uint32_t)bit_position * 4U + 3U; + byte_shuffles_index++; + } + } + } + memcpy(ret, byte_shuffles, (size_t)16U * sizeof(uint8_t[16U])); +} + +/** +This function found in impl {(core::clone::Clone for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)#1} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_clone_0f( + __m256i *self) { + return self[0U]; +} + +/** +This function found in impl {(core::convert::From +for libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline __m256i libcrux_ml_dsa_simd_avx2_vector_type_from_af( + __m256i coefficients) { + return coefficients; +} + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_mldsa65_avx2_H_DEFINED +#endif diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h new file mode 100644 index 000000000..3bbbfd2e9 --- /dev/null +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -0,0 +1,6276 @@ +/* + * SPDX-FileCopyrightText: 2024 Cryspen Sarl + * + * SPDX-License-Identifier: MIT or Apache-2.0 + * + * This code was generated with the following revisions: + * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 + * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 + * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 + * F*: b0961063393215ca65927f017720cb365a193833-dirty + * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + */ + +#ifndef __libcrux_mldsa65_portable_H +#define __libcrux_mldsa65_portable_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "eurydice_glue.h" +#include "libcrux_core.h" +#include "libcrux_sha3_portable.h" + +#define LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT ((size_t)8U) + +#define LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) + +#define LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT \ + (LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \ + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT) + +#define LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T ((size_t)13U) + +#define LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH \ + ((size_t)23U) + +#define LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T \ + (LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - \ + LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) + +#define LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH ((size_t)64U) + +#define LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN ((size_t)255U) + +#define LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS ((int32_t)8380417) + +#define LIBCRUX_ML_DSA_CONSTANTS_KEY_GENERATION_RANDOMNESS_SIZE ((size_t)32U) + +#define LIBCRUX_ML_DSA_CONSTANTS_MASK_SEED_SIZE ((size_t)64U) + +#define LIBCRUX_ML_DSA_CONSTANTS_MESSAGE_REPRESENTATIVE_SIZE ((size_t)64U) + +#define LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN ((size_t)814U) + +#define LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE \ + (LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T * \ + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE \ + (LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T * \ + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE ((size_t)32U) + +#define LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_ERROR_VECTORS_SIZE ((size_t)64U) + +#define LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE ((size_t)32U) + +#define LIBCRUX_ML_DSA_CONSTANTS_SIGNING_RANDOMNESS_SIZE ((size_t)32U) + +#define LIBCRUX_ML_DSA_ENCODING_COMMITMENT_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ + ((size_t)6U) + +#define LIBCRUX_ML_DSA_ENCODING_ERROR_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ + ((size_t)4U) + +#define LIBCRUX_ML_DSA_ENCODING_GAMMA1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ + ((size_t)20U) + +#define LIBCRUX_ML_DSA_ENCODING_T0_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ + ((size_t)13U) + +#define LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ + ((size_t)10U) + +typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128X4_s { + libcrux_sha3_generic_keccak_KeccakState_17 state0; + libcrux_sha3_generic_keccak_KeccakState_17 state1; + libcrux_sha3_generic_keccak_KeccakState_17 state2; + libcrux_sha3_generic_keccak_KeccakState_17 state3; +} libcrux_ml_dsa_hash_functions_portable_Shake128X4; + +static KRML_MUSTINLINE libcrux_ml_dsa_hash_functions_portable_Shake128X4 +libcrux_ml_dsa_hash_functions_portable_init_absorb(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice input2, + Eurydice_slice input3) { + libcrux_sha3_generic_keccak_KeccakState_17 state0 = + libcrux_sha3_portable_incremental_shake128_init(); + libcrux_sha3_portable_incremental_shake128_absorb_final(&state0, input0); + libcrux_sha3_generic_keccak_KeccakState_17 state1 = + libcrux_sha3_portable_incremental_shake128_init(); + libcrux_sha3_portable_incremental_shake128_absorb_final(&state1, input1); + libcrux_sha3_generic_keccak_KeccakState_17 state2 = + libcrux_sha3_portable_incremental_shake128_init(); + libcrux_sha3_portable_incremental_shake128_absorb_final(&state2, input2); + libcrux_sha3_generic_keccak_KeccakState_17 state3 = + libcrux_sha3_portable_incremental_shake128_init(); + libcrux_sha3_portable_incremental_shake128_absorb_final(&state3, input3); + return (CLITERAL(libcrux_ml_dsa_hash_functions_portable_Shake128X4){ + .state0 = state0, .state1 = state1, .state2 = state2, .state3 = state3}); +} + +typedef libcrux_sha3_portable_KeccakState + libcrux_ml_dsa_hash_functions_portable_Shake256; + +static KRML_MUSTINLINE libcrux_sha3_portable_KeccakState +libcrux_ml_dsa_hash_functions_portable_init_absorb_final_shake256( + Eurydice_slice input) { + libcrux_sha3_generic_keccak_KeccakState_17 state = + libcrux_sha3_portable_incremental_shake256_init(); + libcrux_sha3_portable_incremental_shake256_absorb_final(&state, input); + return state; +} + +typedef struct libcrux_ml_dsa_hash_functions_portable_Shake256X4_s { + libcrux_sha3_generic_keccak_KeccakState_17 state0; + libcrux_sha3_generic_keccak_KeccakState_17 state1; + libcrux_sha3_generic_keccak_KeccakState_17 state2; + libcrux_sha3_generic_keccak_KeccakState_17 state3; +} libcrux_ml_dsa_hash_functions_portable_Shake256X4; + +static KRML_MUSTINLINE libcrux_ml_dsa_hash_functions_portable_Shake256X4 +libcrux_ml_dsa_hash_functions_portable_init_absorb_x4(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice input2, + Eurydice_slice input3) { + libcrux_sha3_generic_keccak_KeccakState_17 state0 = + libcrux_sha3_portable_incremental_shake256_init(); + libcrux_sha3_portable_incremental_shake256_absorb_final(&state0, input0); + libcrux_sha3_generic_keccak_KeccakState_17 state1 = + libcrux_sha3_portable_incremental_shake256_init(); + libcrux_sha3_portable_incremental_shake256_absorb_final(&state1, input1); + libcrux_sha3_generic_keccak_KeccakState_17 state2 = + libcrux_sha3_portable_incremental_shake256_init(); + libcrux_sha3_portable_incremental_shake256_absorb_final(&state2, input2); + libcrux_sha3_generic_keccak_KeccakState_17 state3 = + libcrux_sha3_portable_incremental_shake256_init(); + libcrux_sha3_portable_incremental_shake256_absorb_final(&state3, input3); + return (CLITERAL(libcrux_ml_dsa_hash_functions_portable_Shake256X4){ + .state0 = state0, .state1 = state1, .state2 = state2, .state3 = state3}); +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_shake256( + libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) { + uint8_t out[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_first_block( + state, Eurydice_array_to_slice((size_t)136U, out, uint8_t)); + memcpy(ret, out, (size_t)136U * sizeof(uint8_t)); +} + +typedef struct uint8_t_136size_t__x4_s { + uint8_t fst[136U]; + uint8_t snd[136U]; + uint8_t thd[136U]; + uint8_t f3[136U]; +} uint8_t_136size_t__x4; + +static KRML_MUSTINLINE uint8_t_136size_t__x4 +libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4( + libcrux_ml_dsa_hash_functions_portable_Shake256X4 *state) { + uint8_t out0[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_first_block( + &state->state0, Eurydice_array_to_slice((size_t)136U, out0, uint8_t)); + uint8_t out1[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_first_block( + &state->state1, Eurydice_array_to_slice((size_t)136U, out1, uint8_t)); + uint8_t out2[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_first_block( + &state->state2, Eurydice_array_to_slice((size_t)136U, out2, uint8_t)); + uint8_t out3[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_first_block( + &state->state3, Eurydice_array_to_slice((size_t)136U, out3, uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[136U]; + memcpy(copy_of_out0, out0, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[136U]; + memcpy(copy_of_out1, out1, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[136U]; + memcpy(copy_of_out2, out2, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[136U]; + memcpy(copy_of_out3, out3, (size_t)136U * sizeof(uint8_t)); + uint8_t_136size_t__x4 lit; + memcpy(lit.fst, copy_of_out0, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_out1, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.thd, copy_of_out2, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.f3, copy_of_out3, (size_t)136U * sizeof(uint8_t)); + return lit; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks( + libcrux_ml_dsa_hash_functions_portable_Shake128X4 *state, uint8_t *out0, + uint8_t *out1, uint8_t *out2, uint8_t *out3) { + libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( + &state->state0, Eurydice_array_to_slice((size_t)840U, out0, uint8_t)); + libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( + &state->state1, Eurydice_array_to_slice((size_t)840U, out1, uint8_t)); + libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( + &state->state2, Eurydice_array_to_slice((size_t)840U, out2, uint8_t)); + libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( + &state->state3, Eurydice_array_to_slice((size_t)840U, out3, uint8_t)); +} + +typedef struct uint8_t_168size_t__x4_s { + uint8_t fst[168U]; + uint8_t snd[168U]; + uint8_t thd[168U]; + uint8_t f3[168U]; +} uint8_t_168size_t__x4; + +static KRML_MUSTINLINE uint8_t_168size_t__x4 +libcrux_ml_dsa_hash_functions_portable_squeeze_next_block( + libcrux_ml_dsa_hash_functions_portable_Shake128X4 *state) { + uint8_t out0[168U] = {0U}; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &state->state0, Eurydice_array_to_slice((size_t)168U, out0, uint8_t)); + uint8_t out1[168U] = {0U}; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &state->state1, Eurydice_array_to_slice((size_t)168U, out1, uint8_t)); + uint8_t out2[168U] = {0U}; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &state->state2, Eurydice_array_to_slice((size_t)168U, out2, uint8_t)); + uint8_t out3[168U] = {0U}; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &state->state3, Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[168U]; + memcpy(copy_of_out0, out0, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[168U]; + memcpy(copy_of_out1, out1, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[168U]; + memcpy(copy_of_out2, out2, (size_t)168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[168U]; + memcpy(copy_of_out3, out3, (size_t)168U * sizeof(uint8_t)); + uint8_t_168size_t__x4 lit; + memcpy(lit.fst, copy_of_out0, (size_t)168U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_out1, (size_t)168U * sizeof(uint8_t)); + memcpy(lit.thd, copy_of_out2, (size_t)168U * sizeof(uint8_t)); + memcpy(lit.f3, copy_of_out3, (size_t)168U * sizeof(uint8_t)); + return lit; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_shake256( + libcrux_sha3_portable_KeccakState *state, uint8_t ret[136U]) { + uint8_t out[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_next_block( + state, Eurydice_array_to_slice((size_t)136U, out, uint8_t)); + memcpy(ret, out, (size_t)136U * sizeof(uint8_t)); +} + +static KRML_MUSTINLINE uint8_t_136size_t__x4 +libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4( + libcrux_ml_dsa_hash_functions_portable_Shake256X4 *state) { + uint8_t out0[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_next_block( + &state->state0, Eurydice_array_to_slice((size_t)136U, out0, uint8_t)); + uint8_t out1[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_next_block( + &state->state1, Eurydice_array_to_slice((size_t)136U, out1, uint8_t)); + uint8_t out2[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_next_block( + &state->state2, Eurydice_array_to_slice((size_t)136U, out2, uint8_t)); + uint8_t out3[136U] = {0U}; + libcrux_sha3_portable_incremental_shake256_squeeze_next_block( + &state->state3, Eurydice_array_to_slice((size_t)136U, out3, uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[136U]; + memcpy(copy_of_out0, out0, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[136U]; + memcpy(copy_of_out1, out1, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[136U]; + memcpy(copy_of_out2, out2, (size_t)136U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out3[136U]; + memcpy(copy_of_out3, out3, (size_t)136U * sizeof(uint8_t)); + uint8_t_136size_t__x4 lit; + memcpy(lit.fst, copy_of_out0, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_out1, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.thd, copy_of_out2, (size_t)136U * sizeof(uint8_t)); + memcpy(lit.f3, copy_of_out3, (size_t)136U * sizeof(uint8_t)); + return lit; +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake128X4)} +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_hash_functions_portable_Shake128X4 +libcrux_ml_dsa_hash_functions_portable_init_absorb_ed(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice input2, + Eurydice_slice input3) { + return libcrux_ml_dsa_hash_functions_portable_init_absorb(input0, input1, + input2, input3); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake128X4)} +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed( + libcrux_ml_dsa_hash_functions_portable_Shake128X4 *self, uint8_t *out0, + uint8_t *out1, uint8_t *out2, uint8_t *out3) { + libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks( + self, out0, out1, out2, out3); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake128X4)} +*/ +static KRML_MUSTINLINE uint8_t_168size_t__x4 +libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + libcrux_ml_dsa_hash_functions_portable_Shake128X4 *self) { + return libcrux_ml_dsa_hash_functions_portable_squeeze_next_block(self); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} +*/ +static KRML_MUSTINLINE libcrux_sha3_portable_KeccakState +libcrux_ml_dsa_hash_functions_portable_init_absorb_final_5c( + Eurydice_slice input) { + return libcrux_ml_dsa_hash_functions_portable_init_absorb_final_shake256( + input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_5c( + libcrux_sha3_portable_KeccakState *self, uint8_t ret[136U]) { + libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_shake256(self, + ret); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_5c( + libcrux_sha3_portable_KeccakState *self, uint8_t ret[136U]) { + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_shake256(self, ret); +} + +typedef libcrux_sha3_portable_incremental_Shake256Xof + libcrux_ml_dsa_hash_functions_portable_Shake256Xof; + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::Xof for +libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4} +*/ +static inline void libcrux_ml_dsa_hash_functions_portable_absorb_83( + libcrux_sha3_portable_incremental_Shake256Xof *self, Eurydice_slice input) { + libcrux_sha3_portable_incremental_absorb_68(self, input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::Xof for +libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4} +*/ +static inline void libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + libcrux_sha3_portable_incremental_Shake256Xof *self, Eurydice_slice input) { + libcrux_sha3_portable_incremental_absorb_final_68(self, input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::Xof for +libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4} +*/ +static inline libcrux_sha3_portable_incremental_Shake256Xof +libcrux_ml_dsa_hash_functions_portable_init_83(void) { + return libcrux_sha3_portable_incremental_new_68(); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::Xof for +libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4} +*/ +static inline void libcrux_ml_dsa_hash_functions_portable_squeeze_83( + libcrux_sha3_portable_incremental_Shake256Xof *self, Eurydice_slice out) { + libcrux_sha3_portable_incremental_squeeze_68(self, out); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_hash_functions_portable_Shake256X4 +libcrux_ml_dsa_hash_functions_portable_init_absorb_x4_50( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3) { + return libcrux_ml_dsa_hash_functions_portable_init_absorb_x4(input0, input1, + input2, input3); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} +*/ +static KRML_MUSTINLINE uint8_t_136size_t__x4 +libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4_50( + libcrux_ml_dsa_hash_functions_portable_Shake256X4 *self) { + return libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4(self); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} +*/ +static KRML_MUSTINLINE uint8_t_136size_t__x4 +libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + libcrux_ml_dsa_hash_functions_portable_Shake256X4 *self) { + return libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4(self); +} + +#define LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE128_BLOCK_SIZE ((size_t)168U) + +#define LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE128_FIVE_BLOCKS_SIZE \ + (LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE128_BLOCK_SIZE * (size_t)5U) + +#define LIBCRUX_ML_DSA_HASH_FUNCTIONS_SHAKE256_BLOCK_SIZE ((size_t)136U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE ((size_t)49U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_ETA ((size_t)4U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_BETA \ + ((int32_t)(LIBCRUX_ML_DSA_ML_DSA_65_ONES_IN_VERIFIER_CHALLENGE * \ + LIBCRUX_ML_DSA_ML_DSA_65_ETA)) + +#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT ((size_t)4U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_ERROR_COEFFICIENT ((size_t)4U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT ((size_t)20U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A ((size_t)5U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_HASH_SIZE ((size_t)48U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE \ + (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_COMMITMENT_COEFFICIENT * \ + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A ((size_t)6U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_VECTOR_SIZE \ + (LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_RING_ELEMENT_SIZE * \ + LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A) + +#define LIBCRUX_ML_DSA_ML_DSA_65_ERROR_RING_ELEMENT_SIZE \ + (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_ERROR_COEFFICIENT * \ + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_EXPONENT ((size_t)19U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE \ + (LIBCRUX_ML_DSA_ML_DSA_65_BITS_PER_GAMMA1_COEFFICIENT * \ + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_ML_DSA_ML_DSA_65_GAMMA2 \ + ((LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS - (int32_t)1) / (int32_t)32) + +#define LIBCRUX_ML_DSA_ML_DSA_65_MAX_ONES_IN_HINT ((size_t)55U) + +typedef libcrux_ml_dsa_types_MLDSASigningKey_22 + libcrux_ml_dsa_ml_dsa_65_MLDSA65SigningKey; + +typedef libcrux_ml_dsa_types_MLDSAVerificationKey_ea + libcrux_ml_dsa_ml_dsa_65_MLDSA65VerificationKey; + +#define LIBCRUX_ML_DSA_ML_DSA_65_SIGNATURE_SIZE \ + (LIBCRUX_ML_DSA_ML_DSA_65_COMMITMENT_HASH_SIZE + \ + LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A * \ + LIBCRUX_ML_DSA_ML_DSA_65_GAMMA1_RING_ELEMENT_SIZE + \ + LIBCRUX_ML_DSA_ML_DSA_65_MAX_ONES_IN_HINT + \ + LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A) + +#define LIBCRUX_ML_DSA_ML_DSA_65_SIGNING_KEY_SIZE \ + (LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + \ + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE + \ + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH + \ + (LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A + \ + LIBCRUX_ML_DSA_ML_DSA_65_COLUMNS_IN_A) * \ + LIBCRUX_ML_DSA_ML_DSA_65_ERROR_RING_ELEMENT_SIZE + \ + LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A * \ + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE) + +#define LIBCRUX_ML_DSA_ML_DSA_65_VERIFICATION_KEY_SIZE \ + (LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + \ + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \ + LIBCRUX_ML_DSA_ML_DSA_65_ROWS_IN_A * \ + (LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH - \ + LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) / \ + (size_t)8U) + +static KRML_MUSTINLINE uint16_t +libcrux_ml_dsa_samplex4_generate_domain_separator(uint8_t row, uint8_t column) { + return (uint32_t)(uint16_t)column | (uint32_t)(uint16_t)row << 8U; +} + +#define LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS ((int32_t)8380417) + +#define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ + (58728449ULL) + +typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { + Eurydice_slice context; + Option_3f pre_hash_oid; +} libcrux_ml_dsa_pre_hash_DomainSeparationContext; + +#define libcrux_ml_dsa_pre_hash_ContextTooLongError 0 + +typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; + +/** +A monomorphic instance of core.result.Result +with types libcrux_ml_dsa_pre_hash_DomainSeparationContext, +libcrux_ml_dsa_pre_hash_DomainSeparationError + +*/ +typedef struct Result_a8_s { + Result_a9_tags tag; + union { + libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; + } val; +} Result_a8; + +/** + `context` must be at most 255 bytes long. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Result_a8 libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, + Option_3f pre_hash_oid) { + Result_a8 uu____0; + if (Eurydice_slice_len(context, uint8_t) > + LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) { + uu____0 = (CLITERAL(Result_a8){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_pre_hash_ContextTooLongError}}); + } else { + uu____0 = (CLITERAL(Result_a8){ + .tag = Ok, + .val = { + .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); + } + return uu____0; +} + +typedef struct libcrux_ml_dsa_pre_hash_SHAKE128_PH_s { +} libcrux_ml_dsa_pre_hash_SHAKE128_PH; + +typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_s { + int32_t coefficients[8U]; +} libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit; + +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_vector_type_ZERO(void) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lit; + lit.coefficients[0U] = (int32_t)0; + lit.coefficients[1U] = (int32_t)0; + lit.coefficients[2U] = (int32_t)0; + lit.coefficients[3U] = (int32_t)0; + lit.coefficients[4U] = (int32_t)0; + lit.coefficients[5U] = (int32_t)0; + lit.coefficients[6U] = (int32_t)0; + lit.coefficients[7U] = (int32_t)0; + return lit; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_ZERO_36(void) { + return libcrux_ml_dsa_simd_portable_vector_type_ZERO(); +} + +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array( + Eurydice_slice array) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lit; + int32_t ret[8U]; + Result_6c dst; + Eurydice_slice_to_array2( + &dst, Eurydice_slice_subslice2(array, (size_t)0U, (size_t)8U, int32_t), + Eurydice_slice, int32_t[8U]); + unwrap_26_55(dst, ret); + memcpy(lit.coefficients, ret, (size_t)8U * sizeof(int32_t)); + return lit; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_from_coefficient_array_36(Eurydice_slice array) { + return libcrux_ml_dsa_simd_portable_vector_type_from_coefficient_array(array); +} + +static inline void +libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *x, + int32_t ret[8U]) { + memcpy(ret, x->coefficients, (size_t)8U * sizeof(int32_t)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_to_coefficient_array_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *self, + int32_t ret[8U]) { + libcrux_ml_dsa_simd_portable_vector_type_to_coefficient_array(self, ret); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_arithmetic_add( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit sum = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, sum.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + sum.coefficients[i0] = lhs->coefficients[i0] + rhs->coefficients[i0]; + } + return sum; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_add_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { + return libcrux_ml_dsa_simd_portable_arithmetic_add(lhs, rhs); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_arithmetic_subtract( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit difference = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, difference.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + difference.coefficients[i0] = lhs->coefficients[i0] - rhs->coefficients[i0]; + } + return difference; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_subtract_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { + return libcrux_ml_dsa_simd_portable_arithmetic_subtract(lhs, rhs); +} + +static KRML_MUSTINLINE bool +libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t bound) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes " + "core::array::iter::{core::iter::traits::iterator::" + "Iterator for core::array::iter::IntoIter[TraitClause@0]}#2[TraitClause@0]::Item\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline bool libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t bound) { + return libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( + simd_unit, bound); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (32U) + +static KRML_MUSTINLINE uint64_t +libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( + uint8_t n, uint64_t value) { + return value & ((1ULL << (uint32_t)n) - 1ULL); +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + int64_t value) { + uint64_t t = + libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( + LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT, + (uint64_t)value) * + LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; + int32_t k = (int32_t) + libcrux_ml_dsa_simd_portable_arithmetic_get_n_least_significant_bits( + LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT, t); + int64_t k_times_modulus = + (int64_t)k * (int64_t)LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; + int32_t c = + (int32_t)(k_times_modulus >> + (uint32_t) + LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT); + int32_t value_high = + (int32_t)(value >> + (uint32_t) + LIBCRUX_ML_DSA_SIMD_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT); + return value_high - c; +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *lhs, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *rhs) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit product = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, product.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + product.coefficients[i0] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + (int64_t)lhs->coefficients[i0] * (int64_t)rhs->coefficients[i0]); + } + return product; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_montgomery_multiply_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit lhs, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit rhs) { + return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply(&lhs, + &rhs); +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_reduce_element(int32_t fe) { + int32_t quotient = (fe + ((int32_t)1 << 22U)) >> 23U; + return fe - quotient * LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; +} + +typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2_s { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit fst; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit snd; +} libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2; + +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 +libcrux_ml_dsa_simd_portable_arithmetic_power2round( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::array::iter::{core::iter::traits::iterator::Iterator for " + "core::array::iter::IntoIter[TraitClause@0]}#2[core::marker::Sized] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 +libcrux_ml_dsa_simd_portable_power2round_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { + return libcrux_ml_dsa_simd_portable_arithmetic_power2round(simd_unit); +} + +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; + core_slice_iter_Chunks iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + core_slice___Slice_T___chunks(randomness, (size_t)3U, uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, core_slice_iter_Chunks); + while (true) { + Option_1b uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &iter, uint8_t, Option_1b); + if (uu____0.tag == None) { + break; + } else { + Eurydice_slice bytes = uu____0.f0; + int32_t b0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int32_t b1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int32_t b2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); + int32_t coefficient = ((b2 << 16U | b1 << 8U) | b0) & (int32_t)8388607; + if (coefficient < LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = coefficient; + sampled++; + } + } + } + return sampled; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline size_t +libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_36( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( + randomness, out); +} + +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; + core_slice_iter_Iter iter = + core_slice_iter___core__iter__traits__collect__IntoIterator_for___a___Slice_T____1__into_iter( + randomness, uint8_t, core_slice_iter_Iter); + while (true) { + Option_3f uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Iter__a__T__TraitClause_0___182__next( + &iter, uint8_t, Option_3f); + if (uu____0.tag == None) { + break; + } else { + uint8_t *byte = uu____0.f0; + uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); + uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + if (try_0 < 15U) { + int32_t try_00 = (int32_t)try_0; + int32_t try_0_mod_5 = + try_00 - (try_00 * (int32_t)26 >> 7U) * (int32_t)5; + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)2 - try_0_mod_5; + sampled++; + } + if (try_1 < 15U) { + int32_t try_10 = (int32_t)try_1; + int32_t try_1_mod_5 = + try_10 - (try_10 * (int32_t)26 >> 7U) * (int32_t)5; + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)2 - try_1_mod_5; + sampled++; + } + } + } + return sampled; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline size_t +libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_36( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( + randomness, out); +} + +static KRML_MUSTINLINE size_t +libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( + Eurydice_slice randomness, Eurydice_slice out) { + size_t sampled = (size_t)0U; + core_slice_iter_Iter iter = + core_slice_iter___core__iter__traits__collect__IntoIterator_for___a___Slice_T____1__into_iter( + randomness, uint8_t, core_slice_iter_Iter); + while (true) { + Option_3f uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Iter__a__T__TraitClause_0___182__next( + &iter, uint8_t, Option_3f); + if (uu____0.tag == None) { + break; + } else { + uint8_t *byte = uu____0.f0; + uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); + uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + if (try_0 < 9U) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)4 - (int32_t)try_0; + sampled++; + } + if (try_1 < 9U) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)4 - (int32_t)try_1; + sampled++; + } + } + } + return sampled; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline size_t +libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( + Eurydice_slice randomness, Eurydice_slice out) { + return libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( + randomness, out); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( + Eurydice_slice serialized) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::ChunksExact<\'a, T>[TraitClause@0]}#90<\'_, " + "u8>[core::marker::Sized] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( + Eurydice_slice serialized) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::ChunksExact<\'a, T>[TraitClause@0]}#90<\'_, " + "u8>[core::marker::Sized] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ + ((int32_t)2) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA \ + ((int32_t)2) + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_2( + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + int32_t byte0 = + (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *); + int32_t byte1 = + (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *); + int32_t byte2 = + (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *); + simd_unit.coefficients[0U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte0 & (int32_t)7); + simd_unit.coefficients[1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte0 >> 3U & (int32_t)7); + simd_unit.coefficients[2U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + ((byte0 >> 6U | byte1 << 2U) & (int32_t)7); + simd_unit.coefficients[3U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte1 >> 1U & (int32_t)7); + simd_unit.coefficients[4U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte1 >> 4U & (int32_t)7); + simd_unit.coefficients[5U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + ((byte1 >> 7U | byte2 << 1U) & (int32_t)7); + simd_unit.coefficients[6U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte2 >> 2U & (int32_t)7); + simd_unit.coefficients[7U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA - + (byte2 >> 5U & (int32_t)7); + return simd_unit; +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( + Eurydice_slice serialized) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "u8>[core::marker::Sized] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(int32_t t0) { + return ((int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U)) - + t0; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t0_serialize( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + uint8_t ret[13U]) { + uint8_t serialized[13U] = {0U}; + int32_t coefficient0 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit.coefficients[0U]); + int32_t coefficient1 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit.coefficients[1U]); + int32_t coefficient2 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit.coefficients[2U]); + int32_t coefficient3 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit.coefficients[3U]); + int32_t coefficient4 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit.coefficients[4U]); + int32_t coefficient5 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit.coefficients[5U]); + int32_t coefficient6 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit.coefficients[6U]); + int32_t coefficient7 = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval( + simd_unit.coefficients[7U]); + serialized[0U] = (uint8_t)coefficient0; + serialized[1U] = (uint8_t)(coefficient0 >> 8U); + size_t uu____0 = (size_t)1U; + serialized[uu____0] = + (uint32_t)serialized[uu____0] | (uint32_t)(uint8_t)(coefficient1 << 5U); + serialized[2U] = (uint8_t)(coefficient1 >> 3U); + serialized[3U] = (uint8_t)(coefficient1 >> 11U); + size_t uu____1 = (size_t)3U; + serialized[uu____1] = + (uint32_t)serialized[uu____1] | (uint32_t)(uint8_t)(coefficient2 << 2U); + serialized[4U] = (uint8_t)(coefficient2 >> 6U); + size_t uu____2 = (size_t)4U; + serialized[uu____2] = + (uint32_t)serialized[uu____2] | (uint32_t)(uint8_t)(coefficient3 << 7U); + serialized[5U] = (uint8_t)(coefficient3 >> 1U); + serialized[6U] = (uint8_t)(coefficient3 >> 9U); + size_t uu____3 = (size_t)6U; + serialized[uu____3] = + (uint32_t)serialized[uu____3] | (uint32_t)(uint8_t)(coefficient4 << 4U); + serialized[7U] = (uint8_t)(coefficient4 >> 4U); + serialized[8U] = (uint8_t)(coefficient4 >> 12U); + size_t uu____4 = (size_t)8U; + serialized[uu____4] = + (uint32_t)serialized[uu____4] | (uint32_t)(uint8_t)(coefficient5 << 1U); + serialized[9U] = (uint8_t)(coefficient5 >> 7U); + size_t uu____5 = (size_t)9U; + serialized[uu____5] = + (uint32_t)serialized[uu____5] | (uint32_t)(uint8_t)(coefficient6 << 6U); + serialized[10U] = (uint8_t)(coefficient6 >> 2U); + serialized[11U] = (uint8_t)(coefficient6 >> 10U); + size_t uu____6 = (size_t)11U; + serialized[uu____6] = + (uint32_t)serialized[uu____6] | (uint32_t)(uint8_t)(coefficient7 << 3U); + serialized[12U] = (uint8_t)(coefficient7 >> 5U); + memcpy(ret, serialized, (size_t)13U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_t0_serialize_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + uint8_t ret[13U]) { + libcrux_ml_dsa_simd_portable_encoding_t0_serialize(simd_unit, ret); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK \ + (((int32_t)1 << (uint32_t)(int32_t) \ + LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T) - \ + (int32_t)1) + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_encoding_t0_deserialize( + Eurydice_slice serialized) { + int32_t byte0 = + (int32_t)Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *); + int32_t byte1 = + (int32_t)Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *); + int32_t byte2 = + (int32_t)Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *); + int32_t byte3 = + (int32_t)Eurydice_slice_index(serialized, (size_t)3U, uint8_t, uint8_t *); + int32_t byte4 = + (int32_t)Eurydice_slice_index(serialized, (size_t)4U, uint8_t, uint8_t *); + int32_t byte5 = + (int32_t)Eurydice_slice_index(serialized, (size_t)5U, uint8_t, uint8_t *); + int32_t byte6 = + (int32_t)Eurydice_slice_index(serialized, (size_t)6U, uint8_t, uint8_t *); + int32_t byte7 = + (int32_t)Eurydice_slice_index(serialized, (size_t)7U, uint8_t, uint8_t *); + int32_t byte8 = + (int32_t)Eurydice_slice_index(serialized, (size_t)8U, uint8_t, uint8_t *); + int32_t byte9 = + (int32_t)Eurydice_slice_index(serialized, (size_t)9U, uint8_t, uint8_t *); + int32_t byte10 = (int32_t)Eurydice_slice_index(serialized, (size_t)10U, + uint8_t, uint8_t *); + int32_t byte11 = (int32_t)Eurydice_slice_index(serialized, (size_t)11U, + uint8_t, uint8_t *); + int32_t byte12 = (int32_t)Eurydice_slice_index(serialized, (size_t)12U, + uint8_t, uint8_t *); + int32_t coefficient0 = byte0; + coefficient0 = coefficient0 | byte1 << 8U; + coefficient0 = + coefficient0 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient1 = byte1 >> 5U; + coefficient1 = coefficient1 | byte2 << 3U; + coefficient1 = coefficient1 | byte3 << 11U; + coefficient1 = + coefficient1 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient2 = byte3 >> 2U; + coefficient2 = coefficient2 | byte4 << 6U; + coefficient2 = + coefficient2 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient3 = byte4 >> 7U; + coefficient3 = coefficient3 | byte5 << 1U; + coefficient3 = coefficient3 | byte6 << 9U; + coefficient3 = + coefficient3 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient4 = byte6 >> 4U; + coefficient4 = coefficient4 | byte7 << 4U; + coefficient4 = coefficient4 | byte8 << 12U; + coefficient4 = + coefficient4 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient5 = byte8 >> 1U; + coefficient5 = coefficient5 | byte9 << 7U; + coefficient5 = + coefficient5 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient6 = byte9 >> 6U; + coefficient6 = coefficient6 | byte10 << 2U; + coefficient6 = coefficient6 | byte11 << 10U; + coefficient6 = + coefficient6 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + int32_t coefficient7 = byte11 >> 3U; + coefficient7 = coefficient7 | byte12 << 5U; + coefficient7 = + coefficient7 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_T0_DESERIALIZE_BITS_IN_LOWER_PART_OF_T_MASK; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + simd_unit.coefficients[0U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient0); + simd_unit.coefficients[1U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient1); + simd_unit.coefficients[2U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient2); + simd_unit.coefficients[3U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient3); + simd_unit.coefficients[4U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient4); + simd_unit.coefficients[5U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient5); + simd_unit.coefficients[6U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient6); + simd_unit.coefficients[7U] = + libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(coefficient7); + return simd_unit; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_t0_deserialize_36(Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_portable_encoding_t0_deserialize(serialized); +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + uint8_t ret[10U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::ChunksExact<\'a, T>[TraitClause@0]}#90<\'_, " + "i32>[core::marker::Sized] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_t1_serialize_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + uint8_t ret[10U]) { + libcrux_ml_dsa_simd_portable_encoding_t1_serialize(simd_unit, ret); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_encoding_t1_deserialize( + Eurydice_slice serialized) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::ChunksExact<\'a, T>[TraitClause@0]}#90<\'_, " + "u8>[core::marker::Sized] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_t1_deserialize_36(Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_portable_encoding_t1_deserialize(serialized); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t c) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + simd_unit.coefficients[i0] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + (int64_t)simd_unit.coefficients[i0] * (int64_t)c); + } + return simd_unit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 16 +- ZETA= 25847 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)16U], (int32_t)25847); + re[j + (size_t)16U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_99(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 8 +- ZETA= -2608894 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)8U], (int32_t)-2608894); + re[j + (size_t)8U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 8 +- ZETA= -518909 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)8U], (int32_t)-518909); + re[j + (size_t)8U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_990(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 4 +- ZETA= 237124 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)4U], (int32_t)237124); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 4 +- ZETA= -777960 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)4U], (int32_t)-777960); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 4 +- ZETA= -876248 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)4U], (int32_t)-876248); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 4 +- ZETA= 466468 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)4U], (int32_t)466468); + re[j + (size_t)4U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_991(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a8(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d9(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 2 +- ZETA= 1826347 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)1826347); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 2 +- ZETA= 2353451 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)2353451); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 2 +- ZETA= -359251 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)-359251); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 2 +- ZETA= -2091905 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)-2091905); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 2 +- ZETA= 3119733 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)3119733); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 2 +- ZETA= -2884855 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)-2884855); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 2 +- ZETA= 3111497 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)3111497); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 2 +- ZETA= 2680103 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)2U], (int32_t)2680103); + re[j + (size_t)2U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_992(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a80(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_95(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a1(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d90(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 1 +- ZETA= 2725464 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)2725464); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 2 +- STEP_BY= 1 +- ZETA= 1024112 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)1024112); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 1 +- ZETA= -1079900 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-1079900); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 6 +- STEP_BY= 1 +- ZETA= 3585928 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)3585928); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 1 +- ZETA= -549488 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-549488); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 10 +- STEP_BY= 1 +- ZETA= -1119584 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-1119584); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 1 +- ZETA= 2619752 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)2619752); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 14 +- STEP_BY= 1 +- ZETA= -2108549 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-2108549); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 1 +- ZETA= -2118186 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-2118186); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 18 +- STEP_BY= 1 +- ZETA= -3859737 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-3859737); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 1 +- ZETA= -1399561 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-1399561); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 22 +- STEP_BY= 1 +- ZETA= -3277672 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-3277672); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 1 +- ZETA= 1757237 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)1757237); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 26 +- STEP_BY= 1 +- ZETA= -19422 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)-19422); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 1 +- ZETA= 4010497 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)4010497); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.ntt.outer_3_plus +with const generics +- OFFSET= 30 +- STEP_BY= 1 +- ZETA= 280005 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[j + (size_t)1U], (int32_t)280005); + re[j + (size_t)1U] = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j], &t); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], &t); + re[j] = uu____1; + } +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_993(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1c(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_6b0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_44(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a81(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_1f(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_950(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_7a2(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_e4(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_de0(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_05(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_d91(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3a(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_3b1(re); + libcrux_ml_dsa_simd_portable_ntt_outer_3_plus_a0(re); +} + +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + int32_t fe, int32_t fer) { + return libcrux_ml_dsa_simd_portable_arithmetic_montgomery_reduce_element( + (int64_t)fe * (int64_t)fer); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t zeta) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[4U], zeta); + simd_unit.coefficients[4U] = simd_unit.coefficients[0U] - t; + simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[5U], zeta); + simd_unit.coefficients[5U] = simd_unit.coefficients[1U] - t0; + simd_unit.coefficients[1U] = simd_unit.coefficients[1U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[6U], zeta); + simd_unit.coefficients[6U] = simd_unit.coefficients[2U] - t1; + simd_unit.coefficients[2U] = simd_unit.coefficients[2U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[7U], zeta); + simd_unit.coefficients[7U] = simd_unit.coefficients[3U] - t2; + simd_unit.coefficients[3U] = simd_unit.coefficients[3U] + t2; + return simd_unit; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, + int32_t zeta) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_2(re[index], + zeta); + re[index] = uu____0; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)0U, + (int32_t)2706023); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)1U, + (int32_t)95776); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)2U, + (int32_t)3077325); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)3U, + (int32_t)3530437); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)4U, + (int32_t)-1661693); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)5U, + (int32_t)-3592148); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)6U, + (int32_t)-2537516); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)7U, + (int32_t)3915439); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)8U, + (int32_t)-3861115); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)9U, + (int32_t)-3043716); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)10U, + (int32_t)3574422); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)11U, + (int32_t)-2867647); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)12U, + (int32_t)3539968); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)13U, + (int32_t)-300467); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)14U, + (int32_t)2348700); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)15U, + (int32_t)-539299); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)16U, + (int32_t)-1699267); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)17U, + (int32_t)-1643818); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)18U, + (int32_t)3505694); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)19U, + (int32_t)-3821735); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)20U, + (int32_t)3507263); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)21U, + (int32_t)-2140649); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)22U, + (int32_t)-1600420); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)23U, + (int32_t)3699596); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)24U, + (int32_t)811944); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)25U, + (int32_t)531354); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)26U, + (int32_t)954230); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)27U, + (int32_t)3881043); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)28U, + (int32_t)3900724); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)29U, + (int32_t)-2556880); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)30U, + (int32_t)2071892); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2_round(re, (size_t)31U, + (int32_t)-2797779); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t zeta1, int32_t zeta2) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[2U], zeta1); + simd_unit.coefficients[2U] = simd_unit.coefficients[0U] - t; + simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[3U], zeta1); + simd_unit.coefficients[3U] = simd_unit.coefficients[1U] - t0; + simd_unit.coefficients[1U] = simd_unit.coefficients[1U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[6U], zeta2); + simd_unit.coefficients[6U] = simd_unit.coefficients[4U] - t1; + simd_unit.coefficients[4U] = simd_unit.coefficients[4U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[7U], zeta2); + simd_unit.coefficients[7U] = simd_unit.coefficients[5U] - t2; + simd_unit.coefficients[5U] = simd_unit.coefficients[5U] + t2; + return simd_unit; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, + int32_t zeta_0, int32_t zeta_1) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_1(re[index], + zeta_0, zeta_1); + re[index] = uu____0; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)-3930395, (int32_t)-1528703); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)1U, (int32_t)-3677745, (int32_t)-3041255); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1452451, (int32_t)3475950); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)3U, (int32_t)2176455, (int32_t)-1585221); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)-1257611, (int32_t)1939314); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)5U, (int32_t)-4083598, (int32_t)-1000202); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-3190144, (int32_t)-3157330); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)7U, (int32_t)-3632928, (int32_t)126922); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)3412210, (int32_t)-983419); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)9U, (int32_t)2147896, (int32_t)2715295); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-2967645, (int32_t)-3693493); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)11U, (int32_t)-411027, (int32_t)-2477047); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)-671102, (int32_t)-1228525); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)13U, (int32_t)-22981, (int32_t)-1308169); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)-381987, (int32_t)1349076); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)15U, (int32_t)1852771, (int32_t)-1430430); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-3343383, (int32_t)264944); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)17U, (int32_t)508951, (int32_t)3097992); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)44288, (int32_t)-1100098); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)19U, (int32_t)904516, (int32_t)3958618); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-3724342, (int32_t)-8578); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)21U, (int32_t)1653064, (int32_t)-3249728); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2389356, (int32_t)-210977); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)23U, (int32_t)759969, (int32_t)-1316856); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)189548, (int32_t)-3553272); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)25U, (int32_t)3159746, (int32_t)-1851402); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-2409325, (int32_t)-177440); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)27U, (int32_t)1315589, (int32_t)1341330); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)1285669, (int32_t)-1584928); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)29U, (int32_t)-812732, (int32_t)-1439742); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3019102, (int32_t)-3881060); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1_round( + re, (size_t)31U, (int32_t)-3628969, (int32_t)3839961); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { + int32_t t = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[1U], zeta0); + simd_unit.coefficients[1U] = simd_unit.coefficients[0U] - t; + simd_unit.coefficients[0U] = simd_unit.coefficients[0U] + t; + int32_t t0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[3U], zeta1); + simd_unit.coefficients[3U] = simd_unit.coefficients[2U] - t0; + simd_unit.coefficients[2U] = simd_unit.coefficients[2U] + t0; + int32_t t1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[5U], zeta2); + simd_unit.coefficients[5U] = simd_unit.coefficients[4U] - t1; + simd_unit.coefficients[4U] = simd_unit.coefficients[4U] + t1; + int32_t t2 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + simd_unit.coefficients[7U], zeta3); + simd_unit.coefficients[7U] = simd_unit.coefficients[6U] - t2; + simd_unit.coefficients[6U] = simd_unit.coefficients[6U] + t2; + return simd_unit; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, + int32_t zeta_0, int32_t zeta_1, int32_t zeta_2, int32_t zeta_3) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_ntt_simd_unit_ntt_at_layer_0( + re[index], zeta_0, zeta_1, zeta_2, zeta_3); + re[index] = uu____0; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)2091667, (int32_t)3407706, (int32_t)2316500, + (int32_t)3817976); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)1U, (int32_t)-3342478, (int32_t)2244091, (int32_t)-2446433, + (int32_t)-3562462); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)266997, (int32_t)2434439, (int32_t)-1235728, + (int32_t)3513181); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)3U, (int32_t)-3520352, (int32_t)-3759364, (int32_t)-1197226, + (int32_t)-3193378); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)900702, (int32_t)1859098, (int32_t)909542, + (int32_t)819034); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)5U, (int32_t)495491, (int32_t)-1613174, (int32_t)-43260, + (int32_t)-522500); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)-655327, (int32_t)-3122442, (int32_t)2031748, + (int32_t)3207046); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)7U, (int32_t)-3556995, (int32_t)-525098, (int32_t)-768622, + (int32_t)-3595838); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)342297, (int32_t)286988, (int32_t)-2437823, + (int32_t)4108315); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)9U, (int32_t)3437287, (int32_t)-3342277, (int32_t)1735879, + (int32_t)203044); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)2842341, (int32_t)2691481, (int32_t)-2590150, + (int32_t)1265009); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)11U, (int32_t)4055324, (int32_t)1247620, (int32_t)2486353, + (int32_t)1595974); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3767016, (int32_t)1250494, (int32_t)2635921, + (int32_t)-3548272); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)13U, (int32_t)-2994039, (int32_t)1869119, (int32_t)1903435, + (int32_t)-1050970); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)-1333058, (int32_t)1237275, (int32_t)-3318210, + (int32_t)-1430225); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)15U, (int32_t)-451100, (int32_t)1312455, (int32_t)3306115, + (int32_t)-1962642); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1279661, (int32_t)1917081, (int32_t)-2546312, + (int32_t)-1374803); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)17U, (int32_t)1500165, (int32_t)777191, (int32_t)2235880, + (int32_t)3406031); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-542412, (int32_t)-2831860, (int32_t)-1671176, + (int32_t)-1846953); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)19U, (int32_t)-2584293, (int32_t)-3724270, (int32_t)594136, + (int32_t)-3776993); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)-2013608, (int32_t)2432395, (int32_t)2454455, + (int32_t)-164721); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)21U, (int32_t)1957272, (int32_t)3369112, (int32_t)185531, + (int32_t)-1207385); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)-3183426, (int32_t)162844, (int32_t)1616392, + (int32_t)3014001); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)23U, (int32_t)810149, (int32_t)1652634, (int32_t)-3694233, + (int32_t)-1799107); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3038916, (int32_t)3523897, (int32_t)3866901, + (int32_t)269760); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)25U, (int32_t)2213111, (int32_t)-975884, (int32_t)1717735, + (int32_t)472078); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-426683, (int32_t)1723600, (int32_t)-1803090, + (int32_t)1910376); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)27U, (int32_t)-1667432, (int32_t)-1104333, (int32_t)-260646, + (int32_t)-3833893); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-2939036, (int32_t)-2235985, (int32_t)-420899, + (int32_t)-2286327); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)29U, (int32_t)183443, (int32_t)-976891, (int32_t)1612842, + (int32_t)-3545687); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-554416, (int32_t)3919660, (int32_t)-48306, + (int32_t)-1362209); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0_round( + re, (size_t)31U, (int32_t)3937738, (int32_t)1400424, (int32_t)-846154, + (int32_t)1976782); +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_ntt_ntt( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit re[32U], + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) { + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_7(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_6(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_5(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_4(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_3(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_portable_ntt_ntt_at_layer_0(re); + memcpy(ret, re, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_ntt_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U], + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit + copy_of_simd_units[32U]; + memcpy(copy_of_simd_units, simd_units, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret0[32U]; + libcrux_ml_dsa_simd_portable_ntt_ntt(copy_of_simd_units, ret0); + memcpy(ret, ret0, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { + int32_t a_minus_b = simd_unit.coefficients[1U] - simd_unit.coefficients[0U]; + simd_unit.coefficients[0U] = + simd_unit.coefficients[0U] + simd_unit.coefficients[1U]; + simd_unit.coefficients[1U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta0); + int32_t a_minus_b0 = simd_unit.coefficients[3U] - simd_unit.coefficients[2U]; + simd_unit.coefficients[2U] = + simd_unit.coefficients[2U] + simd_unit.coefficients[3U]; + simd_unit.coefficients[3U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta1); + int32_t a_minus_b1 = simd_unit.coefficients[5U] - simd_unit.coefficients[4U]; + simd_unit.coefficients[4U] = + simd_unit.coefficients[4U] + simd_unit.coefficients[5U]; + simd_unit.coefficients[5U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta2); + int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[6U]; + simd_unit.coefficients[6U] = + simd_unit.coefficients[6U] + simd_unit.coefficients[7U]; + simd_unit.coefficients[7U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta3); + return simd_unit; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, + int32_t zeta0, int32_t zeta1, int32_t zeta2, int32_t zeta3) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_0( + re[index], zeta0, zeta1, zeta2, zeta3); + re[index] = uu____0; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)0U, (int32_t)1976782, (int32_t)-846154, (int32_t)1400424, + (int32_t)3937738); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)1U, (int32_t)-1362209, (int32_t)-48306, (int32_t)3919660, + (int32_t)-554416); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)2U, (int32_t)-3545687, (int32_t)1612842, (int32_t)-976891, + (int32_t)183443); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)3U, (int32_t)-2286327, (int32_t)-420899, (int32_t)-2235985, + (int32_t)-2939036); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)4U, (int32_t)-3833893, (int32_t)-260646, (int32_t)-1104333, + (int32_t)-1667432); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)5U, (int32_t)1910376, (int32_t)-1803090, (int32_t)1723600, + (int32_t)-426683); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)6U, (int32_t)472078, (int32_t)1717735, (int32_t)-975884, + (int32_t)2213111); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)7U, (int32_t)269760, (int32_t)3866901, (int32_t)3523897, + (int32_t)-3038916); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)8U, (int32_t)-1799107, (int32_t)-3694233, (int32_t)1652634, + (int32_t)810149); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)9U, (int32_t)3014001, (int32_t)1616392, (int32_t)162844, + (int32_t)-3183426); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)10U, (int32_t)-1207385, (int32_t)185531, (int32_t)3369112, + (int32_t)1957272); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)11U, (int32_t)-164721, (int32_t)2454455, (int32_t)2432395, + (int32_t)-2013608); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)12U, (int32_t)-3776993, (int32_t)594136, (int32_t)-3724270, + (int32_t)-2584293); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)13U, (int32_t)-1846953, (int32_t)-1671176, (int32_t)-2831860, + (int32_t)-542412); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)14U, (int32_t)3406031, (int32_t)2235880, (int32_t)777191, + (int32_t)1500165); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)15U, (int32_t)-1374803, (int32_t)-2546312, (int32_t)1917081, + (int32_t)-1279661); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)16U, (int32_t)-1962642, (int32_t)3306115, (int32_t)1312455, + (int32_t)-451100); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)17U, (int32_t)-1430225, (int32_t)-3318210, (int32_t)1237275, + (int32_t)-1333058); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)18U, (int32_t)-1050970, (int32_t)1903435, (int32_t)1869119, + (int32_t)-2994039); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)19U, (int32_t)-3548272, (int32_t)2635921, (int32_t)1250494, + (int32_t)-3767016); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)20U, (int32_t)1595974, (int32_t)2486353, (int32_t)1247620, + (int32_t)4055324); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)21U, (int32_t)1265009, (int32_t)-2590150, (int32_t)2691481, + (int32_t)2842341); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)22U, (int32_t)203044, (int32_t)1735879, (int32_t)-3342277, + (int32_t)3437287); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)23U, (int32_t)4108315, (int32_t)-2437823, (int32_t)286988, + (int32_t)342297); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)24U, (int32_t)-3595838, (int32_t)-768622, (int32_t)-525098, + (int32_t)-3556995); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)25U, (int32_t)3207046, (int32_t)2031748, (int32_t)-3122442, + (int32_t)-655327); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)26U, (int32_t)-522500, (int32_t)-43260, (int32_t)-1613174, + (int32_t)495491); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)27U, (int32_t)819034, (int32_t)909542, (int32_t)1859098, + (int32_t)900702); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)28U, (int32_t)-3193378, (int32_t)-1197226, (int32_t)-3759364, + (int32_t)-3520352); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)29U, (int32_t)3513181, (int32_t)-1235728, (int32_t)2434439, + (int32_t)266997); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)30U, (int32_t)-3562462, (int32_t)-2446433, (int32_t)2244091, + (int32_t)-3342478); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0_round( + re, (size_t)31U, (int32_t)3817976, (int32_t)2316500, (int32_t)3407706, + (int32_t)2091667); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t zeta0, int32_t zeta1) { + int32_t a_minus_b = simd_unit.coefficients[2U] - simd_unit.coefficients[0U]; + simd_unit.coefficients[0U] = + simd_unit.coefficients[0U] + simd_unit.coefficients[2U]; + simd_unit.coefficients[2U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta0); + int32_t a_minus_b0 = simd_unit.coefficients[3U] - simd_unit.coefficients[1U]; + simd_unit.coefficients[1U] = + simd_unit.coefficients[1U] + simd_unit.coefficients[3U]; + simd_unit.coefficients[3U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta0); + int32_t a_minus_b1 = simd_unit.coefficients[6U] - simd_unit.coefficients[4U]; + simd_unit.coefficients[4U] = + simd_unit.coefficients[4U] + simd_unit.coefficients[6U]; + simd_unit.coefficients[6U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta1); + int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[5U]; + simd_unit.coefficients[5U] = + simd_unit.coefficients[5U] + simd_unit.coefficients[7U]; + simd_unit.coefficients[7U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta1); + return simd_unit; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, + int32_t zeta_00, int32_t zeta_01) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_1( + re[index], zeta_00, zeta_01); + re[index] = uu____0; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)0U, (int32_t)3839961, (int32_t)-3628969); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)1U, (int32_t)-3881060, (int32_t)-3019102); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)2U, (int32_t)-1439742, (int32_t)-812732); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)3U, (int32_t)-1584928, (int32_t)1285669); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)4U, (int32_t)1341330, (int32_t)1315589); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)5U, (int32_t)-177440, (int32_t)-2409325); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)6U, (int32_t)-1851402, (int32_t)3159746); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)7U, (int32_t)-3553272, (int32_t)189548); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)8U, (int32_t)-1316856, (int32_t)759969); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)9U, (int32_t)-210977, (int32_t)2389356); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)10U, (int32_t)-3249728, (int32_t)1653064); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)11U, (int32_t)-8578, (int32_t)-3724342); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)12U, (int32_t)3958618, (int32_t)904516); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)13U, (int32_t)-1100098, (int32_t)44288); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)14U, (int32_t)3097992, (int32_t)508951); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)15U, (int32_t)264944, (int32_t)-3343383); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)16U, (int32_t)-1430430, (int32_t)1852771); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)17U, (int32_t)1349076, (int32_t)-381987); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)18U, (int32_t)-1308169, (int32_t)-22981); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)19U, (int32_t)-1228525, (int32_t)-671102); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)20U, (int32_t)-2477047, (int32_t)-411027); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)21U, (int32_t)-3693493, (int32_t)-2967645); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)22U, (int32_t)2715295, (int32_t)2147896); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)23U, (int32_t)-983419, (int32_t)3412210); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)24U, (int32_t)126922, (int32_t)-3632928); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)25U, (int32_t)-3157330, (int32_t)-3190144); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)26U, (int32_t)-1000202, (int32_t)-4083598); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)27U, (int32_t)1939314, (int32_t)-1257611); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)28U, (int32_t)-1585221, (int32_t)2176455); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)29U, (int32_t)3475950, (int32_t)-1452451); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)30U, (int32_t)-3041255, (int32_t)-3677745); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1_round( + re, (size_t)31U, (int32_t)-1528703, (int32_t)-3930395); +} + +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + int32_t zeta) { + int32_t a_minus_b = simd_unit.coefficients[4U] - simd_unit.coefficients[0U]; + simd_unit.coefficients[0U] = + simd_unit.coefficients[0U] + simd_unit.coefficients[4U]; + simd_unit.coefficients[4U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta); + int32_t a_minus_b0 = simd_unit.coefficients[5U] - simd_unit.coefficients[1U]; + simd_unit.coefficients[1U] = + simd_unit.coefficients[1U] + simd_unit.coefficients[5U]; + simd_unit.coefficients[5U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta); + int32_t a_minus_b1 = simd_unit.coefficients[6U] - simd_unit.coefficients[2U]; + simd_unit.coefficients[2U] = + simd_unit.coefficients[2U] + simd_unit.coefficients[6U]; + simd_unit.coefficients[6U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta); + int32_t a_minus_b2 = simd_unit.coefficients[7U] - simd_unit.coefficients[3U]; + simd_unit.coefficients[3U] = + simd_unit.coefficients[3U] + simd_unit.coefficients[7U]; + simd_unit.coefficients[7U] = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta); + return simd_unit; +} + +static inline void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re, size_t index, + int32_t zeta1) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_invntt_simd_unit_invert_ntt_at_layer_2( + re[index], zeta1); + re[index] = uu____0; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)0U, (int32_t)-2797779); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)1U, (int32_t)2071892); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)2U, (int32_t)-2556880); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)3U, (int32_t)3900724); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)4U, (int32_t)3881043); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)5U, (int32_t)954230); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)6U, (int32_t)531354); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)7U, (int32_t)811944); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)8U, (int32_t)3699596); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)9U, (int32_t)-1600420); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)10U, (int32_t)-2140649); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)11U, (int32_t)3507263); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)12U, (int32_t)-3821735); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)13U, (int32_t)3505694); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)14U, (int32_t)-1643818); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)15U, (int32_t)-1699267); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)16U, (int32_t)-539299); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)17U, (int32_t)2348700); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)18U, (int32_t)-300467); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)19U, (int32_t)3539968); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)20U, (int32_t)-2867647); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)21U, (int32_t)3574422); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)22U, (int32_t)-3043716); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)23U, (int32_t)-3861115); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)24U, (int32_t)3915439); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)25U, (int32_t)-2537516); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)26U, (int32_t)-3592148); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)27U, (int32_t)-1661693); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)28U, (int32_t)3530437); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)29U, (int32_t)3077325); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)30U, (int32_t)95776); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2_round( + re, (size_t)31U, (int32_t)2706023); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 1 +- ZETA= 280005 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)280005); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 2 +- STEP_BY= 1 +- ZETA= 4010497 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)2U; i < (size_t)2U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)4010497); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 1 +- ZETA= -19422 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-19422); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 6 +- STEP_BY= 1 +- ZETA= 1757237 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)6U; i < (size_t)6U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1757237); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 1 +- ZETA= -3277672 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-3277672); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 10 +- STEP_BY= 1 +- ZETA= -1399561 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)10U; i < (size_t)10U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1399561); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 1 +- ZETA= -3859737 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-3859737); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 14 +- STEP_BY= 1 +- ZETA= -2118186 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)14U; i < (size_t)14U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2118186); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 1 +- ZETA= -2108549 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2108549); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 18 +- STEP_BY= 1 +- ZETA= 2619752 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)18U; i < (size_t)18U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2619752); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 1 +- ZETA= -1119584 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1119584); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 22 +- STEP_BY= 1 +- ZETA= -549488 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)22U; i < (size_t)22U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-549488); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 1 +- ZETA= 3585928 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3585928); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 26 +- STEP_BY= 1 +- ZETA= -1079900 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)26U; i < (size_t)26U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-1079900); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 1 +- ZETA= 1024112 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1024112); + re[j + (size_t)1U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 30 +- STEP_BY= 1 +- ZETA= 2725464 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)30U; i < (size_t)30U + (size_t)1U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)1U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)1U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2725464); + re[j + (size_t)1U] = uu____1; + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_99(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1c(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_44(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a8(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_1f(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_95(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_e4(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_05(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d9(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3a(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a0(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 2 +- ZETA= 2680103 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2680103); + re[j + (size_t)2U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 4 +- STEP_BY= 2 +- ZETA= 3111497 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)4U; i < (size_t)4U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3111497); + re[j + (size_t)2U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 2 +- ZETA= -2884855 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2884855); + re[j + (size_t)2U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 12 +- STEP_BY= 2 +- ZETA= 3119733 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)12U; i < (size_t)12U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)3119733); + re[j + (size_t)2U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 2 +- ZETA= -2091905 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2091905); + re[j + (size_t)2U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 20 +- STEP_BY= 2 +- ZETA= -359251 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)20U; i < (size_t)20U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-359251); + re[j + (size_t)2U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 2 +- ZETA= 2353451 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)2353451); + re[j + (size_t)2U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 28 +- STEP_BY= 2 +- ZETA= 1826347 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)28U; i < (size_t)28U + (size_t)2U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)2U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)2U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)1826347); + re[j + (size_t)2U] = uu____1; + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_990(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_6b0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a80(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_950(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_de0(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d90(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_3b1(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 4 +- ZETA= 466468 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)4U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)466468); + re[j + (size_t)4U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 8 +- STEP_BY= 4 +- ZETA= -876248 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)8U; i < (size_t)8U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)4U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-876248); + re[j + (size_t)4U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 4 +- ZETA= -777960 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)4U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-777960); + re[j + (size_t)4U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 24 +- STEP_BY= 4 +- ZETA= 237124 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)24U; i < (size_t)24U + (size_t)4U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)4U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)4U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)237124); + re[j + (size_t)4U] = uu____1; + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_991(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_a81(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a1(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_d91(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 8 +- ZETA= -518909 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)8U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)8U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)8U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-518909); + re[j + (size_t)8U] = uu____1; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 16 +- STEP_BY= 8 +- ZETA= -2608894 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)16U; i < (size_t)16U + (size_t)8U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)8U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)8U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)-2608894); + re[j + (size_t)8U] = uu____1; + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_992(re); + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_7a2(re); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.invntt.outer_3_plus +with const generics +- OFFSET= 0 +- STEP_BY= 16 +- ZETA= 25847 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + for (size_t i = (size_t)0U; i < (size_t)0U + (size_t)16U; i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit a_minus_b = + libcrux_ml_dsa_simd_portable_arithmetic_subtract(&re[j + (size_t)16U], + &re[j]); + re[j] = libcrux_ml_dsa_simd_portable_arithmetic_add(&re[j], + &re[j + (size_t)16U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____1 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + a_minus_b, (int32_t)25847); + re[j + (size_t)16U] = uu____1; + } +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *re) { + libcrux_ml_dsa_simd_portable_invntt_outer_3_plus_993(re); +} + +static inline void libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit re[32U], + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) { + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_0(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_1(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_2(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_3(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_4(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_5(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_6(re); + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_at_layer_7(re); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_arithmetic_montgomery_multiply_by_constant( + re[i0], (int32_t)41978); + re[i0] = uu____0; + } + memcpy(ret, re, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U], + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit + copy_of_simd_units[32U]; + memcpy(copy_of_simd_units, simd_units, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret0[32U]; + libcrux_ml_dsa_simd_portable_invntt_invert_ntt_montgomery(copy_of_simd_units, + ret0); + memcpy(ret, ret0, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); +} + +typedef struct uint8_t_x2_s { + uint8_t fst; + uint8_t snd; +} uint8_t_x2; + +/** +A monomorphic instance of K. +with types uint8_t[4032size_t], uint8_t[1952size_t] + +*/ +typedef struct tuple_a0_s { + uint8_t fst[4032U]; + uint8_t snd[1952U]; +} tuple_a0; + +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.PolynomialRingElement +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit + +*/ +typedef struct libcrux_ml_dsa_polynomial_PolynomialRingElement_9b_s { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_units[32U]; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_9b; + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.ZERO_ff +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_polynomial_ZERO_ff_ba(void) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit; + lit.simd_units[0U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[1U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[2U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[3U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[4U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[5U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[6U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[7U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[8U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[9U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[10U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[11U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[12U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[13U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[14U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[15U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[16U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[17U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[18U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[19U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[20U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[21U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[22U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[23U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[24U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[25U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[26U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[27U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[28U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[29U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[30U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + lit.simd_units[31U] = libcrux_ml_dsa_simd_portable_ZERO_36(); + return lit; +} + +typedef struct + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4_s { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b thd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f3; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4; + +/** +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_field_modulus with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics + +*/ +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + core_slice_iter_Chunks iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + core_slice___Slice_T___chunks(randomness, (size_t)24U, uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, core_slice_iter_Chunks); + while (true) { + Option_1b uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &iter, uint8_t, Option_1b); + if (uu____0.tag == None) { + break; + } else { + Eurydice_slice random_bytes = uu____0.f0; + if (!done) { + Eurydice_slice uu____1 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_36( + uu____1, Eurydice_array_to_subslice_from( + (size_t)263U, out, sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } + } + } + return done; +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.from_i32_array_ff +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_slice array) { + core_slice_iter_Chunks array_chunks = core_slice___Slice_T___chunks( + array, LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, int32_t, + core_slice_iter_Chunks); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result = + libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + for (size_t i = (size_t)0U; + i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_from_coefficient_array_36( + core_option__core__option__Option_T__TraitClause_0___unwrap( + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &array_chunks, int32_t, Option_93), + Eurydice_slice, Eurydice_slice)); + result.simd_units[i0] = uu____0; + } + return result; +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_four_ring_elements +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 +libcrux_ml_dsa_sample_sample_four_ring_elements_ba(uint8_t seed0[34U], + uint16_t domain_separator0, + uint16_t domain_separator1, + uint16_t domain_seperator2, + uint16_t domain_separator3) { + seed0[32U] = (uint8_t)domain_separator0; + seed0[33U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); + uint8_t seed1[34U]; + memcpy(seed1, seed0, (size_t)34U * sizeof(uint8_t)); + seed1[32U] = (uint8_t)domain_separator1; + seed1[33U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); + uint8_t seed2[34U]; + memcpy(seed2, seed0, (size_t)34U * sizeof(uint8_t)); + seed2[32U] = (uint8_t)domain_seperator2; + seed2[33U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U); + uint8_t seed3[34U]; + memcpy(seed3, seed0, (size_t)34U * sizeof(uint8_t)); + seed3[32U] = (uint8_t)domain_separator3; + seed3[33U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); + libcrux_ml_dsa_hash_functions_portable_Shake128X4 state = + libcrux_ml_dsa_hash_functions_portable_init_absorb_ed( + Eurydice_array_to_slice((size_t)34U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)34U, seed3, uint8_t)); + uint8_t randomness0[840U] = {0U}; + uint8_t randomness1[840U] = {0U}; + uint8_t randomness2[840U] = {0U}; + uint8_t randomness3[840U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_squeeze_first_five_blocks_ed( + &state, randomness0, randomness1, randomness2, randomness3); + int32_t coefficients0[263U] = {0U}; + int32_t coefficients1[263U] = {0U}; + int32_t coefficients2[263U] = {0U}; + int32_t coefficients3[263U] = {0U}; + size_t sampled0 = (size_t)0U; + size_t sampled1 = (size_t)0U; + size_t sampled2 = (size_t)0U; + size_t sampled3 = (size_t)0U; + bool done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)840U, randomness0, uint8_t), + &sampled0, coefficients0); + bool done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)840U, randomness1, uint8_t), + &sampled1, coefficients1); + bool done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)840U, randomness2, uint8_t), + &sampled2, coefficients2); + bool done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)840U, randomness3, uint8_t), + &sampled3, coefficients3); + while (true) { + if (done0) { + if (done1) { + if (done2) { + if (done3) { + break; + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, coefficients0); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, coefficients1); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, coefficients2); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, coefficients3); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, coefficients0); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, coefficients1); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, coefficients2); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, coefficients3); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed( + &state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, coefficients0); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, coefficients1); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, coefficients2); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, + uint8_t), + &sampled3, coefficients3); + } + } + } else { + uint8_t_168size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_ed(&state); + if (!done0) { + done0 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.fst, + uint8_t), + &sampled0, coefficients0); + } + if (!done1) { + done1 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.snd, + uint8_t), + &sampled1, coefficients1); + } + if (!done2) { + done2 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.thd, + uint8_t), + &sampled2, coefficients2); + } + if (!done3) { + done3 = + libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( + Eurydice_array_to_slice((size_t)168U, randomnesses.f3, uint8_t), + &sampled3, coefficients3); + } + } + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)263U, coefficients0, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)263U, coefficients1, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)263U, coefficients2, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + lit; + lit.fst = uu____0; + lit.snd = uu____1; + lit.thd = uu____2; + lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)263U, coefficients3, int32_t)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.update_matrix +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static inline void libcrux_ml_dsa_samplex4_update_matrix_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*m)[5U], size_t i, + size_t j, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b v) { + m[i][j] = v; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_4_by_4 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_4_by_4_2f( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)0U, + four_ring_elements.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)1U, + four_ring_elements.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)2U, + four_ring_elements.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)3U, + four_ring_elements.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed0[34U]; + memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed0, + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)0U, + four_ring_elements0.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)1U, + four_ring_elements0.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)2U, + four_ring_elements0.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)3U, + four_ring_elements0.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed1[34U]; + memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed1, + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)0U, + four_ring_elements1.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)1U, + four_ring_elements1.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)2U, + four_ring_elements1.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)3U, + four_ring_elements1.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed2[34U]; + memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed2, + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)0U, + four_ring_elements2.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)1U, + four_ring_elements2.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)2U, + four_ring_elements2.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)3U, + four_ring_elements2.f3); + memcpy(ret, A, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_6_by_5 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_6_by_5_2f( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)0U, + four_ring_elements.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)1U, + four_ring_elements.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)2U, + four_ring_elements.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)3U, + four_ring_elements.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed0[34U]; + memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed0, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)4U, + four_ring_elements0.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)0U, + four_ring_elements0.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)1U, + four_ring_elements0.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)2U, + four_ring_elements0.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed1[34U]; + memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed1, + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)3U, + four_ring_elements1.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)4U, + four_ring_elements1.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)0U, + four_ring_elements1.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)1U, + four_ring_elements1.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed2[34U]; + memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed2, + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)2U, + four_ring_elements2.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)3U, + four_ring_elements2.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)4U, + four_ring_elements2.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)0U, + four_ring_elements2.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed3[34U]; + memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements3 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed3, + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 4U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)1U, + four_ring_elements3.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)2U, + four_ring_elements3.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)3U, + four_ring_elements3.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)4U, + four_ring_elements3.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed4[34U]; + memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements4 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed4, + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)0U, + four_ring_elements4.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)1U, + four_ring_elements4.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)2U, + four_ring_elements4.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)3U, + four_ring_elements4.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed5[34U]; + memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements5 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed5, + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 2U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)4U, + four_ring_elements5.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)0U, + four_ring_elements5.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)1U, + four_ring_elements5.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)2U, + four_ring_elements5.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed6[34U]; + memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements6 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed6, + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 6U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)3U, + four_ring_elements6.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)4U, + four_ring_elements6.snd); + memcpy(ret, A, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A_8_by_7 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_8_by_7_2f( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A[6U][5U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + A[i][0U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][1U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][2U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][3U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + A[i][4U] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)0U, + four_ring_elements.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)1U, + four_ring_elements.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)2U, + four_ring_elements.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)3U, + four_ring_elements.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed0[34U]; + memcpy(copy_of_seed0, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements0 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed0, + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(0U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 0U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)4U, + four_ring_elements0.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)5U, + four_ring_elements0.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)0U, (size_t)6U, + four_ring_elements0.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)0U, + four_ring_elements0.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed1[34U]; + memcpy(copy_of_seed1, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements1 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed1, + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 4U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)1U, + four_ring_elements1.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)2U, + four_ring_elements1.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)3U, + four_ring_elements1.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)4U, + four_ring_elements1.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed2[34U]; + memcpy(copy_of_seed2, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements2 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed2, + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(1U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 1U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)5U, + four_ring_elements2.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)1U, (size_t)6U, + four_ring_elements2.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)0U, + four_ring_elements2.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)1U, + four_ring_elements2.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed3[34U]; + memcpy(copy_of_seed3, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements3 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed3, + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 5U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)2U, + four_ring_elements3.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)3U, + four_ring_elements3.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)4U, + four_ring_elements3.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)5U, + four_ring_elements3.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed4[34U]; + memcpy(copy_of_seed4, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements4 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed4, + libcrux_ml_dsa_samplex4_generate_domain_separator(2U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 2U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)2U, (size_t)6U, + four_ring_elements4.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)0U, + four_ring_elements4.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)1U, + four_ring_elements4.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)2U, + four_ring_elements4.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed5[34U]; + memcpy(copy_of_seed5, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements5 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed5, + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(3U, 6U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)3U, + four_ring_elements5.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)4U, + four_ring_elements5.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)5U, + four_ring_elements5.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)3U, (size_t)6U, + four_ring_elements5.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed6[34U]; + memcpy(copy_of_seed6, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements6 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed6, + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 3U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)0U, + four_ring_elements6.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)1U, + four_ring_elements6.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)2U, + four_ring_elements6.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)3U, + four_ring_elements6.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed7[34U]; + memcpy(copy_of_seed7, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements7 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed7, + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(4U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 0U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)4U, + four_ring_elements7.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)5U, + four_ring_elements7.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)4U, (size_t)6U, + four_ring_elements7.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)0U, + four_ring_elements7.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed8[34U]; + memcpy(copy_of_seed8, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements8 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed8, + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 4U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)1U, + four_ring_elements8.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)2U, + four_ring_elements8.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)3U, + four_ring_elements8.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)4U, + four_ring_elements8.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed9[34U]; + memcpy(copy_of_seed9, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements9 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed9, + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(5U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 1U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)5U, + four_ring_elements9.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)5U, (size_t)6U, + four_ring_elements9.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)0U, + four_ring_elements9.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)1U, + four_ring_elements9.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed10[34U]; + memcpy(copy_of_seed10, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements10 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed10, + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 2U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 5U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)2U, + four_ring_elements10.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)3U, + four_ring_elements10.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)4U, + four_ring_elements10.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)5U, + four_ring_elements10.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed11[34U]; + memcpy(copy_of_seed11, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements11 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed11, + libcrux_ml_dsa_samplex4_generate_domain_separator(6U, 6U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 0U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 1U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 2U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)6U, (size_t)6U, + four_ring_elements11.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)0U, + four_ring_elements11.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)1U, + four_ring_elements11.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)2U, + four_ring_elements11.f3); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed12[34U]; + memcpy(copy_of_seed12, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four_ring_elements12 = libcrux_ml_dsa_sample_sample_four_ring_elements_ba( + copy_of_seed12, + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 3U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 4U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 5U), + libcrux_ml_dsa_samplex4_generate_domain_separator(7U, 6U)); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)3U, + four_ring_elements12.fst); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)4U, + four_ring_elements12.snd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)5U, + four_ring_elements12.thd); + libcrux_ml_dsa_samplex4_update_matrix_2f(A, (size_t)7U, (size_t)6U, + four_ring_elements12.f3); + memcpy(ret, A, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.matrix_A +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_samplex4_matrix_A_2f( + uint8_t seed[34U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U][5U]) { + uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)6U, .snd = (uint8_t)(size_t)5U}; + switch (uu____0.fst) { + case 4U: { + switch (uu____0.snd) { + case 4U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; + libcrux_ml_dsa_samplex4_matrix_A_4_by_4_2f(copy_of_seed, ret0); + memcpy( + ret, ret0, + (size_t)6U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); + return; + } + default: { + } + } + break; + } + case 6U: { + switch (uu____0.snd) { + case 5U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; + libcrux_ml_dsa_samplex4_matrix_A_6_by_5_2f(copy_of_seed, ret0); + memcpy( + ret, ret0, + (size_t)6U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); + return; + } + default: { + } + } + break; + } + case 8U: { + switch (uu____0.snd) { + case 7U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret0[6U][5U]; + libcrux_ml_dsa_samplex4_matrix_A_8_by_7_2f(copy_of_seed, ret0); + memcpy( + ret, ret0, + (size_t)6U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U])); + return; + } + default: { + } + } + break; + } + default: { + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of K. +with types libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t], +libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t] + +*/ +typedef struct tuple_ce_s { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst[5U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U]; +} tuple_ce; + +/** +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_2 with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics + +*/ +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_ba( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + core_slice_iter_Chunks iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + core_slice___Slice_T___chunks(randomness, (size_t)4U, uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, core_slice_iter_Chunks); + while (true) { + Option_1b uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &iter, uint8_t, Option_1b); + if (uu____0.tag == None) { + break; + } else { + Eurydice_slice random_bytes = uu____0.f0; + if (!done) { + Eurydice_slice uu____1 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_36( + uu____1, Eurydice_array_to_subslice_from( + (size_t)263U, out, sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } + } + } + return done; +} + +/** +A monomorphic instance of +libcrux_ml_dsa.sample.rejection_sample_less_than_eta_equals_4 with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics + +*/ +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ba( + Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { + bool done = false; + core_slice_iter_Chunks iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + core_slice___Slice_T___chunks(randomness, (size_t)4U, uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, core_slice_iter_Chunks); + while (true) { + Option_1b uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( + &iter, uint8_t, Option_1b); + if (uu____0.tag == None) { + break; + } else { + Eurydice_slice random_bytes = uu____0.f0; + if (!done) { + Eurydice_slice uu____1 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( + uu____1, Eurydice_array_to_subslice_from( + (size_t)263U, out, sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; + } + } + } + } + return done; +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.rejection_sample_less_than_eta +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ETA= 4 +*/ +static KRML_MUSTINLINE bool +libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_slice randomness, size_t *sampled, int32_t *out) { + return libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ba( + randomness, sampled, out); +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_four_error_ring_elements +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ETA= 4 +*/ +static KRML_MUSTINLINE + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + uint8_t seed_base[66U], uint16_t domain_separator0, + uint16_t domain_separator1, uint16_t domain_seperator2, + uint16_t domain_separator3) { + uint8_t seed0[66U]; + memcpy(seed0, seed_base, (size_t)66U * sizeof(uint8_t)); + seed0[64U] = (uint8_t)domain_separator0; + seed0[65U] = (uint8_t)((uint32_t)domain_separator0 >> 8U); + uint8_t seed1[66U]; + memcpy(seed1, seed0, (size_t)66U * sizeof(uint8_t)); + seed1[64U] = (uint8_t)domain_separator1; + seed1[65U] = (uint8_t)((uint32_t)domain_separator1 >> 8U); + uint8_t seed2[66U]; + memcpy(seed2, seed0, (size_t)66U * sizeof(uint8_t)); + seed2[64U] = (uint8_t)domain_seperator2; + seed2[65U] = (uint8_t)((uint32_t)domain_seperator2 >> 8U); + uint8_t seed3[66U]; + memcpy(seed3, seed0, (size_t)66U * sizeof(uint8_t)); + seed3[64U] = (uint8_t)domain_separator3; + seed3[65U] = (uint8_t)((uint32_t)domain_separator3 >> 8U); + libcrux_ml_dsa_hash_functions_portable_Shake256X4 state = + libcrux_ml_dsa_hash_functions_portable_init_absorb_x4_50( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t)); + uint8_t_136size_t__x4 randomnesses0 = + libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_x4_50(&state); + int32_t out0[263U] = {0U}; + int32_t out1[263U] = {0U}; + int32_t out2[263U] = {0U}; + int32_t out3[263U] = {0U}; + size_t sampled0 = (size_t)0U; + size_t sampled1 = (size_t)0U; + size_t sampled2 = (size_t)0U; + size_t sampled3 = (size_t)0U; + bool done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses0.fst, uint8_t), + &sampled0, out0); + bool done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses0.snd, uint8_t), + &sampled1, out1); + bool done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses0.thd, uint8_t), + &sampled2, out2); + bool done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses0.f3, uint8_t), + &sampled3, out3); + while (true) { + if (done0) { + if (done1) { + if (done2) { + if (done3) { + break; + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, + uint8_t), + &sampled0, out0); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, + uint8_t), + &sampled1, out1); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, + uint8_t), + &sampled2, out2); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, + uint8_t), + &sampled3, out3); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, + uint8_t), + &sampled0, out0); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, + uint8_t), + &sampled1, out1); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, + uint8_t), + &sampled2, out2); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out3); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), + &sampled0, out0); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), + &sampled1, out1); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), + &sampled2, out2); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out3); + } + } + } else { + uint8_t_136size_t__x4 randomnesses = + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_x4_50( + &state); + if (!done0) { + done0 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.fst, uint8_t), + &sampled0, out0); + } + if (!done1) { + done1 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.snd, uint8_t), + &sampled1, out1); + } + if (!done2) { + done2 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.thd, uint8_t), + &sampled2, out2); + } + if (!done3) { + done3 = libcrux_ml_dsa_sample_rejection_sample_less_than_eta_73( + Eurydice_array_to_slice((size_t)136U, randomnesses.f3, uint8_t), + &sampled3, out3); + } + } + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)263U, out0, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)263U, out1, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)263U, out2, int32_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + lit; + lit.fst = uu____0; + lit.snd = uu____1; + lit.thd = uu____2; + lit.f3 = libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)263U, out3, int32_t)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_4_by_4 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ETA= 4 +- S1_DIMENSION= 5 +- S2_DIMENSION= 6 +*/ +static KRML_MUSTINLINE tuple_ce +libcrux_ml_dsa_samplex4_sample_s1_and_s2_4_by_4_fe(uint8_t seed_base[66U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base[66U]; + memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base, 0U, 1U, 2U, 3U); + s1[0U] = four.fst; + s1[1U] = four.snd; + s1[2U] = four.thd; + s1[3U] = four.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base0[66U]; + memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base0, 4U, 5U, 6U, 7U); + s2[0U] = four0.fst; + s2[1U] = four0.snd; + s2[2U] = four0.thd; + s2[3U] = four0.f3; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U]; + memcpy( + copy_of_s2, s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + tuple_ce lit; + memcpy( + lit.fst, copy_of_s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy( + lit.snd, copy_of_s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_5_by_6 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ETA= 4 +- S1_DIMENSION= 5 +- S2_DIMENSION= 6 +*/ +static KRML_MUSTINLINE tuple_ce +libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_fe(uint8_t seed_base[66U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base[66U]; + memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base, 0U, 1U, 2U, 3U); + s1[0U] = four.fst; + s1[1U] = four.snd; + s1[2U] = four.thd; + s1[3U] = four.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base0[66U]; + memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base0, 4U, 5U, 6U, 7U); + s1[4U] = four0.fst; + s2[0U] = four0.snd; + s2[1U] = four0.thd; + s2[2U] = four0.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base1[66U]; + memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base1, 8U, 9U, 10U, 11U); + s2[3U] = four1.fst; + s2[4U] = four1.snd; + s2[5U] = four1.thd; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U]; + memcpy( + copy_of_s2, s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + tuple_ce lit; + memcpy( + lit.fst, copy_of_s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy( + lit.snd, copy_of_s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_7_by_8 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ETA= 4 +- S1_DIMENSION= 5 +- S2_DIMENSION= 6 +*/ +static KRML_MUSTINLINE tuple_ce +libcrux_ml_dsa_samplex4_sample_s1_and_s2_7_by_8_fe(uint8_t seed_base[66U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base[66U]; + memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base, 0U, 1U, 2U, 3U); + s1[0U] = four.fst; + s1[1U] = four.snd; + s1[2U] = four.thd; + s1[3U] = four.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base0[66U]; + memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base0, 4U, 5U, 6U, 7U); + s1[4U] = four0.fst; + s1[5U] = four0.snd; + s1[6U] = four0.thd; + s2[0U] = four0.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base1[66U]; + memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base1, 8U, 9U, 10U, 11U); + s2[1U] = four1.fst; + s2[2U] = four1.snd; + s2[3U] = four1.thd; + s2[4U] = four1.f3; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_base2[66U]; + memcpy(copy_of_seed_base2, seed_base, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 + four2 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( + copy_of_seed_base2, 12U, 13U, 14U, 15U); + s2[5U] = four2.fst; + s2[6U] = four2.snd; + s2[7U] = four2.thd; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U]; + memcpy( + copy_of_s2, s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + tuple_ce lit; + memcpy( + lit.fst, copy_of_s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy( + lit.snd, copy_of_s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ETA= 4 +- S1_DIMENSION= 5 +- S2_DIMENSION= 6 +*/ +static KRML_MUSTINLINE tuple_ce +libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(uint8_t seed[66U]) { + uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)5U, .snd = (uint8_t)(size_t)6U}; + switch (uu____0.fst) { + case 4U: { + switch (uu____0.snd) { + case 4U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[66U]; + memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); + return libcrux_ml_dsa_samplex4_sample_s1_and_s2_4_by_4_fe( + copy_of_seed); + } + default: { + } + } + break; + } + case 5U: { + switch (uu____0.snd) { + case 6U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[66U]; + memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); + return libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_fe( + copy_of_seed); + } + default: { + } + } + break; + } + case 7U: { + switch (uu____0.snd) { + case 8U: { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[66U]; + memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); + return libcrux_ml_dsa_samplex4_sample_s1_and_s2_7_by_8_fe( + copy_of_seed); + } + default: { + } + } + break; + } + default: { + } + } + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Compute InvertNTT(Â ◦ ŝ₁) + s₂ +*/ +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "@Array[" + "TraitClause@0, TraitClause@1], " + "C@1>>[core::marker::Sized<@Array[TraitClause@0, TraitClause@1], C@1>>] " + "enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +typedef struct + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2_s { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b fst[6U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U]; +} libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2; + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.power2round_vector +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +*/ +static KRML_MUSTINLINE + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 + libcrux_ml_dsa_arithmetic_power2round_vector_07( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, " + "TraitClause@1]>[core::marker::Sized[TraitClause@0, TraitClause@1]>] " + "enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.verification_key.generate_serialized with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics +- ROWS_IN_A= 6 +- VERIFICATION_KEY_SIZE= 1952 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_verification_key_generate_serialized_2f( + Eurydice_slice seed_for_A, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U], + uint8_t ret[1952U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, " + "TraitClause@1]>[core::marker::Sized[TraitClause@0, TraitClause@1]>] " + "enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 +with const generics +- OUTPUT_LENGTH= 64 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_24( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)64U, out, uint8_t), input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c +with const generics +- OUTPUT_LENGTH= 64 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_portable_shake256_24(input, out); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ETA= 4 +- OUTPUT_SIZE= 128 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, uint8_t ret[128U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "T@0>[TraitClause@0] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t0.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, uint8_t ret[416U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"Error looking trait impl: " + "core::slice::iter::{core::iter::traits::iterator::Iterator for " + "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " + "T@0>[TraitClause@0] enumerate\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.signing_key.generate_serialized with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( + Eurydice_slice seed_for_A, Eurydice_slice seed_for_signing, + Eurydice_slice verification_key, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U], + uint8_t ret[4032U]) { + uint8_t signing_key_serialized[4032U] = {0U}; + size_t offset = (size_t)0U; + Eurydice_slice_copy( + Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), + seed_for_A, uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE; + Eurydice_slice_copy( + Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, uint8_t), + seed_for_signing, uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE; + uint8_t verification_key_hash[64U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(verification_key, + verification_key_hash); + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, + uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t), + uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, s1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t _cloop_i = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &s1[_cloop_i]; + Eurydice_slice uu____1 = Eurydice_array_to_subslice2( + signing_key_serialized, offset, offset + (size_t)128U, uint8_t); + uint8_t ret0[128U]; + libcrux_ml_dsa_encoding_error_serialize_ea(ring_element[0U], ret0); + Eurydice_slice_copy( + uu____1, Eurydice_array_to_slice((size_t)128U, ret0, uint8_t), uint8_t); + offset = offset + (size_t)128U; + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, s2, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t _cloop_i = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &s2[_cloop_i]; + Eurydice_slice uu____2 = Eurydice_array_to_subslice2( + signing_key_serialized, offset, offset + (size_t)128U, uint8_t); + uint8_t ret0[128U]; + libcrux_ml_dsa_encoding_error_serialize_ea(ring_element[0U], ret0); + Eurydice_slice_copy( + uu____2, Eurydice_array_to_slice((size_t)128U, ret0, uint8_t), uint8_t); + offset = offset + (size_t)128U; + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, t0, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t _cloop_i = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &t0[_cloop_i]; + Eurydice_slice uu____3 = Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, uint8_t); + uint8_t ret0[416U]; + libcrux_ml_dsa_encoding_t0_serialize_ba(ring_element[0U], ret0); + Eurydice_slice_copy( + uu____3, Eurydice_array_to_slice((size_t)416U, ret0, uint8_t), uint8_t); + offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; + } + memcpy(ret, signing_key_serialized, (size_t)4032U * sizeof(uint8_t)); +} + +/** + Generate a key pair. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.generate_key_pair +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +- VERIFICATION_KEY_SIZE= 1952 +*/ +static KRML_MUSTINLINE tuple_a0 +libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_5a(uint8_t randomness[32U]) { + uint8_t seed_expanded0[128U] = {0U}; + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); + uint8_t buf[2U] = {(uint8_t)(size_t)6U, (uint8_t)(size_t)5U}; + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake, Eurydice_array_to_slice((size_t)2U, buf, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t)); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)128U, seed_expanded0, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_a = uu____0.fst; + Eurydice_slice seed_expanded = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + seed_expanded, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_ERROR_VECTORS_SIZE, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_error_vectors = uu____1.fst; + Eurydice_slice seed_for_signing = uu____1.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b a_as_ntt[6U][5U]; + uint8_t ret[34U]; + libcrux_ml_dsa_utils_into_padded_array_b6(seed_for_a, ret); + libcrux_ml_dsa_samplex4_matrix_A_2f(ret, a_as_ntt); + uint8_t ret0[66U]; + libcrux_ml_dsa_utils_into_padded_array_20(seed_for_error_vectors, ret0); + tuple_ce uu____2 = libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(ret0); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U]; + memcpy( + s1, uu____2.fst, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U]; + memcpy( + s2, uu____2.snd, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]; + libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f(a_as_ntt, s1, s2, t); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t[6U]; + memcpy( + copy_of_t, t, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 + uu____4 = libcrux_ml_dsa_arithmetic_power2round_vector_07(copy_of_t); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U]; + memcpy( + t0, uu____4.fst, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; + memcpy( + t1, uu____4.snd, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + Eurydice_slice uu____5 = seed_for_a; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; + memcpy( + copy_of_t1, t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + uint8_t verification_key_serialized[1952U]; + libcrux_ml_dsa_encoding_verification_key_generate_serialized_2f( + uu____5, copy_of_t1, verification_key_serialized); + Eurydice_slice uu____7 = seed_for_a; + Eurydice_slice uu____8 = seed_for_signing; + Eurydice_slice uu____9 = Eurydice_array_to_slice( + (size_t)1952U, verification_key_serialized, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U]; + memcpy( + copy_of_s2, s2, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0[6U]; + memcpy( + copy_of_t0, t0, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + uint8_t signing_key_serialized[4032U]; + libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( + uu____7, uu____8, uu____9, copy_of_s1, copy_of_s2, copy_of_t0, + signing_key_serialized); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signing_key_serialized[4032U]; + memcpy(copy_of_signing_key_serialized, signing_key_serialized, + (size_t)4032U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_verification_key_serialized[1952U]; + memcpy(copy_of_verification_key_serialized, verification_key_serialized, + (size_t)1952U * sizeof(uint8_t)); + tuple_a0 lit; + memcpy(lit.fst, copy_of_signing_key_serialized, + (size_t)4032U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_verification_key_serialized, + (size_t)1952U * sizeof(uint8_t)); + return lit; +} + +/** + Generate key pair. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.generate_key_pair with +const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +- VERIFICATION_KEY_SIZE= 1952 +*/ +static inline tuple_a0 +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_52( + uint8_t randomness[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_generate_key_pair_5a(copy_of_randomness); +} + +/** + Generate an ML-DSA-65 Key Pair +*/ +static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair +libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + tuple_a0 uu____1 = + libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_generate_key_pair_52( + copy_of_randomness); + uint8_t signing_key[4032U]; + memcpy(signing_key, uu____1.fst, (size_t)4032U * sizeof(uint8_t)); + uint8_t verification_key[1952U]; + memcpy(verification_key, uu____1.snd, (size_t)1952U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signing_key[4032U]; + memcpy(copy_of_signing_key, signing_key, (size_t)4032U * sizeof(uint8_t)); + libcrux_ml_dsa_types_MLDSASigningKey_22 uu____3 = + libcrux_ml_dsa_types_new_9b_09(copy_of_signing_key); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_verification_key[1952U]; + memcpy(copy_of_verification_key, verification_key, + (size_t)1952U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair lit; + lit.signing_key = uu____3; + lit.verification_key = + libcrux_ml_dsa_types_new_66_97(copy_of_verification_key); + return lit; +} + +/** +A monomorphic instance of core.option.Option +with types libcrux_ml_dsa_pre_hash_DomainSeparationContext + +*/ +typedef struct Option_84_s { + Option_08_tags tag; + libcrux_ml_dsa_pre_hash_DomainSeparationContext f0; +} Option_84; + +/** + The internal signing API. + + If no `domain_separation_context` is supplied, it is assumed that + `message` already contains the domain separation. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( + uint8_t *signing_key, Eurydice_slice message, + Option_84 domain_separation_context, uint8_t randomness[32U]) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes " + "core::result::{core::ops::try_trait::Try for core::result::Result[TraitClause@0, TraitClause@1]}#26[TraitClause@0, " + "TraitClause@1]::Residual\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_05( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( + context, (CLITERAL(Option_3f){.tag = None})); + Result_2e uu____1; + if (uu____0.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + uu____0.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = + domain_separation_context; + uint8_t *uu____2 = signing_key; + Eurydice_slice uu____3 = message; + Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context0}; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( + uu____2, uu____3, uu____4, copy_of_randomness); + } else { + uu____1 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); + } + return uu____1; +} + +/** + Sign. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_sign_05(uu____0, uu____1, uu____2, + copy_of_randomness); +} + +/** + Generate an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4, +libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics +- PH_DIGEST_LEN= 256 +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d(uint8_t *signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U]) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"expression_of_operand Constant: " + "TraitClause@13OID\")\n"); + KRML_HOST_EXIT(255U); +} + +/** + Sign (pre-hashed). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** + Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_2e +libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** + The internal verification API. + + If no `domain_separation_context` is supplied, it is assumed that + `message` already contains the domain separation. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( + uint8_t *verification_key_serialized, Eurydice_slice message, + Option_84 domain_separation_context, uint8_t *signature_serialized) { + KRML_HOST_EPRINTF( + "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"TODO: TraitTypes " + "core::result::{core::ops::try_trait::Try for core::result::Result[TraitClause@0, TraitClause@1]}#26[TraitClause@0, " + "TraitClause@1]::Residual\")\n"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_99( + uint8_t *verification_key_serialized, Eurydice_slice message, + Eurydice_slice context, uint8_t *signature_serialized) { + Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( + context, (CLITERAL(Option_3f){.tag = None})); + Result_41 uu____1; + if (uu____0.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + uu____0.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = + domain_separation_context; + uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( + verification_key_serialized, message, + (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context0}), + signature_serialized); + } else { + uu____1 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError}); + } + return uu____1; +} + +/** + Verify. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_verify_99(verification_key, message, + context, signature); +} + +/** + Verify an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_41 libcrux_ml_dsa_ml_dsa_65_portable_verify( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, + Eurydice_slice message, Eurydice_slice context, + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_01( + libcrux_ml_dsa_types_as_raw_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_raw_8f_fa(signature)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_pre_hashed +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics +- PH_DIGEST_LEN= 256 +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_ae( + uint8_t *verification_key_serialized, Eurydice_slice message, + Eurydice_slice context, uint8_t *signature_serialized) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "Eurydice error: Failure(\"expression_of_operand Constant: " + "TraitClause@11OID\")\n"); + KRML_HOST_EXIT(255U); +} + +/** + Verify (pre-hashed with SHAKE-128). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.verify_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +static inline Result_41 +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( + uint8_t *verification_key, Eurydice_slice message, Eurydice_slice context, + uint8_t *signature) { + return libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_ae( + verification_key, message, context, signature); +} + +/** + Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_41 +libcrux_ml_dsa_ml_dsa_65_portable_verify_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSAVerificationKey_ea *verification_key, + Eurydice_slice message, Eurydice_slice context, + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature *signature) { + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_verify_pre_hashed_shake128_01( + libcrux_ml_dsa_types_as_raw_66_97(verification_key), message, context, + libcrux_ml_dsa_types_as_raw_8f_fa(signature)); +} + +/** + Returns the pre-hash OID, if any. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Option_3f libcrux_ml_dsa_pre_hash_pre_hash_oid_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return self->pre_hash_oid; +} + +/** + Returns the context, guaranteed to be at most 255 bytes long. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return self->context; +} + +#define LIBCRUX_ML_DSA_PRE_HASH_PRE_HASH_OID_LEN ((size_t)11U) + +typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashOID[11U]; + +/** +This function found in impl +{(core::convert::From for +libcrux_ml_dsa::types::SigningError)#2} +*/ +static inline libcrux_ml_dsa_types_SigningError libcrux_ml_dsa_pre_hash_from_4b( + libcrux_ml_dsa_pre_hash_DomainSeparationError e) { + return libcrux_ml_dsa_types_ContextTooLongError; +} + +/** +This function found in impl +{(core::convert::From for +libcrux_ml_dsa::types::VerificationError)#3} +*/ +static inline libcrux_ml_dsa_types_VerificationError +libcrux_ml_dsa_pre_hash_from_b6( + libcrux_ml_dsa_pre_hash_DomainSeparationError e) { + return libcrux_ml_dsa_types_VerificationContextTooLongError; +} + +static const uint8_t + libcrux_ml_dsa_pre_hash___libcrux_ml_dsa__pre_hash__PreHash_256__usize__for_libcrux_ml_dsa__pre_hash__SHAKE128_PH___OID + [11U] = {6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U}; + +static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle( + Eurydice_slice randomness, size_t *out_index, uint64_t *signs, + int32_t *result) { + bool done = false; + core_slice_iter_Iter iter = + core_slice_iter___core__iter__traits__collect__IntoIterator_for___a___Slice_T____1__into_iter( + randomness, uint8_t, core_slice_iter_Iter); + while (true) { + Option_3f uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Iter__a__T__TraitClause_0___182__next( + &iter, uint8_t, Option_3f); + if (uu____0.tag == None) { + break; + } else { + uint8_t *byte = uu____0.f0; + if (!done) { + size_t sample_at = (size_t)byte[0U]; + if (sample_at <= out_index[0U]) { + result[out_index[0U]] = result[sample_at]; + out_index[0U] = out_index[0U] + (size_t)1U; + result[sample_at] = + (int32_t)1 - (int32_t)2 * (int32_t)(signs[0U] & 1ULL); + signs[0U] = signs[0U] >> 1U; + size_t uu____1 = out_index[0U]; + done = uu____1 == + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)256U, result, int32_t), + int32_t); + } else { + size_t uu____2 = out_index[0U]; + done = uu____2 == + Eurydice_slice_len( + Eurydice_array_to_slice((size_t)256U, result, int32_t), + int32_t); + } + } + } + } + return done; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_update_seed( + uint8_t seed[66U], uint16_t *domain_separator, uint8_t ret[66U]) { + seed[64U] = (uint8_t)domain_separator[0U]; + seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + memcpy(ret, seed, (size_t)66U * sizeof(uint8_t)); +} + +typedef struct int32_t_x2_s { + int32_t fst; + int32_t snd; +} int32_t_x2; + +static KRML_MUSTINLINE int32_t_x2 +libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(int32_t t) { + int32_t t2 = t + (t >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + int32_t t1 = + (t2 - (int32_t)1 + + ((int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U))) >> + (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T; + int32_t t0 = + t2 - (t1 << (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T); + return (CLITERAL(int32_t_x2){.fst = t0, .snd = t1}); +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK \ + ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + << 1U) - \ + (int32_t)1) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK \ + ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + << 1U) - \ + (int32_t)1) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +/** +This function found in impl {(core::clone::Clone for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_vector_type_clone_ae( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *self) { + return self[0U]; +} + +/** +This function found in impl {(core::fmt::Debug for +libcrux_ml_dsa::types::SigningError)#7} +*/ +static inline Result_a9 libcrux_ml_dsa_types_fmt_16( + libcrux_ml_dsa_types_SigningError *self, core_fmt_Formatter *f) { + core_fmt_Formatter *uu____0 = f; + Prims_string uu____1; + switch (self[0U]) { + case libcrux_ml_dsa_types_RejectionSamplingError: { + uu____1 = "RejectionSamplingError"; + break; + } + case libcrux_ml_dsa_types_ContextTooLongError: { + uu____1 = "ContextTooLongError"; + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, + __LINE__); + KRML_HOST_EXIT(253U); + } + } + return core_fmt__core__fmt__Formatter__a__9__write_str(uu____0, uu____1); +} + +/** +This function found in impl {(core::fmt::Debug for +libcrux_ml_dsa::types::VerificationError)#6} +*/ +static inline Result_a9 libcrux_ml_dsa_types_fmt_7e( + libcrux_ml_dsa_types_VerificationError *self, core_fmt_Formatter *f) { + core_fmt_Formatter *uu____0 = f; + Prims_string uu____1; + switch (self[0U]) { + case libcrux_ml_dsa_types_MalformedHintError: { + uu____1 = "MalformedHintError"; + break; + } + case libcrux_ml_dsa_types_SignerResponseExceedsBoundError: { + uu____1 = "SignerResponseExceedsBoundError"; + break; + } + case libcrux_ml_dsa_types_CommitmentHashesDontMatchError: { + uu____1 = "CommitmentHashesDontMatchError"; + break; + } + case libcrux_ml_dsa_types_VerificationContextTooLongError: { + uu____1 = "VerificationContextTooLongError"; + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, + __LINE__); + KRML_HOST_EXIT(253U); + } + } + return core_fmt__core__fmt__Formatter__a__9__write_str(uu____0, uu____1); +} + +typedef int32_t libcrux_ml_dsa_simd_traits_FieldElementTimesMontgomeryR; + +typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_FieldElement; + +typedef Result_a8 libcrux_ml_dsa_pre_hash_PreHashResult; + +typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128_s { +} libcrux_ml_dsa_hash_functions_portable_Shake128; + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_mldsa65_portable_H_DEFINED +#endif diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h new file mode 100644 index 000000000..3c2909209 --- /dev/null +++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h @@ -0,0 +1,2571 @@ +/* + * SPDX-FileCopyrightText: 2024 Cryspen Sarl + * + * SPDX-License-Identifier: MIT or Apache-2.0 + * + * This code was generated with the following revisions: + * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 + * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 + * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 + * F*: b0961063393215ca65927f017720cb365a193833-dirty + * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + */ + +#ifndef __libcrux_sha3_avx2_H +#define __libcrux_sha3_avx2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "eurydice_glue.h" +#include "intrinsics/libcrux_intrinsics_avx2.h" +#include "libcrux_core.h" +#include "libcrux_sha3_portable.h" + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_zero_ef(void) { + return libcrux_intrinsics_avx2_mm256_set1_epi64x((int64_t)0); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veor5q_u64( + __m256i a, __m256i b, __m256i c, __m256i d, __m256i e) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + __m256i cd = libcrux_intrinsics_avx2_mm256_xor_si256(c, d); + __m256i abcd = libcrux_intrinsics_avx2_mm256_xor_si256(ab, cd); + return libcrux_intrinsics_avx2_mm256_xor_si256(abcd, e); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_xor5_ef( + __m256i a, __m256i b, __m256i c, __m256i d, __m256i e) { + return libcrux_sha3_simd_avx2__veor5q_u64(a, b, c, d, e); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 1 +- RIGHT= 63 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)1, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)63, x, __m256i)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a, + __m256i b) { + __m256i uu____0 = a; + return libcrux_intrinsics_avx2_mm256_xor_si256( + uu____0, libcrux_sha3_simd_avx2_rotate_left_76(b)); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vrax1q_u64(a, b); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a, + __m256i b, + __m256i c) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + a, libcrux_intrinsics_avx2_mm256_andnot_si256(c, b)); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_and_not_xor_ef(__m256i a, __m256i b, __m256i c) { + return libcrux_sha3_simd_avx2__vbcaxq_u64(a, b, c); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a, + uint64_t c) { + __m256i c0 = libcrux_intrinsics_avx2_mm256_set1_epi64x((int64_t)c); + return libcrux_intrinsics_avx2_mm256_xor_si256(a, c0); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_constant_ef(__m256i a, uint64_t c) { + return libcrux_sha3_simd_avx2__veorq_n_u64(a, c); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_xor_ef(__m256i a, + __m256i b) { + return libcrux_intrinsics_avx2_mm256_xor_si256(a, b); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_4( + Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) { + ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t); + ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t); + ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t); + ret[3U] = Eurydice_slice_subslice2(a[3U], start, start + len, uint8_t); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_n_ef( + Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) { + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_a[4U]; + memcpy(copy_of_a, a, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice ret0[4U]; + libcrux_sha3_simd_avx2_slice_4(copy_of_a, start, len, ret0); + memcpy(ret, ret0, (size_t)4U * sizeof(Eurydice_slice)); +} + +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2 +libcrux_sha3_simd_avx2_split_at_mut_4(Eurydice_slice out[4U], size_t mid) { + Eurydice_slice out0 = out[0U]; + Eurydice_slice out1 = out[1U]; + Eurydice_slice out2 = out[2U]; + Eurydice_slice out3 = out[3U]; + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut( + out0, mid, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out00 = uu____0.fst; + Eurydice_slice out01 = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at_mut( + out1, mid, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out10 = uu____1.fst; + Eurydice_slice out11 = uu____1.snd; + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at_mut( + out2, mid, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out20 = uu____2.fst; + Eurydice_slice out21 = uu____2.snd; + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at_mut( + out3, mid, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out30 = uu____3.fst; + Eurydice_slice out31 = uu____3.snd; + Eurydice_slice_uint8_t_4size_t__x2 lit; + lit.fst[0U] = out00; + lit.fst[1U] = out10; + lit.fst[2U] = out20; + lit.fst[3U] = out30; + lit.snd[0U] = out01; + lit.snd[1U] = out11; + lit.snd[2U] = out21; + lit.snd[3U] = out31; + return lit; +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2 +libcrux_sha3_simd_avx2_split_at_mut_n_ef(Eurydice_slice a[4U], size_t mid) { + return libcrux_sha3_simd_avx2_split_at_mut_4(a, mid); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.KeccakState +with types core_core_arch_x86___m256i +with const generics +- $4size_t +*/ +typedef struct libcrux_sha3_generic_keccak_KeccakState_55_s { + __m256i st[5U][5U]; +} libcrux_sha3_generic_keccak_KeccakState_55; + +typedef libcrux_sha3_generic_keccak_KeccakState_55 + libcrux_sha3_avx2_x4_incremental_KeccakState; + +/** + Create a new Shake128 x4 state. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakState[TraitClause@0, TraitClause@1]#1} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.new_89 +with types core_core_arch_x86___m256i +with const generics +- N= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 +libcrux_sha3_generic_keccak_new_89_a6(void) { + libcrux_sha3_generic_keccak_KeccakState_55 lit; + lit.st[0U][0U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[0U][1U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[0U][2U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[0U][3U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[0U][4U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[1U][0U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[1U][1U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[1U][2U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[1U][3U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[1U][4U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[2U][0U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[2U][1U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[2U][2U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[2U][3U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[2U][4U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[3U][0U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[3U][1U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[3U][2U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[3U][3U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[3U][4U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[4U][0U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[4U][1U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[4U][2U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[4U][3U] = libcrux_sha3_simd_avx2_zero_ef(); + lit.st[4U][4U] = libcrux_sha3_simd_avx2_zero_ef(); + return lit; +} + +/** + Initialise the [`KeccakState`]. +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 +libcrux_sha3_avx2_x4_incremental_init(void) { + return libcrux_sha3_generic_keccak_new_89_a6(); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.load_block +with const generics +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_3a( + __m256i (*s)[5U], Eurydice_slice blocks[4U]) { + for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { + size_t i0 = i; + __m256i v00 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[0U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); + __m256i v10 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[1U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); + __m256i v20 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[2U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); + __m256i v30 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[3U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); + __m256i v0l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v00, v10); + __m256i v1h = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v00, v10); + __m256i v2l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v20, v30); + __m256i v3h = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v20, v30); + __m256i v0 = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, v0l, v2l, __m256i); + __m256i v1 = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, v1h, v3h, __m256i); + __m256i v2 = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, v0l, v2l, __m256i); + __m256i v3 = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, v1h, v3h, __m256i); + s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U] = + libcrux_intrinsics_avx2_mm256_xor_si256( + s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U], v0); + s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)1U) % (size_t)5U] = + libcrux_intrinsics_avx2_mm256_xor_si256( + s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)1U) % (size_t)5U], + v1); + s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)2U) % (size_t)5U] = + libcrux_intrinsics_avx2_mm256_xor_si256( + s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)2U) % (size_t)5U], + v2); + s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)3U) % (size_t)5U] = + libcrux_intrinsics_avx2_mm256_xor_si256( + s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)3U) % (size_t)5U], + v3); + } + size_t rem = (size_t)168U % (size_t)32U; + size_t start = (size_t)32U * ((size_t)168U / (size_t)32U); + uint8_t u8s[32U] = {0U}; + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____1, + Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy( + uu____2, + Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy( + uu____3, + Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t), + uint8_t); + __m256i u = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + core_array___Array_T__N__23__as_slice((size_t)32U, u8s, uint8_t, + Eurydice_slice)); + size_t i0 = (size_t)4U * ((size_t)168U / (size_t)32U) / (size_t)5U; + size_t j0 = (size_t)4U * ((size_t)168U / (size_t)32U) % (size_t)5U; + s[i0][j0] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i0][j0], u); + if (rem == (size_t)16U) { + uint8_t u8s0[32U] = {0U}; + Eurydice_slice uu____4 = + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy(uu____4, + Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy(uu____5, + Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy(uu____6, + Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy(uu____7, + Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + __m256i u0 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + core_array___Array_T__N__23__as_slice((size_t)32U, u8s0, uint8_t, + Eurydice_slice)); + size_t i = + ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) / (size_t)5U; + size_t j = + ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) % (size_t)5U; + s[i][j] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i][j], u0); + } +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.load_block_full +with const generics +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_3a( + __m256i (*s)[5U], uint8_t blocks[4U][200U]) { + Eurydice_slice buf[4U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[1U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[2U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t)}; + libcrux_sha3_simd_avx2_load_block_3a(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.load_block_full_ef +with const generics +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_ef_3a( + __m256i (*a)[5U], uint8_t b[4U][200U]) { + __m256i(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[4U][200U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(uint8_t[200U])); + libcrux_sha3_simd_avx2_load_block_full_3a(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 36 +- RIGHT= 28 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)28, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 36 +- RIGHT= 28 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_02(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 36 +- RIGHT= 28 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_02(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_02(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 3 +- RIGHT= 61 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)3, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)61, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 3 +- RIGHT= 61 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_ac(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 3 +- RIGHT= 61 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_ac(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_ac(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 41 +- RIGHT= 23 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)41, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)23, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 41 +- RIGHT= 23 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a, __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_020(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 41 +- RIGHT= 23 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_020(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_020(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 18 +- RIGHT= 46 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)18, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)46, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 18 +- RIGHT= 46 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_a9(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 18 +- RIGHT= 46 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_a9(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_a9(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 1 +- RIGHT= 63 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_76(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 1 +- RIGHT= 63 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_76(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_76(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 44 +- RIGHT= 20 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)44, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)20, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 44 +- RIGHT= 20 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_58(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 44 +- RIGHT= 20 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_58(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_58(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 10 +- RIGHT= 54 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)10, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)54, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 10 +- RIGHT= 54 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_e0(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 10 +- RIGHT= 54 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_e0(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_e0(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 45 +- RIGHT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)45, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)19, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 45 +- RIGHT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_63(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 45 +- RIGHT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_63(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_63(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 2 +- RIGHT= 62 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)2, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)62, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 2 +- RIGHT= 62 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_6a(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 2 +- RIGHT= 62 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_6a(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_6a(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 62 +- RIGHT= 2 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)62, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)2, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 62 +- RIGHT= 2 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_ab(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 62 +- RIGHT= 2 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_ab(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_ab(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 6 +- RIGHT= 58 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)6, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)58, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 6 +- RIGHT= 58 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_5b(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 6 +- RIGHT= 58 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_5b(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_5b(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 43 +- RIGHT= 21 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)43, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)21, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 43 +- RIGHT= 21 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_6f(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 43 +- RIGHT= 21 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_6f(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_6f(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 15 +- RIGHT= 49 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)15, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)49, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 15 +- RIGHT= 49 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_62(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 15 +- RIGHT= 49 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_62(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_62(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 61 +- RIGHT= 3 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)61, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)3, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 61 +- RIGHT= 3 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_23(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 61 +- RIGHT= 3 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_23(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_23(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 28 +- RIGHT= 36 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)28, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)36, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 28 +- RIGHT= 36 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_37(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 28 +- RIGHT= 36 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_37(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_37(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 55 +- RIGHT= 9 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)55, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)9, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 55 +- RIGHT= 9 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_bb(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 55 +- RIGHT= 9 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_bb(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_bb(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 25 +- RIGHT= 39 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)25, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)39, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 25 +- RIGHT= 39 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_b9(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 25 +- RIGHT= 39 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_b9(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_b9(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 21 +- RIGHT= 43 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)21, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)43, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 21 +- RIGHT= 43 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_54(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 21 +- RIGHT= 43 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_54(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_54(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 56 +- RIGHT= 8 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)56, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)8, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 56 +- RIGHT= 8 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_4c(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 56 +- RIGHT= 8 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_4c(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_4c(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 27 +- RIGHT= 37 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)27, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)37, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 27 +- RIGHT= 37 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_ce(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 27 +- RIGHT= 37 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_ce(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_ce(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 20 +- RIGHT= 44 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)20, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)44, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 20 +- RIGHT= 44 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_77(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 20 +- RIGHT= 44 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_77(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_77(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 39 +- RIGHT= 25 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)39, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)25, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 39 +- RIGHT= 25 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_25(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 39 +- RIGHT= 25 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_25(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_25(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 8 +- RIGHT= 56 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)8, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)56, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 8 +- RIGHT= 56 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_af(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 8 +- RIGHT= 56 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_af(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_af(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.rotate_left +with const generics +- LEFT= 14 +- RIGHT= 50 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) { + return libcrux_intrinsics_avx2_mm256_xor_si256( + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)14, x, __m256i), + libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)50, x, __m256i)); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2._vxarq_u64 +with const generics +- LEFT= 14 +- RIGHT= 50 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a, + __m256i b) { + __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_rotate_left_fd(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.xor_and_rotate_ef +with const generics +- LEFT= 14 +- RIGHT= 50 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_xor_and_rotate_ef_fd(__m256i a, __m256i b) { + return libcrux_sha3_simd_avx2__vxarq_u64_fd(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.theta_rho +with types core_core_arch_x86___m256i +with const generics +- N= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_theta_rho_a6( + libcrux_sha3_generic_keccak_KeccakState_55 *s) { + __m256i c[5U] = {libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][0U], s->st[1U][0U], + s->st[2U][0U], s->st[3U][0U], + s->st[4U][0U]), + libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][1U], s->st[1U][1U], + s->st[2U][1U], s->st[3U][1U], + s->st[4U][1U]), + libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][2U], s->st[1U][2U], + s->st[2U][2U], s->st[3U][2U], + s->st[4U][2U]), + libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][3U], s->st[1U][3U], + s->st[2U][3U], s->st[3U][3U], + s->st[4U][3U]), + libcrux_sha3_simd_avx2_xor5_ef(s->st[0U][4U], s->st[1U][4U], + s->st[2U][4U], s->st[3U][4U], + s->st[4U][4U])}; + __m256i uu____0 = libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef( + c[((size_t)0U + (size_t)4U) % (size_t)5U], + c[((size_t)0U + (size_t)1U) % (size_t)5U]); + __m256i uu____1 = libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef( + c[((size_t)1U + (size_t)4U) % (size_t)5U], + c[((size_t)1U + (size_t)1U) % (size_t)5U]); + __m256i uu____2 = libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef( + c[((size_t)2U + (size_t)4U) % (size_t)5U], + c[((size_t)2U + (size_t)1U) % (size_t)5U]); + __m256i uu____3 = libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef( + c[((size_t)3U + (size_t)4U) % (size_t)5U], + c[((size_t)3U + (size_t)1U) % (size_t)5U]); + __m256i t[5U] = {uu____0, uu____1, uu____2, uu____3, + libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef( + c[((size_t)4U + (size_t)4U) % (size_t)5U], + c[((size_t)4U + (size_t)1U) % (size_t)5U])}; + s->st[0U][0U] = libcrux_sha3_simd_avx2_xor_ef(s->st[0U][0U], t[0U]); + s->st[1U][0U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_02(s->st[1U][0U], t[0U]); + s->st[2U][0U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_ac(s->st[2U][0U], t[0U]); + s->st[3U][0U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_020(s->st[3U][0U], t[0U]); + s->st[4U][0U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_a9(s->st[4U][0U], t[0U]); + s->st[0U][1U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_76(s->st[0U][1U], t[1U]); + s->st[1U][1U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_58(s->st[1U][1U], t[1U]); + s->st[2U][1U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_e0(s->st[2U][1U], t[1U]); + s->st[3U][1U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_63(s->st[3U][1U], t[1U]); + s->st[4U][1U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_6a(s->st[4U][1U], t[1U]); + s->st[0U][2U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_ab(s->st[0U][2U], t[2U]); + s->st[1U][2U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_5b(s->st[1U][2U], t[2U]); + s->st[2U][2U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_6f(s->st[2U][2U], t[2U]); + s->st[3U][2U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_62(s->st[3U][2U], t[2U]); + s->st[4U][2U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_23(s->st[4U][2U], t[2U]); + s->st[0U][3U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_37(s->st[0U][3U], t[3U]); + s->st[1U][3U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_bb(s->st[1U][3U], t[3U]); + s->st[2U][3U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_b9(s->st[2U][3U], t[3U]); + s->st[3U][3U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_54(s->st[3U][3U], t[3U]); + s->st[4U][3U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_4c(s->st[4U][3U], t[3U]); + s->st[0U][4U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_ce(s->st[0U][4U], t[4U]); + s->st[1U][4U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_77(s->st[1U][4U], t[4U]); + s->st[2U][4U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_25(s->st[2U][4U], t[4U]); + s->st[3U][4U] = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_af(s->st[3U][4U], t[4U]); + __m256i uu____27 = + libcrux_sha3_simd_avx2_xor_and_rotate_ef_fd(s->st[4U][4U], t[4U]); + s->st[4U][4U] = uu____27; +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.pi +with types core_core_arch_x86___m256i +with const generics +- N= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_pi_a6( + libcrux_sha3_generic_keccak_KeccakState_55 *s) { + __m256i old[5U][5U]; + memcpy(old, s->st, (size_t)5U * sizeof(__m256i[5U])); + s->st[0U][1U] = old[1U][1U]; + s->st[0U][2U] = old[2U][2U]; + s->st[0U][3U] = old[3U][3U]; + s->st[0U][4U] = old[4U][4U]; + s->st[1U][0U] = old[0U][3U]; + s->st[1U][1U] = old[1U][4U]; + s->st[1U][2U] = old[2U][0U]; + s->st[1U][3U] = old[3U][1U]; + s->st[1U][4U] = old[4U][2U]; + s->st[2U][0U] = old[0U][1U]; + s->st[2U][1U] = old[1U][2U]; + s->st[2U][2U] = old[2U][3U]; + s->st[2U][3U] = old[3U][4U]; + s->st[2U][4U] = old[4U][0U]; + s->st[3U][0U] = old[0U][4U]; + s->st[3U][1U] = old[1U][0U]; + s->st[3U][2U] = old[2U][1U]; + s->st[3U][3U] = old[3U][2U]; + s->st[3U][4U] = old[4U][3U]; + s->st[4U][0U] = old[0U][2U]; + s->st[4U][1U] = old[1U][3U]; + s->st[4U][2U] = old[2U][4U]; + s->st[4U][3U] = old[3U][0U]; + s->st[4U][4U] = old[4U][1U]; +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.chi +with types core_core_arch_x86___m256i +with const generics +- N= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_chi_a6( + libcrux_sha3_generic_keccak_KeccakState_55 *s) { + __m256i old[5U][5U]; + memcpy(old, s->st, (size_t)5U * sizeof(__m256i[5U])); + for (size_t i0 = (size_t)0U; i0 < (size_t)5U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t j = i; + s->st[i1][j] = libcrux_sha3_simd_avx2_and_not_xor_ef( + s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U], + old[i1][(j + (size_t)1U) % (size_t)5U]); + } + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.iota +with types core_core_arch_x86___m256i +with const generics +- N= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_iota_a6( + libcrux_sha3_generic_keccak_KeccakState_55 *s, size_t i) { + s->st[0U][0U] = libcrux_sha3_simd_avx2_xor_constant_ef( + s->st[0U][0U], libcrux_sha3_generic_keccak_ROUNDCONSTANTS[i]); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccakf1600 +with types core_core_arch_x86___m256i +with const generics +- N= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccakf1600_a6( + libcrux_sha3_generic_keccak_KeccakState_55 *s) { + for (size_t i = (size_t)0U; i < (size_t)24U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_theta_rho_a6(s); + libcrux_sha3_generic_keccak_pi_a6(s); + libcrux_sha3_generic_keccak_chi_a6(s); + libcrux_sha3_generic_keccak_iota_a6(s, i0); + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 168 +- DELIM= 31 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_fb( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice last[4U]) { + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); + uint8_t blocks[4U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + size_t i0 = i; + if (last_len > (size_t)0U) { + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); + } + blocks[i0][last_len] = 31U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)168U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + __m256i(*uu____3)[5U] = s->st; + uint8_t uu____4[4U][200U]; + memcpy(uu____4, blocks, (size_t)4U * sizeof(uint8_t[200U])); + libcrux_sha3_simd_avx2_load_block_full_ef_3a(uu____3, uu____4); + libcrux_sha3_generic_keccak_keccakf1600_a6(s); +} + +/** + Absorb +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0, + Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { + Eurydice_slice buf[4U] = {data0, data1, data2, data3}; + libcrux_sha3_generic_keccak_absorb_final_fb(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.load_block +with const generics +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_5b( + __m256i (*s)[5U], Eurydice_slice blocks[4U]) { + for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { + size_t i0 = i; + __m256i v00 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[0U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); + __m256i v10 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[1U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); + __m256i v20 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[2U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); + __m256i v30 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[3U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); + __m256i v0l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v00, v10); + __m256i v1h = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v00, v10); + __m256i v2l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v20, v30); + __m256i v3h = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v20, v30); + __m256i v0 = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, v0l, v2l, __m256i); + __m256i v1 = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, v1h, v3h, __m256i); + __m256i v2 = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, v0l, v2l, __m256i); + __m256i v3 = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, v1h, v3h, __m256i); + s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U] = + libcrux_intrinsics_avx2_mm256_xor_si256( + s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U], v0); + s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)1U) % (size_t)5U] = + libcrux_intrinsics_avx2_mm256_xor_si256( + s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)1U) % (size_t)5U], + v1); + s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)2U) % (size_t)5U] = + libcrux_intrinsics_avx2_mm256_xor_si256( + s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)2U) % (size_t)5U], + v2); + s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)3U) % (size_t)5U] = + libcrux_intrinsics_avx2_mm256_xor_si256( + s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)3U) % (size_t)5U], + v3); + } + size_t rem = (size_t)136U % (size_t)32U; + size_t start = (size_t)32U * ((size_t)136U / (size_t)32U); + uint8_t u8s[32U] = {0U}; + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____1, + Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy( + uu____2, + Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy( + uu____3, + Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t), + uint8_t); + __m256i u = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + core_array___Array_T__N__23__as_slice((size_t)32U, u8s, uint8_t, + Eurydice_slice)); + size_t i0 = (size_t)4U * ((size_t)136U / (size_t)32U) / (size_t)5U; + size_t j0 = (size_t)4U * ((size_t)136U / (size_t)32U) % (size_t)5U; + s[i0][j0] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i0][j0], u); + if (rem == (size_t)16U) { + uint8_t u8s0[32U] = {0U}; + Eurydice_slice uu____4 = + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy(uu____4, + Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy(uu____5, + Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy(uu____6, + Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy(uu____7, + Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + __m256i u0 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + core_array___Array_T__N__23__as_slice((size_t)32U, u8s0, uint8_t, + Eurydice_slice)); + size_t i = + ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) / (size_t)5U; + size_t j = + ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) % (size_t)5U; + s[i][j] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i][j], u0); + } +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.load_block_full +with const generics +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_5b( + __m256i (*s)[5U], uint8_t blocks[4U][200U]) { + Eurydice_slice buf[4U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[1U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[2U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t)}; + libcrux_sha3_simd_avx2_load_block_5b(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.load_block_full_ef +with const generics +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_ef_5b( + __m256i (*a)[5U], uint8_t b[4U][200U]) { + __m256i(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[4U][200U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(uint8_t[200U])); + libcrux_sha3_simd_avx2_load_block_full_5b(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 136 +- DELIM= 31 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_fb0( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice last[4U]) { + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); + uint8_t blocks[4U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + size_t i0 = i; + if (last_len > (size_t)0U) { + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); + } + blocks[i0][last_len] = 31U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + __m256i(*uu____3)[5U] = s->st; + uint8_t uu____4[4U][200U]; + memcpy(uu____4, blocks, (size_t)4U * sizeof(uint8_t[200U])); + libcrux_sha3_simd_avx2_load_block_full_ef_5b(uu____3, uu____4); + libcrux_sha3_generic_keccak_keccakf1600_a6(s); +} + +/** + Absorb +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0, + Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { + Eurydice_slice buf[4U] = {data0, data1, data2, data3}; + libcrux_sha3_generic_keccak_absorb_final_fb0(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.load_block_ef +with const generics +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_ef_5b( + __m256i (*a)[5U], Eurydice_slice b[4U]) { + __m256i(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[4U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_simd_avx2_load_block_5b(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_97( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice blocks[4U]) { + __m256i(*uu____0)[5U] = s->st; + Eurydice_slice uu____1[4U]; + memcpy(uu____1, blocks, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_simd_avx2_load_block_ef_5b(uu____0, uu____1); + libcrux_sha3_generic_keccak_keccakf1600_a6(s); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.store_block +with const generics +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_5b( + __m256i (*s)[5U], Eurydice_slice out[4U]) { + for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { + size_t i0 = i; + __m256i v0l = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, + s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U], + s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)2U) % (size_t)5U], + __m256i); + __m256i v1h = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, + s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)1U) % (size_t)5U], + s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)3U) % (size_t)5U], + __m256i); + __m256i v2l = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, + s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U], + s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)2U) % (size_t)5U], + __m256i); + __m256i v3h = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, + s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)1U) % (size_t)5U], + s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)3U) % (size_t)5U], + __m256i); + __m256i v0 = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v0l, v1h); + __m256i v1 = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v0l, v1h); + __m256i v2 = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v2l, v3h); + __m256i v3 = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v2l, v3h); + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_slice_subslice2(out[0U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t), + v0); + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_slice_subslice2(out[1U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t), + v1); + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_slice_subslice2(out[2U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t), + v2); + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_slice_subslice2(out[3U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t), + v3); + } + size_t rem = (size_t)136U % (size_t)32U; + size_t start = (size_t)32U * ((size_t)136U / (size_t)32U); + uint8_t u8s[32U] = {0U}; + size_t i0 = (size_t)4U * ((size_t)136U / (size_t)32U) / (size_t)5U; + size_t j0 = (size_t)4U * ((size_t)136U / (size_t)32U) % (size_t)5U; + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t), s[i0][j0]); + Eurydice_slice uu____0 = + Eurydice_slice_subslice2(out[0U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_slice_subslice2(out[1U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____1, + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_slice_subslice2(out[2U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____2, + Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_slice_subslice2(out[3U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____3, + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); + if (rem == (size_t)16U) { + uint8_t u8s0[32U] = {0U}; + size_t i = + ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) / (size_t)5U; + size_t j = + ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) % (size_t)5U; + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t), s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice2( + out[0U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____4, + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = Eurydice_slice_subslice2( + out[1U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____5, + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = Eurydice_slice_subslice2( + out[2U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____6, + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = Eurydice_slice_subslice2( + out[3U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____7, + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.store_block_full +with const generics +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_full_5b( + __m256i (*s)[5U], uint8_t ret[4U][200U]) { + uint8_t out0[200U] = {0U}; + uint8_t out1[200U] = {0U}; + uint8_t out2[200U] = {0U}; + uint8_t out3[200U] = {0U}; + Eurydice_slice buf[4U] = { + Eurydice_array_to_slice((size_t)200U, out0, uint8_t), + Eurydice_array_to_slice((size_t)200U, out1, uint8_t), + Eurydice_array_to_slice((size_t)200U, out2, uint8_t), + Eurydice_array_to_slice((size_t)200U, out3, uint8_t)}; + libcrux_sha3_simd_avx2_store_block_5b(s, buf); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[200U]; + memcpy(copy_of_out0, out0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[200U]; + memcpy(copy_of_out1, out1, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[200U]; + memcpy(copy_of_out2, out2, (size_t)200U * sizeof(uint8_t)); + uint8_t uu____3[200U]; + memcpy(uu____3, out3, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out0, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[1U], copy_of_out1, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[2U], copy_of_out2, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[3U], uu____3, (size_t)200U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.store_block_full_ef +with const generics +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_full_ef_5b( + __m256i (*a)[5U], uint8_t ret[4U][200U]) { + libcrux_sha3_simd_avx2_store_block_full_5b(a, ret); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_and_last_97( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + uint8_t b[4U][200U]; + libcrux_sha3_simd_avx2_store_block_full_ef_5b(s->st, b); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.store_block_ef +with const generics +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_ef_5b( + __m256i (*a)[5U], Eurydice_slice b[4U]) { + libcrux_sha3_simd_avx2_store_block_5b(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_97( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + libcrux_sha3_simd_avx2_store_block_ef_5b(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_97( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + libcrux_sha3_generic_keccak_keccakf1600_a6(s); + libcrux_sha3_simd_avx2_store_block_ef_5b(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 136 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_97( + libcrux_sha3_generic_keccak_KeccakState_55 s, Eurydice_slice out[4U]) { + libcrux_sha3_generic_keccak_keccakf1600_a6(&s); + uint8_t b[4U][200U]; + libcrux_sha3_simd_avx2_store_block_full_ef_5b(s.st, b); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccak +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 136 +- DELIM= 31 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_fb( + Eurydice_slice data[4U], Eurydice_slice out[4U]) { + libcrux_sha3_generic_keccak_KeccakState_55 s = + libcrux_sha3_generic_keccak_new_89_a6(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_KeccakState_55 *uu____0 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[4U]; + memcpy(copy_of_data, data, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice ret[4U]; + libcrux_sha3_simd_avx2_slice_n_ef(copy_of_data, i0 * (size_t)136U, + (size_t)136U, ret); + libcrux_sha3_generic_keccak_absorb_block_97(uu____0, ret); + } + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U; + libcrux_sha3_generic_keccak_KeccakState_55 *uu____2 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[4U]; + memcpy(copy_of_data, data, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice ret[4U]; + libcrux_sha3_simd_avx2_slice_n_ef( + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); + libcrux_sha3_generic_keccak_absorb_final_fb0(uu____2, ret); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = outlen / (size_t)136U; + size_t last = outlen - outlen % (size_t)136U; + if (blocks == (size_t)0U) { + libcrux_sha3_generic_keccak_squeeze_first_and_last_97(&s, out); + } else { + Eurydice_slice_uint8_t_4size_t__x2 uu____4 = + libcrux_sha3_simd_avx2_split_at_mut_n_ef(out, (size_t)136U); + Eurydice_slice o0[4U]; + memcpy(o0, uu____4.fst, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice o1[4U]; + memcpy(o1, uu____4.snd, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_97(&s, o0); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_4size_t__x2 uu____5 = + libcrux_sha3_simd_avx2_split_at_mut_n_ef(o1, (size_t)136U); + Eurydice_slice o[4U]; + memcpy(o, uu____5.fst, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice orest[4U]; + memcpy(orest, uu____5.snd, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_97(&s, o); + memcpy(o1, orest, (size_t)4U * sizeof(Eurydice_slice)); + } + } + if (last < outlen) { + libcrux_sha3_generic_keccak_squeeze_last_97(s, o1); + } + } +} + +/** + Perform 4 SHAKE256 operations in parallel +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_shake256( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, Eurydice_slice out0, Eurydice_slice out1, + Eurydice_slice out2, Eurydice_slice out3) { + Eurydice_slice buf0[4U] = {input0, input1, input2, input3}; + Eurydice_slice buf[4U] = {out0, out1, out2, out3}; + libcrux_sha3_generic_keccak_keccak_fb(buf0, buf); +} + +/** + Squeeze block +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, + Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { + Eurydice_slice buf[4U] = {out0, out1, out2, out3}; + libcrux_sha3_generic_keccak_squeeze_first_block_97(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.simd.avx2.store_block +with const generics +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_3a( + __m256i (*s)[5U], Eurydice_slice out[4U]) { + for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { + size_t i0 = i; + __m256i v0l = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, + s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U], + s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)2U) % (size_t)5U], + __m256i); + __m256i v1h = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)32, + s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)1U) % (size_t)5U], + s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)3U) % (size_t)5U], + __m256i); + __m256i v2l = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, + s[(size_t)4U * i0 / (size_t)5U][(size_t)4U * i0 % (size_t)5U], + s[((size_t)4U * i0 + (size_t)2U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)2U) % (size_t)5U], + __m256i); + __m256i v3h = libcrux_intrinsics_avx2_mm256_permute2x128_si256( + (int32_t)49, + s[((size_t)4U * i0 + (size_t)1U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)1U) % (size_t)5U], + s[((size_t)4U * i0 + (size_t)3U) / (size_t)5U] + [((size_t)4U * i0 + (size_t)3U) % (size_t)5U], + __m256i); + __m256i v0 = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v0l, v1h); + __m256i v1 = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v0l, v1h); + __m256i v2 = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v2l, v3h); + __m256i v3 = libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v2l, v3h); + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_slice_subslice2(out[0U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t), + v0); + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_slice_subslice2(out[1U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t), + v1); + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_slice_subslice2(out[2U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t), + v2); + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_slice_subslice2(out[3U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t), + v3); + } + size_t rem = (size_t)168U % (size_t)32U; + size_t start = (size_t)32U * ((size_t)168U / (size_t)32U); + uint8_t u8s[32U] = {0U}; + size_t i0 = (size_t)4U * ((size_t)168U / (size_t)32U) / (size_t)5U; + size_t j0 = (size_t)4U * ((size_t)168U / (size_t)32U) % (size_t)5U; + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t), s[i0][j0]); + Eurydice_slice uu____0 = + Eurydice_slice_subslice2(out[0U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_slice_subslice2(out[1U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____1, + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_slice_subslice2(out[2U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____2, + Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_slice_subslice2(out[3U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( + uu____3, + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); + if (rem == (size_t)16U) { + uint8_t u8s0[32U] = {0U}; + size_t i = + ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) / (size_t)5U; + size_t j = + ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) % (size_t)5U; + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t), s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice2( + out[0U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____4, + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = Eurydice_slice_subslice2( + out[1U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____5, + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = Eurydice_slice_subslice2( + out[2U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____6, + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = Eurydice_slice_subslice2( + out[3U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( + uu____7, + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: +usize> for core::core_arch::x86::__m256i)} +*/ +/** +A monomorphic instance of libcrux_sha3.simd.avx2.store_block_ef +with const generics +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_ef_3a( + __m256i (*a)[5U], Eurydice_slice b[4U]) { + libcrux_sha3_simd_avx2_store_block_3a(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_970( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + libcrux_sha3_simd_avx2_store_block_ef_3a(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + libcrux_sha3_generic_keccak_keccakf1600_a6(s); + libcrux_sha3_simd_avx2_store_block_ef_3a(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_five_blocks_97( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + Eurydice_slice_uint8_t_4size_t__x2 uu____0 = + libcrux_sha3_simd_avx2_split_at_mut_n_ef(out, (size_t)168U); + Eurydice_slice o0[4U]; + memcpy(o0, uu____0.fst, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice o10[4U]; + memcpy(o10, uu____0.snd, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_970(s, o0); + Eurydice_slice_uint8_t_4size_t__x2 uu____1 = + libcrux_sha3_simd_avx2_split_at_mut_n_ef(o10, (size_t)168U); + Eurydice_slice o1[4U]; + memcpy(o1, uu____1.fst, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice o20[4U]; + memcpy(o20, uu____1.snd, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o1); + Eurydice_slice_uint8_t_4size_t__x2 uu____2 = + libcrux_sha3_simd_avx2_split_at_mut_n_ef(o20, (size_t)168U); + Eurydice_slice o2[4U]; + memcpy(o2, uu____2.fst, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice o30[4U]; + memcpy(o30, uu____2.snd, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o2); + Eurydice_slice_uint8_t_4size_t__x2 uu____3 = + libcrux_sha3_simd_avx2_split_at_mut_n_ef(o30, (size_t)168U); + Eurydice_slice o3[4U]; + memcpy(o3, uu____3.fst, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice o4[4U]; + memcpy(o4, uu____3.snd, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o3); + libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o4); +} + +/** + Squeeze five blocks +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, + Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { + Eurydice_slice buf[4U] = {out0, out1, out2, out3}; + libcrux_sha3_generic_keccak_squeeze_first_five_blocks_97(s, buf); +} + +/** + Squeeze another block +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, + Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { + Eurydice_slice buf[4U] = {out0, out1, out2, out3}; + libcrux_sha3_generic_keccak_squeeze_next_block_970(s, buf); +} + +/** + Squeeze next block +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, + Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { + Eurydice_slice buf[4U] = {out0, out1, out2, out3}; + libcrux_sha3_generic_keccak_squeeze_next_block_97(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_three_blocks +with types core_core_arch_x86___m256i +with const generics +- N= 4 +- RATE= 168 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out[4U]) { + Eurydice_slice_uint8_t_4size_t__x2 uu____0 = + libcrux_sha3_simd_avx2_split_at_mut_n_ef(out, (size_t)168U); + Eurydice_slice o0[4U]; + memcpy(o0, uu____0.fst, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice o10[4U]; + memcpy(o10, uu____0.snd, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_970(s, o0); + Eurydice_slice_uint8_t_4size_t__x2 uu____1 = + libcrux_sha3_simd_avx2_split_at_mut_n_ef(o10, (size_t)168U); + Eurydice_slice o1[4U]; + memcpy(o1, uu____1.fst, (size_t)4U * sizeof(Eurydice_slice)); + Eurydice_slice o2[4U]; + memcpy(o2, uu____1.snd, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o1); + libcrux_sha3_generic_keccak_squeeze_next_block_970(s, o2); +} + +/** + Squeeze three blocks +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( + libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, + Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { + Eurydice_slice buf[4U] = {out0, out1, out2, out3}; + libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97(s, buf); +} + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_sha3_avx2_H_DEFINED +#endif diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h new file mode 100644 index 000000000..ee42379c7 --- /dev/null +++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h @@ -0,0 +1,4931 @@ +/* + * SPDX-FileCopyrightText: 2024 Cryspen Sarl + * + * SPDX-License-Identifier: MIT or Apache-2.0 + * + * This code was generated with the following revisions: + * Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 + * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 + * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 + * F*: b0961063393215ca65927f017720cb365a193833-dirty + * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + */ + +#ifndef __libcrux_sha3_portable_H +#define __libcrux_sha3_portable_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "eurydice_glue.h" +#include "libcrux_core.h" + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_zero_5a(void) { + return 0ULL; +} + +static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak__veor5q_u64( + uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e) { + uint64_t ab = a ^ b; + uint64_t cd = c ^ d; + uint64_t abcd = ab ^ cd; + return abcd ^ e; +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_xor5_5a( + uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e) { + return libcrux_sha3_portable_keccak__veor5q_u64(a, b, c, d, e); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 1 +- RIGHT= 63 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_76(uint64_t x) { + return x << (uint32_t)(int32_t)1 | x >> (uint32_t)(int32_t)63; +} + +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vrax1q_u64(uint64_t a, uint64_t b) { + uint64_t uu____0 = a; + return uu____0 ^ libcrux_sha3_portable_keccak_rotate_left_76(b); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vrax1q_u64(a, b); +} + +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vbcaxq_u64(uint64_t a, uint64_t b, uint64_t c) { + return a ^ (b & ~c); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_and_not_xor_5a( + uint64_t a, uint64_t b, uint64_t c) { + return libcrux_sha3_portable_keccak__vbcaxq_u64(a, b, c); +} + +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__veorq_n_u64(uint64_t a, uint64_t c) { + return a ^ c; +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_constant_5a(uint64_t a, uint64_t c) { + return libcrux_sha3_portable_keccak__veorq_n_u64(a, c); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_5a(uint64_t a, uint64_t b) { + return a ^ b; +} + +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_1( + Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) { + ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_n_5a( + Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) { + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_a[1U]; + memcpy(copy_of_a, a, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret0[1U]; + libcrux_sha3_portable_keccak_slice_1(copy_of_a, start, len, ret0); + memcpy(ret, ret0, (size_t)1U * sizeof(Eurydice_slice)); +} + +static KRML_MUSTINLINE Eurydice_slice_uint8_t_1size_t__x2 +libcrux_sha3_portable_keccak_split_at_mut_1(Eurydice_slice out[1U], + size_t mid) { + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut( + out[0U], mid, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice out00 = uu____0.fst; + Eurydice_slice out01 = uu____0.snd; + Eurydice_slice_uint8_t_1size_t__x2 lit; + lit.fst[0U] = out00; + lit.snd[0U] = out01; + return lit; +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +static KRML_MUSTINLINE Eurydice_slice_uint8_t_1size_t__x2 +libcrux_sha3_portable_keccak_split_at_mut_n_5a(Eurydice_slice a[1U], + size_t mid) { + return libcrux_sha3_portable_keccak_split_at_mut_1(a, mid); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.KeccakState +with types uint64_t +with const generics +- $1size_t +*/ +typedef struct libcrux_sha3_generic_keccak_KeccakState_17_s { + uint64_t st[5U][5U]; +} libcrux_sha3_generic_keccak_KeccakState_17; + +typedef libcrux_sha3_generic_keccak_KeccakState_17 + libcrux_sha3_portable_KeccakState; + +/** + Create a new Shake128 x4 state. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakState[TraitClause@0, TraitClause@1]#1} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.new_89 +with types uint64_t +with const generics +- N= 1 +*/ +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 +libcrux_sha3_generic_keccak_new_89_04(void) { + libcrux_sha3_generic_keccak_KeccakState_17 lit; + lit.st[0U][0U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[0U][1U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[0U][2U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[0U][3U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[0U][4U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[1U][0U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[1U][1U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[1U][2U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[1U][3U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[1U][4U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[2U][0U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[2U][1U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[2U][2U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[2U][3U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[2U][4U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[3U][0U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[3U][1U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[3U][2U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[3U][3U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[3U][4U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[4U][0U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[4U][1U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[4U][2U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[4U][3U] = libcrux_sha3_portable_keccak_zero_5a(); + lit.st[4U][4U] = libcrux_sha3_portable_keccak_zero_5a(); + return lit; +} + +/** + Create a new SHAKE-128 state object. +*/ +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 +libcrux_sha3_portable_incremental_shake128_init(void) { + return libcrux_sha3_generic_keccak_new_89_04(); +} + +static const uint64_t libcrux_sha3_generic_keccak_ROUNDCONSTANTS[24U] = { + 1ULL, + 32898ULL, + 9223372036854808714ULL, + 9223372039002292224ULL, + 32907ULL, + 2147483649ULL, + 9223372039002292353ULL, + 9223372036854808585ULL, + 138ULL, + 136ULL, + 2147516425ULL, + 2147483658ULL, + 2147516555ULL, + 9223372036854775947ULL, + 9223372036854808713ULL, + 9223372036854808579ULL, + 9223372036854808578ULL, + 9223372036854775936ULL, + 32778ULL, + 9223372039002259466ULL, + 9223372039002292353ULL, + 9223372036854808704ULL, + 2147483649ULL, + 9223372039002292232ULL}; + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_3a( + uint64_t (*s)[5U], Eurydice_slice blocks[1U]) { + for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) { + size_t i0 = i; + uint8_t uu____0[8U]; + Result_15 dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); + unwrap_26_68(dst, uu____0); + size_t uu____1 = i0 / (size_t)5U; + size_t uu____2 = i0 % (size_t)5U; + s[uu____1][uu____2] = + s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0); + } +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_3a( + uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; + libcrux_sha3_portable_keccak_load_block_3a(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_3a( + uint64_t (*a)[5U], uint8_t b[1U][200U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_3a(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 36 +- RIGHT= 28 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_02(uint64_t x) { + return x << (uint32_t)(int32_t)36 | x >> (uint32_t)(int32_t)28; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 36 +- RIGHT= 28 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_02(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_02(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 36 +- RIGHT= 28 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_02(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_02(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 3 +- RIGHT= 61 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_ac(uint64_t x) { + return x << (uint32_t)(int32_t)3 | x >> (uint32_t)(int32_t)61; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 3 +- RIGHT= 61 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_ac(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_ac(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 3 +- RIGHT= 61 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_ac(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_ac(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 41 +- RIGHT= 23 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_020(uint64_t x) { + return x << (uint32_t)(int32_t)41 | x >> (uint32_t)(int32_t)23; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 41 +- RIGHT= 23 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_020(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_020(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 41 +- RIGHT= 23 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_020(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_020(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 18 +- RIGHT= 46 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_a9(uint64_t x) { + return x << (uint32_t)(int32_t)18 | x >> (uint32_t)(int32_t)46; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 18 +- RIGHT= 46 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_a9(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_a9(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 18 +- RIGHT= 46 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_a9(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_a9(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 1 +- RIGHT= 63 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_76(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_76(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 1 +- RIGHT= 63 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_76(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_76(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 44 +- RIGHT= 20 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_58(uint64_t x) { + return x << (uint32_t)(int32_t)44 | x >> (uint32_t)(int32_t)20; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 44 +- RIGHT= 20 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_58(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_58(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 44 +- RIGHT= 20 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_58(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_58(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 10 +- RIGHT= 54 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_e0(uint64_t x) { + return x << (uint32_t)(int32_t)10 | x >> (uint32_t)(int32_t)54; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 10 +- RIGHT= 54 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_e0(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_e0(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 10 +- RIGHT= 54 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_e0(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_e0(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 45 +- RIGHT= 19 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_63(uint64_t x) { + return x << (uint32_t)(int32_t)45 | x >> (uint32_t)(int32_t)19; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 45 +- RIGHT= 19 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_63(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_63(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 45 +- RIGHT= 19 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_63(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_63(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 2 +- RIGHT= 62 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_6a(uint64_t x) { + return x << (uint32_t)(int32_t)2 | x >> (uint32_t)(int32_t)62; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 2 +- RIGHT= 62 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_6a(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_6a(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 2 +- RIGHT= 62 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_6a(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_6a(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 62 +- RIGHT= 2 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_ab(uint64_t x) { + return x << (uint32_t)(int32_t)62 | x >> (uint32_t)(int32_t)2; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 62 +- RIGHT= 2 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_ab(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_ab(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 62 +- RIGHT= 2 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_ab(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_ab(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 6 +- RIGHT= 58 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_5b(uint64_t x) { + return x << (uint32_t)(int32_t)6 | x >> (uint32_t)(int32_t)58; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 6 +- RIGHT= 58 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_5b(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_5b(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 6 +- RIGHT= 58 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_5b(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_5b(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 43 +- RIGHT= 21 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_6f(uint64_t x) { + return x << (uint32_t)(int32_t)43 | x >> (uint32_t)(int32_t)21; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 43 +- RIGHT= 21 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_6f(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_6f(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 43 +- RIGHT= 21 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_6f(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_6f(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 15 +- RIGHT= 49 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_62(uint64_t x) { + return x << (uint32_t)(int32_t)15 | x >> (uint32_t)(int32_t)49; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 15 +- RIGHT= 49 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_62(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_62(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 15 +- RIGHT= 49 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_62(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_62(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 61 +- RIGHT= 3 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_23(uint64_t x) { + return x << (uint32_t)(int32_t)61 | x >> (uint32_t)(int32_t)3; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 61 +- RIGHT= 3 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_23(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_23(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 61 +- RIGHT= 3 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_23(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_23(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 28 +- RIGHT= 36 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_37(uint64_t x) { + return x << (uint32_t)(int32_t)28 | x >> (uint32_t)(int32_t)36; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 28 +- RIGHT= 36 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_37(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_37(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 28 +- RIGHT= 36 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_37(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_37(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 55 +- RIGHT= 9 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_bb(uint64_t x) { + return x << (uint32_t)(int32_t)55 | x >> (uint32_t)(int32_t)9; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 55 +- RIGHT= 9 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_bb(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_bb(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 55 +- RIGHT= 9 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_bb(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 25 +- RIGHT= 39 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_b9(uint64_t x) { + return x << (uint32_t)(int32_t)25 | x >> (uint32_t)(int32_t)39; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 25 +- RIGHT= 39 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_b9(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_b9(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 25 +- RIGHT= 39 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_b9(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_b9(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 21 +- RIGHT= 43 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_54(uint64_t x) { + return x << (uint32_t)(int32_t)21 | x >> (uint32_t)(int32_t)43; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 21 +- RIGHT= 43 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_54(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_54(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 21 +- RIGHT= 43 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_54(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_54(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 56 +- RIGHT= 8 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_4c(uint64_t x) { + return x << (uint32_t)(int32_t)56 | x >> (uint32_t)(int32_t)8; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 56 +- RIGHT= 8 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_4c(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_4c(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 56 +- RIGHT= 8 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_4c(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_4c(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 27 +- RIGHT= 37 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_ce(uint64_t x) { + return x << (uint32_t)(int32_t)27 | x >> (uint32_t)(int32_t)37; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 27 +- RIGHT= 37 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_ce(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_ce(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 27 +- RIGHT= 37 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_ce(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_ce(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 20 +- RIGHT= 44 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_77(uint64_t x) { + return x << (uint32_t)(int32_t)20 | x >> (uint32_t)(int32_t)44; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 20 +- RIGHT= 44 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_77(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_77(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 20 +- RIGHT= 44 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_77(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_77(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 39 +- RIGHT= 25 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_25(uint64_t x) { + return x << (uint32_t)(int32_t)39 | x >> (uint32_t)(int32_t)25; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 39 +- RIGHT= 25 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_25(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_25(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 39 +- RIGHT= 25 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_25(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_25(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 8 +- RIGHT= 56 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_af(uint64_t x) { + return x << (uint32_t)(int32_t)8 | x >> (uint32_t)(int32_t)56; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 8 +- RIGHT= 56 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_af(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_af(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 8 +- RIGHT= 56 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_af(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_af(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left +with const generics +- LEFT= 14 +- RIGHT= 50 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_rotate_left_fd(uint64_t x) { + return x << (uint32_t)(int32_t)14 | x >> (uint32_t)(int32_t)50; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64 +with const generics +- LEFT= 14 +- RIGHT= 50 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak__vxarq_u64_fd(uint64_t a, uint64_t b) { + uint64_t ab = a ^ b; + return libcrux_sha3_portable_keccak_rotate_left_fd(ab); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a +with const generics +- LEFT= 14 +- RIGHT= 50 +*/ +static KRML_MUSTINLINE uint64_t +libcrux_sha3_portable_keccak_xor_and_rotate_5a_fd(uint64_t a, uint64_t b) { + return libcrux_sha3_portable_keccak__vxarq_u64_fd(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.theta_rho +with types uint64_t +with const generics +- N= 1 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_theta_rho_04( + libcrux_sha3_generic_keccak_KeccakState_17 *s) { + uint64_t c[5U] = { + libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][0U], s->st[1U][0U], + s->st[2U][0U], s->st[3U][0U], + s->st[4U][0U]), + libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][1U], s->st[1U][1U], + s->st[2U][1U], s->st[3U][1U], + s->st[4U][1U]), + libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][2U], s->st[1U][2U], + s->st[2U][2U], s->st[3U][2U], + s->st[4U][2U]), + libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][3U], s->st[1U][3U], + s->st[2U][3U], s->st[3U][3U], + s->st[4U][3U]), + libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][4U], s->st[1U][4U], + s->st[2U][4U], s->st[3U][4U], + s->st[4U][4U])}; + uint64_t uu____0 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a( + c[((size_t)0U + (size_t)4U) % (size_t)5U], + c[((size_t)0U + (size_t)1U) % (size_t)5U]); + uint64_t uu____1 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a( + c[((size_t)1U + (size_t)4U) % (size_t)5U], + c[((size_t)1U + (size_t)1U) % (size_t)5U]); + uint64_t uu____2 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a( + c[((size_t)2U + (size_t)4U) % (size_t)5U], + c[((size_t)2U + (size_t)1U) % (size_t)5U]); + uint64_t uu____3 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a( + c[((size_t)3U + (size_t)4U) % (size_t)5U], + c[((size_t)3U + (size_t)1U) % (size_t)5U]); + uint64_t t[5U] = {uu____0, uu____1, uu____2, uu____3, + libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a( + c[((size_t)4U + (size_t)4U) % (size_t)5U], + c[((size_t)4U + (size_t)1U) % (size_t)5U])}; + s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_5a(s->st[0U][0U], t[0U]); + s->st[1U][0U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_02(s->st[1U][0U], t[0U]); + s->st[2U][0U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_ac(s->st[2U][0U], t[0U]); + s->st[3U][0U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_020(s->st[3U][0U], t[0U]); + s->st[4U][0U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_a9(s->st[4U][0U], t[0U]); + s->st[0U][1U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_76(s->st[0U][1U], t[1U]); + s->st[1U][1U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_58(s->st[1U][1U], t[1U]); + s->st[2U][1U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_e0(s->st[2U][1U], t[1U]); + s->st[3U][1U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_63(s->st[3U][1U], t[1U]); + s->st[4U][1U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_6a(s->st[4U][1U], t[1U]); + s->st[0U][2U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_ab(s->st[0U][2U], t[2U]); + s->st[1U][2U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_5b(s->st[1U][2U], t[2U]); + s->st[2U][2U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_6f(s->st[2U][2U], t[2U]); + s->st[3U][2U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_62(s->st[3U][2U], t[2U]); + s->st[4U][2U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_23(s->st[4U][2U], t[2U]); + s->st[0U][3U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_37(s->st[0U][3U], t[3U]); + s->st[1U][3U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb(s->st[1U][3U], t[3U]); + s->st[2U][3U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_b9(s->st[2U][3U], t[3U]); + s->st[3U][3U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_54(s->st[3U][3U], t[3U]); + s->st[4U][3U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_4c(s->st[4U][3U], t[3U]); + s->st[0U][4U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_ce(s->st[0U][4U], t[4U]); + s->st[1U][4U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_77(s->st[1U][4U], t[4U]); + s->st[2U][4U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_25(s->st[2U][4U], t[4U]); + s->st[3U][4U] = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_af(s->st[3U][4U], t[4U]); + uint64_t uu____27 = + libcrux_sha3_portable_keccak_xor_and_rotate_5a_fd(s->st[4U][4U], t[4U]); + s->st[4U][4U] = uu____27; +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.pi +with types uint64_t +with const generics +- N= 1 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_pi_04( + libcrux_sha3_generic_keccak_KeccakState_17 *s) { + uint64_t old[5U][5U]; + memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U])); + s->st[0U][1U] = old[1U][1U]; + s->st[0U][2U] = old[2U][2U]; + s->st[0U][3U] = old[3U][3U]; + s->st[0U][4U] = old[4U][4U]; + s->st[1U][0U] = old[0U][3U]; + s->st[1U][1U] = old[1U][4U]; + s->st[1U][2U] = old[2U][0U]; + s->st[1U][3U] = old[3U][1U]; + s->st[1U][4U] = old[4U][2U]; + s->st[2U][0U] = old[0U][1U]; + s->st[2U][1U] = old[1U][2U]; + s->st[2U][2U] = old[2U][3U]; + s->st[2U][3U] = old[3U][4U]; + s->st[2U][4U] = old[4U][0U]; + s->st[3U][0U] = old[0U][4U]; + s->st[3U][1U] = old[1U][0U]; + s->st[3U][2U] = old[2U][1U]; + s->st[3U][3U] = old[3U][2U]; + s->st[3U][4U] = old[4U][3U]; + s->st[4U][0U] = old[0U][2U]; + s->st[4U][1U] = old[1U][3U]; + s->st[4U][2U] = old[2U][4U]; + s->st[4U][3U] = old[3U][0U]; + s->st[4U][4U] = old[4U][1U]; +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.chi +with types uint64_t +with const generics +- N= 1 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_chi_04( + libcrux_sha3_generic_keccak_KeccakState_17 *s) { + uint64_t old[5U][5U]; + memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U])); + for (size_t i0 = (size_t)0U; i0 < (size_t)5U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t j = i; + s->st[i1][j] = libcrux_sha3_portable_keccak_and_not_xor_5a( + s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U], + old[i1][(j + (size_t)1U) % (size_t)5U]); + } + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.iota +with types uint64_t +with const generics +- N= 1 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_iota_04( + libcrux_sha3_generic_keccak_KeccakState_17 *s, size_t i) { + s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_constant_5a( + s->st[0U][0U], libcrux_sha3_generic_keccak_ROUNDCONSTANTS[i]); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccakf1600 +with types uint64_t +with const generics +- N= 1 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccakf1600_04( + libcrux_sha3_generic_keccak_KeccakState_17 *s) { + for (size_t i = (size_t)0U; i < (size_t)24U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_theta_rho_04(s); + libcrux_sha3_generic_keccak_pi_04(s); + libcrux_sha3_generic_keccak_chi_04(s); + libcrux_sha3_generic_keccak_iota_04(s, i0); + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +- DELIM= 31 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) { + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); + uint8_t blocks[1U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + if (last_len > (size_t)0U) { + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); + } + blocks[i0][last_len] = 31U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)168U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5a_3a(uu____3, uu____4); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** + Absorb +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake128_absorb_final( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) { + Eurydice_slice buf[1U] = {data0}; + libcrux_sha3_generic_keccak_absorb_final_9e(s, buf); +} + +/** + Create a new SHAKE-256 state object. +*/ +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 +libcrux_sha3_portable_incremental_shake256_init(void) { + return libcrux_sha3_generic_keccak_new_89_04(); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5b( + uint64_t (*s)[5U], Eurydice_slice blocks[1U]) { + for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) { + size_t i0 = i; + uint8_t uu____0[8U]; + Result_15 dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); + unwrap_26_68(dst, uu____0); + size_t uu____1 = i0 / (size_t)5U; + size_t uu____2 = i0 % (size_t)5U; + s[uu____1][uu____2] = + s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0); + } +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5b( + uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; + libcrux_sha3_portable_keccak_load_block_5b(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_5b( + uint64_t (*a)[5U], uint8_t b[1U][200U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5b(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +- DELIM= 31 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e0( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) { + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); + uint8_t blocks[1U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + if (last_len > (size_t)0U) { + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); + } + blocks[i0][last_len] = 31U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5a_5b(uu____3, uu____4); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** + Absorb some data for SHAKE-256 for the last time +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake256_absorb_final( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) { + Eurydice_slice buf[1U] = {data}; + libcrux_sha3_generic_keccak_absorb_final_9e0(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_3a( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_3a(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c6( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) { + uint64_t(*uu____0)[5U] = s->st; + Eurydice_slice uu____1[1U]; + memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_5a_3a(uu____0, uu____1); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_3a( + uint64_t (*s)[5U], Eurydice_slice out[1U]) { + for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_3a( + uint64_t (*s)[5U], uint8_t ret[1U][200U]) { + uint8_t out[200U] = {0U}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; + libcrux_sha3_portable_keccak_store_block_3a(s, buf); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_3a( + uint64_t (*a)[5U], uint8_t ret[1U][200U]) { + libcrux_sha3_portable_keccak_store_block_full_3a(a, ret); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_and_last_c6( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_3a(s->st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_3a( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + libcrux_sha3_portable_keccak_store_block_3a(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c6( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c6( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(s); + libcrux_sha3_portable_keccak_store_block_5a_3a(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c6( + libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(&s); + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_3a(s.st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccak +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +- DELIM= 31 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_KeccakState_17 s = + libcrux_sha3_generic_keccak_new_89_04(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)168U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)168U, + (size_t)168U, ret); + libcrux_sha3_generic_keccak_absorb_block_c6(uu____0, ret); + } + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)168U; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a( + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); + libcrux_sha3_generic_keccak_absorb_final_9e(uu____2, ret); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = outlen / (size_t)168U; + size_t last = outlen - outlen % (size_t)168U; + if (blocks == (size_t)0U) { + libcrux_sha3_generic_keccak_squeeze_first_and_last_c6(&s, out); + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____4 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U); + Eurydice_slice o0[1U]; + memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o1[1U]; + memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_c6(&s, o0); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____5 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)168U); + Eurydice_slice o[1U]; + memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice orest[1U]; + memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c6(&s, o); + memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < outlen) { + libcrux_sha3_generic_keccak_squeeze_last_c6(s, o1); + } + } +} + +/** +A monomorphic instance of libcrux_sha3.portable.keccakx1 +with const generics +- RATE= 168 +- DELIM= 31 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_c6( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_9e(copy_of_data, out); +} + +/** + A portable SHAKE128 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( + Eurydice_slice digest, Eurydice_slice data) { + Eurydice_slice buf0[1U] = {data}; + Eurydice_slice buf[1U] = {digest}; + libcrux_sha3_portable_keccakx1_c6(buf0, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_5b( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_5b(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c60( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) { + uint64_t(*uu____0)[5U] = s->st; + Eurydice_slice uu____1[1U]; + memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_5a_5b(uu____0, uu____1); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5b( + uint64_t (*s)[5U], Eurydice_slice out[1U]) { + for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5b( + uint64_t (*s)[5U], uint8_t ret[1U][200U]) { + uint8_t out[200U] = {0U}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; + libcrux_sha3_portable_keccak_store_block_5b(s, buf); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_5b( + uint64_t (*a)[5U], uint8_t ret[1U][200U]) { + libcrux_sha3_portable_keccak_store_block_full_5b(a, ret); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_and_last_c60( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_5b(s->st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_5b( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + libcrux_sha3_portable_keccak_store_block_5b(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c60( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_portable_keccak_store_block_5a_5b(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c60( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(s); + libcrux_sha3_portable_keccak_store_block_5a_5b(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c60( + libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(&s); + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_5b(s.st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccak +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +- DELIM= 31 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e0( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_KeccakState_17 s = + libcrux_sha3_generic_keccak_new_89_04(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U, + (size_t)136U, ret); + libcrux_sha3_generic_keccak_absorb_block_c60(uu____0, ret); + } + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a( + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); + libcrux_sha3_generic_keccak_absorb_final_9e0(uu____2, ret); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = outlen / (size_t)136U; + size_t last = outlen - outlen % (size_t)136U; + if (blocks == (size_t)0U) { + libcrux_sha3_generic_keccak_squeeze_first_and_last_c60(&s, out); + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____4 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)136U); + Eurydice_slice o0[1U]; + memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o1[1U]; + memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_c60(&s, o0); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____5 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)136U); + Eurydice_slice o[1U]; + memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice orest[1U]; + memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c60(&s, o); + memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < outlen) { + libcrux_sha3_generic_keccak_squeeze_last_c60(s, o1); + } + } +} + +/** +A monomorphic instance of libcrux_sha3.portable.keccakx1 +with const generics +- RATE= 136 +- DELIM= 31 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_9e0(copy_of_data, out); +} + +/** + A portable SHAKE256 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( + Eurydice_slice digest, Eurydice_slice data) { + Eurydice_slice buf0[1U] = {data}; + Eurydice_slice buf[1U] = {digest}; + libcrux_sha3_portable_keccakx1_ad(buf0, buf); +} + +/** + Squeeze the first SHAKE-256 block +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake256_squeeze_first_block( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { + Eurydice_slice buf[1U] = {out}; + libcrux_sha3_generic_keccak_squeeze_first_block_c60(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + Eurydice_slice_uint8_t_1size_t__x2 uu____0 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U); + Eurydice_slice o0[1U]; + memcpy(o0, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o10[1U]; + memcpy(o10, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_c6(s, o0); + Eurydice_slice_uint8_t_1size_t__x2 uu____1 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o10, (size_t)168U); + Eurydice_slice o1[1U]; + memcpy(o1, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o20[1U]; + memcpy(o20, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o1); + Eurydice_slice_uint8_t_1size_t__x2 uu____2 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o20, (size_t)168U); + Eurydice_slice o2[1U]; + memcpy(o2, uu____2.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o30[1U]; + memcpy(o30, uu____2.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o2); + Eurydice_slice_uint8_t_1size_t__x2 uu____3 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o30, (size_t)168U); + Eurydice_slice o3[1U]; + memcpy(o3, uu____3.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o4[1U]; + memcpy(o4, uu____3.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o3); + libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o4); +} + +/** + Squeeze five blocks +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { + Eurydice_slice buf[1U] = {out0}; + libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6(s, buf); +} + +/** + Squeeze another block +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { + Eurydice_slice buf[1U] = {out0}; + libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, buf); +} + +/** + Squeeze the next SHAKE-256 block +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake256_squeeze_next_block( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { + Eurydice_slice buf[1U] = {out}; + libcrux_sha3_generic_keccak_squeeze_next_block_c60(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState +with types uint64_t +with const generics +- $1size_t +- $136size_t +*/ +typedef struct libcrux_sha3_generic_keccak_KeccakXofState_e2_s { + libcrux_sha3_generic_keccak_KeccakState_17 inner; + uint8_t buf[1U][136U]; + size_t buf_len; + bool sponge; +} libcrux_sha3_generic_keccak_KeccakXofState_e2; + +typedef libcrux_sha3_generic_keccak_KeccakXofState_e2 + libcrux_sha3_portable_incremental_Shake256Xof; + +/** + Consume the internal buffer and the required amount of the input to pad to + `RATE`. + + Returns the `consumed` bytes from `inputs` if there's enough buffered + content to consume, and `0` otherwise. + If `consumed > 0` is returned, `self.buf` contains a full block to be + loaded. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.fill_buffer_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +*/ +static inline size_t libcrux_sha3_generic_keccak_fill_buffer_8b_c6( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, + Eurydice_slice inputs[1U]) { + size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t); + size_t consumed = (size_t)0U; + if (self->buf_len > (size_t)0U) { + if (self->buf_len + input_len >= (size_t)136U) { + consumed = (size_t)136U - self->buf_len; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( + (size_t)136U, self->buf[i0], self->buf_len, uint8_t, size_t); + Eurydice_slice_copy( + uu____0, + Eurydice_slice_subslice_to(inputs[i0], consumed, uint8_t, size_t), + uint8_t); + } + self->buf_len = self->buf_len + consumed; + } + } + return consumed; +} + +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_full_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +*/ +static inline size_t libcrux_sha3_generic_keccak_absorb_full_8b_c6( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, + Eurydice_slice inputs[1U]) { + libcrux_sha3_generic_keccak_KeccakXofState_e2 *uu____0 = self; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_inputs0[1U]; + memcpy(copy_of_inputs0, inputs, (size_t)1U * sizeof(Eurydice_slice)); + size_t input_consumed = + libcrux_sha3_generic_keccak_fill_buffer_8b_c6(uu____0, copy_of_inputs0); + if (input_consumed > (size_t)0U) { + Eurydice_slice borrowed[1U]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + uint8_t buf[136U] = {0U}; + borrowed[i] = core_array___Array_T__N__23__as_slice( + (size_t)136U, buf, uint8_t, Eurydice_slice); + } + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + borrowed[i0] = + Eurydice_array_to_slice((size_t)136U, self->buf[i0], uint8_t); + } + uint64_t(*uu____2)[5U] = self->inner.st; + Eurydice_slice uu____3[1U]; + memcpy(uu____3, borrowed, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_5a_5b(uu____2, uu____3); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + self->buf_len = (size_t)0U; + } + size_t input_to_consume = + Eurydice_slice_len(inputs[0U], uint8_t) - input_consumed; + size_t num_blocks = input_to_consume / (size_t)136U; + size_t remainder = input_to_consume % (size_t)136U; + for (size_t i = (size_t)0U; i < num_blocks; i++) { + size_t i0 = i; + uint64_t(*uu____4)[5U] = self->inner.st; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_inputs[1U]; + memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a( + copy_of_inputs, input_consumed + i0 * (size_t)136U, (size_t)136U, ret); + libcrux_sha3_portable_keccak_load_block_5a_5b(uu____4, ret); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + } + return remainder; +} + +/** + Absorb + + This function takes any number of bytes to absorb and buffers if it's not + enough. The function assumes that all input slices in `blocks` have the same + length. + + Only a multiple of `RATE` blocks are absorbed. + For the remaining bytes [`absorb_final`] needs to be called. + + This works best with relatively small `inputs`. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c6( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, + Eurydice_slice inputs[1U]) { + libcrux_sha3_generic_keccak_KeccakXofState_e2 *uu____0 = self; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_inputs[1U]; + memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice)); + size_t input_remainder_len = + libcrux_sha3_generic_keccak_absorb_full_8b_c6(uu____0, copy_of_inputs); + if (input_remainder_len > (size_t)0U) { + size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____2 = Eurydice_array_to_subslice2( + self->buf[i0], self->buf_len, self->buf_len + input_remainder_len, + uint8_t); + Eurydice_slice_copy( + uu____2, + Eurydice_slice_subslice_from( + inputs[i0], input_len - input_remainder_len, uint8_t, size_t), + uint8_t); + } + self->buf_len = self->buf_len + input_remainder_len; + } +} + +/** + Shake256 absorb +*/ +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} +*/ +static inline void libcrux_sha3_portable_incremental_absorb_68( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) { + Eurydice_slice buf[1U] = {input}; + libcrux_sha3_generic_keccak_absorb_8b_c6(self, buf); +} + +/** + Absorb a final block. + + The `inputs` block may be empty. Everything in the `inputs` block beyond + `RATE` bytes is ignored. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +- DELIMITER= 31 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, + Eurydice_slice inputs[1U]) { + libcrux_sha3_generic_keccak_KeccakXofState_e2 *uu____0 = self; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_inputs[1U]; + memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice)); + size_t input_remainder_len = + libcrux_sha3_generic_keccak_absorb_full_8b_c6(uu____0, copy_of_inputs); + size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t); + uint8_t blocks[1U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + if (self->buf_len > (size_t)0U) { + Eurydice_slice uu____2 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, self->buf_len, uint8_t); + Eurydice_slice_copy(uu____2, + Eurydice_array_to_subslice2(self->buf[i0], (size_t)0U, + self->buf_len, uint8_t), + uint8_t); + } + if (input_remainder_len > (size_t)0U) { + Eurydice_slice uu____3 = Eurydice_array_to_subslice2( + blocks[i0], self->buf_len, self->buf_len + input_remainder_len, + uint8_t); + Eurydice_slice_copy( + uu____3, + Eurydice_slice_subslice_from( + inputs[i0], input_len - input_remainder_len, uint8_t, size_t), + uint8_t); + } + blocks[i0][self->buf_len + input_remainder_len] = 31U; + size_t uu____4 = i0; + size_t uu____5 = (size_t)136U - (size_t)1U; + blocks[uu____4][uu____5] = (uint32_t)blocks[uu____4][uu____5] | 128U; + } + uint64_t(*uu____6)[5U] = self->inner.st; + uint8_t uu____7[1U][200U]; + memcpy(uu____7, blocks, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5a_5b(uu____6, uu____7); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); +} + +/** + Shake256 absorb final +*/ +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} +*/ +static inline void libcrux_sha3_portable_incremental_absorb_final_68( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) { + Eurydice_slice buf[1U] = {input}; + libcrux_sha3_generic_keccak_absorb_final_8b_9e(self, buf); +} + +/** + An all zero block +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.zero_block_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +*/ +static inline void libcrux_sha3_generic_keccak_zero_block_8b_c6( + uint8_t ret[136U]) { + ret[0U] = 0U; + ret[1U] = 0U; + ret[2U] = 0U; + ret[3U] = 0U; + ret[4U] = 0U; + ret[5U] = 0U; + ret[6U] = 0U; + ret[7U] = 0U; + ret[8U] = 0U; + ret[9U] = 0U; + ret[10U] = 0U; + ret[11U] = 0U; + ret[12U] = 0U; + ret[13U] = 0U; + ret[14U] = 0U; + ret[15U] = 0U; + ret[16U] = 0U; + ret[17U] = 0U; + ret[18U] = 0U; + ret[19U] = 0U; + ret[20U] = 0U; + ret[21U] = 0U; + ret[22U] = 0U; + ret[23U] = 0U; + ret[24U] = 0U; + ret[25U] = 0U; + ret[26U] = 0U; + ret[27U] = 0U; + ret[28U] = 0U; + ret[29U] = 0U; + ret[30U] = 0U; + ret[31U] = 0U; + ret[32U] = 0U; + ret[33U] = 0U; + ret[34U] = 0U; + ret[35U] = 0U; + ret[36U] = 0U; + ret[37U] = 0U; + ret[38U] = 0U; + ret[39U] = 0U; + ret[40U] = 0U; + ret[41U] = 0U; + ret[42U] = 0U; + ret[43U] = 0U; + ret[44U] = 0U; + ret[45U] = 0U; + ret[46U] = 0U; + ret[47U] = 0U; + ret[48U] = 0U; + ret[49U] = 0U; + ret[50U] = 0U; + ret[51U] = 0U; + ret[52U] = 0U; + ret[53U] = 0U; + ret[54U] = 0U; + ret[55U] = 0U; + ret[56U] = 0U; + ret[57U] = 0U; + ret[58U] = 0U; + ret[59U] = 0U; + ret[60U] = 0U; + ret[61U] = 0U; + ret[62U] = 0U; + ret[63U] = 0U; + ret[64U] = 0U; + ret[65U] = 0U; + ret[66U] = 0U; + ret[67U] = 0U; + ret[68U] = 0U; + ret[69U] = 0U; + ret[70U] = 0U; + ret[71U] = 0U; + ret[72U] = 0U; + ret[73U] = 0U; + ret[74U] = 0U; + ret[75U] = 0U; + ret[76U] = 0U; + ret[77U] = 0U; + ret[78U] = 0U; + ret[79U] = 0U; + ret[80U] = 0U; + ret[81U] = 0U; + ret[82U] = 0U; + ret[83U] = 0U; + ret[84U] = 0U; + ret[85U] = 0U; + ret[86U] = 0U; + ret[87U] = 0U; + ret[88U] = 0U; + ret[89U] = 0U; + ret[90U] = 0U; + ret[91U] = 0U; + ret[92U] = 0U; + ret[93U] = 0U; + ret[94U] = 0U; + ret[95U] = 0U; + ret[96U] = 0U; + ret[97U] = 0U; + ret[98U] = 0U; + ret[99U] = 0U; + ret[100U] = 0U; + ret[101U] = 0U; + ret[102U] = 0U; + ret[103U] = 0U; + ret[104U] = 0U; + ret[105U] = 0U; + ret[106U] = 0U; + ret[107U] = 0U; + ret[108U] = 0U; + ret[109U] = 0U; + ret[110U] = 0U; + ret[111U] = 0U; + ret[112U] = 0U; + ret[113U] = 0U; + ret[114U] = 0U; + ret[115U] = 0U; + ret[116U] = 0U; + ret[117U] = 0U; + ret[118U] = 0U; + ret[119U] = 0U; + ret[120U] = 0U; + ret[121U] = 0U; + ret[122U] = 0U; + ret[123U] = 0U; + ret[124U] = 0U; + ret[125U] = 0U; + ret[126U] = 0U; + ret[127U] = 0U; + ret[128U] = 0U; + ret[129U] = 0U; + ret[130U] = 0U; + ret[131U] = 0U; + ret[132U] = 0U; + ret[133U] = 0U; + ret[134U] = 0U; + ret[135U] = 0U; +} + +/** + Generate a new keccak xof state. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.new_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +*/ +static inline libcrux_sha3_generic_keccak_KeccakXofState_e2 +libcrux_sha3_generic_keccak_new_8b_c6(void) { + libcrux_sha3_generic_keccak_KeccakXofState_e2 lit; + lit.inner = libcrux_sha3_generic_keccak_new_89_04(); + uint8_t ret[136U]; + libcrux_sha3_generic_keccak_zero_block_8b_c6(ret); + memcpy(lit.buf[0U], ret, (size_t)136U * sizeof(uint8_t)); + lit.buf_len = (size_t)0U; + lit.sponge = false; + return lit; +} + +/** + Shake256 new state +*/ +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} +*/ +static inline libcrux_sha3_generic_keccak_KeccakXofState_e2 +libcrux_sha3_portable_incremental_new_68(void) { + return libcrux_sha3_generic_keccak_new_8b_c6(); +} + +/** + `out` has the exact size we want here. It must be less than or equal to `RATE`. +*/ +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_5a +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b( + uint64_t (*state)[5U], Eurydice_slice out[1U]) { + size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U; + size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U; + for (size_t i = (size_t)0U; i < num_full_blocks; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } + if (last_block_len != (size_t)0U) { + Eurydice_slice uu____1 = Eurydice_slice_subslice2( + out[0U], num_full_blocks * (size_t)8U, + num_full_blocks * (size_t)8U + last_block_len, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes( + state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret); + Eurydice_slice_copy( + uu____1, + Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t), + uint8_t); + } +} + +/** + Squeeze `N` x `LEN` bytes. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, + Eurydice_slice out[1U]) { + if (self->sponge) { + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + } + size_t out_len = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = out_len / (size_t)136U; + size_t last = out_len - out_len % (size_t)136U; + size_t mid; + if ((size_t)136U >= out_len) { + mid = out_len; + } else { + mid = (size_t)136U; + } + Eurydice_slice_uint8_t_1size_t__x2 uu____0 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid); + Eurydice_slice out00[1U]; + memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice out_rest[1U]; + memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____1 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest, + (size_t)136U); + Eurydice_slice out0[1U]; + memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice tmp[1U]; + memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0); + memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < out_len) { + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest); + } + self->sponge = true; +} + +/** + Shake256 squeeze +*/ +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} +*/ +static inline void libcrux_sha3_portable_incremental_squeeze_68( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) { + Eurydice_slice buf[1U] = {out}; + libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf); +} + +#define libcrux_sha3_Sha224 0 +#define libcrux_sha3_Sha256 1 +#define libcrux_sha3_Sha384 2 +#define libcrux_sha3_Sha512 3 + +typedef uint8_t libcrux_sha3_Algorithm; + +/** + Returns the output size of a digest. +*/ +static inline size_t libcrux_sha3_digest_size(libcrux_sha3_Algorithm mode) { + size_t uu____0; + switch (mode) { + case libcrux_sha3_Sha224: { + uu____0 = (size_t)28U; + break; + } + case libcrux_sha3_Sha256: { + uu____0 = (size_t)32U; + break; + } + case libcrux_sha3_Sha384: { + uu____0 = (size_t)48U; + break; + } + case libcrux_sha3_Sha512: { + uu____0 = (size_t)64U; + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, + __LINE__); + KRML_HOST_EXIT(253U); + } + } + return uu____0; +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block +with const generics +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_2c( + uint64_t (*s)[5U], Eurydice_slice blocks[1U]) { + for (size_t i = (size_t)0U; i < (size_t)144U / (size_t)8U; i++) { + size_t i0 = i; + uint8_t uu____0[8U]; + Result_15 dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); + unwrap_26_68(dst, uu____0); + size_t uu____1 = i0 / (size_t)5U; + size_t uu____2 = i0 % (size_t)5U; + s[uu____1][uu____2] = + s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a +with const generics +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_2c( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_2c(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block +with types uint64_t +with const generics +- N= 1 +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c61( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) { + uint64_t(*uu____0)[5U] = s->st; + Eurydice_slice uu____1[1U]; + memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_5a_2c(uu____0, uu____1); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full +with const generics +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_2c( + uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; + libcrux_sha3_portable_keccak_load_block_2c(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a +with const generics +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_2c( + uint64_t (*a)[5U], uint8_t b[1U][200U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_2c(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final +with types uint64_t +with const generics +- N= 1 +- RATE= 144 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e1( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) { + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); + uint8_t blocks[1U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + if (last_len > (size_t)0U) { + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); + } + blocks[i0][last_len] = 6U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)144U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5a_2c(uu____3, uu____4); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block +with const generics +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_2c( + uint64_t (*s)[5U], Eurydice_slice out[1U]) { + for (size_t i = (size_t)0U; i < (size_t)144U / (size_t)8U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full +with const generics +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_2c( + uint64_t (*s)[5U], uint8_t ret[1U][200U]) { + uint8_t out[200U] = {0U}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; + libcrux_sha3_portable_keccak_store_block_2c(s, buf); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a +with const generics +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_2c( + uint64_t (*a)[5U], uint8_t ret[1U][200U]) { + libcrux_sha3_portable_keccak_store_block_full_2c(a, ret); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last +with types uint64_t +with const generics +- N= 1 +- RATE= 144 +*/ +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_and_last_c61( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_2c(s->st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a +with const generics +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_2c( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + libcrux_sha3_portable_keccak_store_block_2c(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +with types uint64_t +with const generics +- N= 1 +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c61( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_portable_keccak_store_block_5a_2c(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block +with types uint64_t +with const generics +- N= 1 +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(s); + libcrux_sha3_portable_keccak_store_block_5a_2c(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last +with types uint64_t +with const generics +- N= 1 +- RATE= 144 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c61( + libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(&s); + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_2c(s.st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccak +with types uint64_t +with const generics +- N= 1 +- RATE= 144 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e1( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_KeccakState_17 s = + libcrux_sha3_generic_keccak_new_89_04(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)144U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)144U, + (size_t)144U, ret); + libcrux_sha3_generic_keccak_absorb_block_c61(uu____0, ret); + } + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)144U; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a( + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); + libcrux_sha3_generic_keccak_absorb_final_9e1(uu____2, ret); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = outlen / (size_t)144U; + size_t last = outlen - outlen % (size_t)144U; + if (blocks == (size_t)0U) { + libcrux_sha3_generic_keccak_squeeze_first_and_last_c61(&s, out); + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____4 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)144U); + Eurydice_slice o0[1U]; + memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o1[1U]; + memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_c61(&s, o0); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____5 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)144U); + Eurydice_slice o[1U]; + memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice orest[1U]; + memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c61(&s, o); + memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < outlen) { + libcrux_sha3_generic_keccak_squeeze_last_c61(s, o1); + } + } +} + +/** +A monomorphic instance of libcrux_sha3.portable.keccakx1 +with const generics +- RATE= 144 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_1e( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_9e1(copy_of_data, out); +} + +/** + A portable SHA3 224 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest, + Eurydice_slice data) { + Eurydice_slice buf0[1U] = {data}; + Eurydice_slice buf[1U] = {digest}; + libcrux_sha3_portable_keccakx1_1e(buf0, buf); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e2( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) { + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); + uint8_t blocks[1U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + if (last_len > (size_t)0U) { + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); + } + blocks[i0][last_len] = 6U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5a_5b(uu____3, uu____4); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccak +with types uint64_t +with const generics +- N= 1 +- RATE= 136 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e2( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_KeccakState_17 s = + libcrux_sha3_generic_keccak_new_89_04(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U, + (size_t)136U, ret); + libcrux_sha3_generic_keccak_absorb_block_c60(uu____0, ret); + } + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a( + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); + libcrux_sha3_generic_keccak_absorb_final_9e2(uu____2, ret); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = outlen / (size_t)136U; + size_t last = outlen - outlen % (size_t)136U; + if (blocks == (size_t)0U) { + libcrux_sha3_generic_keccak_squeeze_first_and_last_c60(&s, out); + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____4 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)136U); + Eurydice_slice o0[1U]; + memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o1[1U]; + memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_c60(&s, o0); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____5 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)136U); + Eurydice_slice o[1U]; + memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice orest[1U]; + memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c60(&s, o); + memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < outlen) { + libcrux_sha3_generic_keccak_squeeze_last_c60(s, o1); + } + } +} + +/** +A monomorphic instance of libcrux_sha3.portable.keccakx1 +with const generics +- RATE= 136 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad0( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_9e2(copy_of_data, out); +} + +/** + A portable SHA3 256 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest, + Eurydice_slice data) { + Eurydice_slice buf0[1U] = {data}; + Eurydice_slice buf[1U] = {digest}; + libcrux_sha3_portable_keccakx1_ad0(buf0, buf); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block +with const generics +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_7a( + uint64_t (*s)[5U], Eurydice_slice blocks[1U]) { + for (size_t i = (size_t)0U; i < (size_t)104U / (size_t)8U; i++) { + size_t i0 = i; + uint8_t uu____0[8U]; + Result_15 dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); + unwrap_26_68(dst, uu____0); + size_t uu____1 = i0 / (size_t)5U; + size_t uu____2 = i0 % (size_t)5U; + s[uu____1][uu____2] = + s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a +with const generics +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_7a( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_7a(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block +with types uint64_t +with const generics +- N= 1 +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c62( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) { + uint64_t(*uu____0)[5U] = s->st; + Eurydice_slice uu____1[1U]; + memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_5a_7a(uu____0, uu____1); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full +with const generics +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a( + uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; + libcrux_sha3_portable_keccak_load_block_7a(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a +with const generics +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_7a( + uint64_t (*a)[5U], uint8_t b[1U][200U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final +with types uint64_t +with const generics +- N= 1 +- RATE= 104 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e3( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) { + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); + uint8_t blocks[1U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + if (last_len > (size_t)0U) { + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); + } + blocks[i0][last_len] = 6U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)104U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5a_7a(uu____3, uu____4); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block +with const generics +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_7a( + uint64_t (*s)[5U], Eurydice_slice out[1U]) { + for (size_t i = (size_t)0U; i < (size_t)104U / (size_t)8U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full +with const generics +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_7a( + uint64_t (*s)[5U], uint8_t ret[1U][200U]) { + uint8_t out[200U] = {0U}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; + libcrux_sha3_portable_keccak_store_block_7a(s, buf); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a +with const generics +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_7a( + uint64_t (*a)[5U], uint8_t ret[1U][200U]) { + libcrux_sha3_portable_keccak_store_block_full_7a(a, ret); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last +with types uint64_t +with const generics +- N= 1 +- RATE= 104 +*/ +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_and_last_c62( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_7a(s->st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a +with const generics +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_7a( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + libcrux_sha3_portable_keccak_store_block_7a(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +with types uint64_t +with const generics +- N= 1 +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c62( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_portable_keccak_store_block_5a_7a(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block +with types uint64_t +with const generics +- N= 1 +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c62( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(s); + libcrux_sha3_portable_keccak_store_block_5a_7a(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last +with types uint64_t +with const generics +- N= 1 +- RATE= 104 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c62( + libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(&s); + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_7a(s.st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccak +with types uint64_t +with const generics +- N= 1 +- RATE= 104 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e3( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_KeccakState_17 s = + libcrux_sha3_generic_keccak_new_89_04(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)104U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)104U, + (size_t)104U, ret); + libcrux_sha3_generic_keccak_absorb_block_c62(uu____0, ret); + } + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)104U; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a( + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); + libcrux_sha3_generic_keccak_absorb_final_9e3(uu____2, ret); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = outlen / (size_t)104U; + size_t last = outlen - outlen % (size_t)104U; + if (blocks == (size_t)0U) { + libcrux_sha3_generic_keccak_squeeze_first_and_last_c62(&s, out); + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____4 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)104U); + Eurydice_slice o0[1U]; + memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o1[1U]; + memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_c62(&s, o0); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____5 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)104U); + Eurydice_slice o[1U]; + memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice orest[1U]; + memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c62(&s, o); + memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < outlen) { + libcrux_sha3_generic_keccak_squeeze_last_c62(s, o1); + } + } +} + +/** +A monomorphic instance of libcrux_sha3.portable.keccakx1 +with const generics +- RATE= 104 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_7c( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_9e3(copy_of_data, out); +} + +/** + A portable SHA3 384 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, + Eurydice_slice data) { + Eurydice_slice buf0[1U] = {data}; + Eurydice_slice buf[1U] = {digest}; + libcrux_sha3_portable_keccakx1_7c(buf0, buf); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block +with const generics +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_f8( + uint64_t (*s)[5U], Eurydice_slice blocks[1U]) { + for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) { + size_t i0 = i; + uint8_t uu____0[8U]; + Result_15 dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); + unwrap_26_68(dst, uu____0); + size_t uu____1 = i0 / (size_t)5U; + size_t uu____2 = i0 % (size_t)5U; + s[uu____1][uu____2] = + s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a +with const generics +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_f8( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_f8(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block +with types uint64_t +with const generics +- N= 1 +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_c63( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice blocks[1U]) { + uint64_t(*uu____0)[5U] = s->st; + Eurydice_slice uu____1[1U]; + memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_5a_f8(uu____0, uu____1); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full +with const generics +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_f8( + uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; + libcrux_sha3_portable_keccak_load_block_f8(s, buf); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a +with const generics +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_f8( + uint64_t (*a)[5U], uint8_t b[1U][200U]) { + uint64_t(*uu____0)[5U] = a; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_f8(uu____0, copy_of_b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final +with types uint64_t +with const generics +- N= 1 +- RATE= 72 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e4( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice last[1U]) { + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); + uint8_t blocks[1U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + if (last_len > (size_t)0U) { + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); + } + blocks[i0][last_len] = 6U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)72U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5a_f8(uu____3, uu____4); + libcrux_sha3_generic_keccak_keccakf1600_04(s); +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block +with const generics +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_f8( + uint64_t (*s)[5U], Eurydice_slice out[1U]) { + for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full +with const generics +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_f8( + uint64_t (*s)[5U], uint8_t ret[1U][200U]) { + uint8_t out[200U] = {0U}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; + libcrux_sha3_portable_keccak_store_block_f8(s, buf); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a +with const generics +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_f8( + uint64_t (*a)[5U], uint8_t ret[1U][200U]) { + libcrux_sha3_portable_keccak_store_block_full_f8(a, ret); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last +with types uint64_t +with const generics +- N= 1 +- RATE= 72 +*/ +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_and_last_c63( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_f8(s->st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a +with const generics +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_f8( + uint64_t (*a)[5U], Eurydice_slice b[1U]) { + libcrux_sha3_portable_keccak_store_block_f8(a, b); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block +with types uint64_t +with const generics +- N= 1 +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_c63( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_portable_keccak_store_block_5a_f8(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block +with types uint64_t +with const generics +- N= 1 +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c63( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(s); + libcrux_sha3_portable_keccak_store_block_5a_f8(s->st, out); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last +with types uint64_t +with const generics +- N= 1 +- RATE= 72 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_c63( + libcrux_sha3_generic_keccak_KeccakState_17 s, Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_keccakf1600_04(&s); + uint8_t b[1U][200U]; + libcrux_sha3_portable_keccak_store_block_full_5a_f8(s.st, b); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range_08), + uint8_t); + } +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.keccak +with types uint64_t +with const generics +- N= 1 +- RATE= 72 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_9e4( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + libcrux_sha3_generic_keccak_KeccakState_17 s = + libcrux_sha3_generic_keccak_new_89_04(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)72U; i++) { + size_t i0 = i; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____0 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)72U, + (size_t)72U, ret); + libcrux_sha3_generic_keccak_absorb_block_c63(uu____0, ret); + } + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)72U; + libcrux_sha3_generic_keccak_KeccakState_17 *uu____2 = &s; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a( + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); + libcrux_sha3_generic_keccak_absorb_final_9e4(uu____2, ret); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = outlen / (size_t)72U; + size_t last = outlen - outlen % (size_t)72U; + if (blocks == (size_t)0U) { + libcrux_sha3_generic_keccak_squeeze_first_and_last_c63(&s, out); + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____4 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)72U); + Eurydice_slice o0[1U]; + memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o1[1U]; + memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_c63(&s, o0); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____5 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)72U); + Eurydice_slice o[1U]; + memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice orest[1U]; + memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c63(&s, o); + memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < outlen) { + libcrux_sha3_generic_keccak_squeeze_last_c63(s, o1); + } + } +} + +/** +A monomorphic instance of libcrux_sha3.portable.keccakx1 +with const generics +- RATE= 72 +- DELIM= 6 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_96( + Eurydice_slice data[1U], Eurydice_slice out[1U]) { + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_9e4(copy_of_data, out); +} + +/** + A portable SHA3 512 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest, + Eurydice_slice data) { + Eurydice_slice buf0[1U] = {data}; + Eurydice_slice buf[1U] = {digest}; + libcrux_sha3_portable_keccakx1_96(buf0, buf); +} + +/** + SHA3 224 + + Preconditions: + - `digest.len() == 28` +*/ +static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest, + Eurydice_slice payload) { + libcrux_sha3_portable_sha224(digest, payload); +} + +/** + SHA3 224 +*/ +static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data, + uint8_t ret[28U]) { + uint8_t out[28U] = {0U}; + libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t), + data); + memcpy(ret, out, (size_t)28U * sizeof(uint8_t)); +} + +/** + SHA3 256 +*/ +static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest, + Eurydice_slice payload) { + libcrux_sha3_portable_sha256(digest, payload); +} + +/** + SHA3 256 +*/ +static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data, + uint8_t ret[32U]) { + uint8_t out[32U] = {0U}; + libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t), + data); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +} + +/** + SHA3 384 +*/ +static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest, + Eurydice_slice payload) { + libcrux_sha3_portable_sha384(digest, payload); +} + +/** + SHA3 384 +*/ +static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data, + uint8_t ret[48U]) { + uint8_t out[48U] = {0U}; + libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t), + data); + memcpy(ret, out, (size_t)48U * sizeof(uint8_t)); +} + +/** + SHA3 512 +*/ +static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest, + Eurydice_slice payload) { + libcrux_sha3_portable_sha512(digest, payload); +} + +/** + SHA3 512 +*/ +static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data, + uint8_t ret[64U]) { + uint8_t out[64U] = {0U}; + libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t), + data); + memcpy(ret, out, (size_t)64U * sizeof(uint8_t)); +} + +/** + SHAKE 128 + + Writes `out.len()` bytes. +*/ +static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out, + Eurydice_slice data) { + libcrux_sha3_portable_shake128(out, data); +} + +/** + SHAKE 256 + + Writes `out.len()` bytes. +*/ +static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out, + Eurydice_slice data) { + libcrux_sha3_portable_shake256(out, data); +} + +static const size_t libcrux_sha3_generic_keccak__PI[24U] = { + (size_t)6U, (size_t)12U, (size_t)18U, (size_t)24U, (size_t)3U, + (size_t)9U, (size_t)10U, (size_t)16U, (size_t)22U, (size_t)1U, + (size_t)7U, (size_t)13U, (size_t)19U, (size_t)20U, (size_t)4U, + (size_t)5U, (size_t)11U, (size_t)17U, (size_t)23U, (size_t)2U, + (size_t)8U, (size_t)14U, (size_t)15U, (size_t)21U}; + +static const size_t libcrux_sha3_generic_keccak__ROTC[24U] = { + (size_t)1U, (size_t)62U, (size_t)28U, (size_t)27U, (size_t)36U, + (size_t)44U, (size_t)6U, (size_t)55U, (size_t)20U, (size_t)3U, + (size_t)10U, (size_t)43U, (size_t)25U, (size_t)39U, (size_t)41U, + (size_t)45U, (size_t)15U, (size_t)21U, (size_t)8U, (size_t)18U, + (size_t)2U, (size_t)61U, (size_t)56U, (size_t)14U}; + +/** + A portable SHA3 224 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest, + Eurydice_slice data) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + A portable SHA3 256 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest, + Eurydice_slice data) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + A portable SHA3 384 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest, + Eurydice_slice data) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + A portable SHA3 512 implementation. +*/ +static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest, + Eurydice_slice data) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Run SHAKE256 on both inputs in parallel. + + Writes the two results into `out0` and `out1` +*/ +static KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice out0, + Eurydice_slice out1) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s { + libcrux_sha3_generic_keccak_KeccakState_17 state[2U]; +} libcrux_sha3_neon_x2_incremental_KeccakState; + +/** + Initialise the `KeccakState2`. +*/ +static KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState +libcrux_sha3_neon_x2_incremental_init(void) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. +*/ +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake128_absorb_final( + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, + Eurydice_slice data1) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Squeeze 2 times the first three blocks in parallel in the + [`KeccakState`] and return the output in `out0` and `out1`. +*/ +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, + Eurydice_slice out1) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Squeeze 2 times the next block in parallel in the + [`KeccakState`] and return the output in `out0` and `out1`. +*/ +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, + Eurydice_slice out1) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Squeeze five blocks +*/ +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks( + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, + Eurydice_slice out1) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`. +*/ +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake256_absorb_final( + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, + Eurydice_slice data1) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Squeeze block +*/ +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block( + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, + Eurydice_slice out1) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** + Squeeze next block +*/ +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block( + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, + Eurydice_slice out1) { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_three_blocks +with types uint64_t +with const generics +- N= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void +libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out[1U]) { + Eurydice_slice_uint8_t_1size_t__x2 uu____0 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U); + Eurydice_slice o0[1U]; + memcpy(o0, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o10[1U]; + memcpy(o10, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_first_block_c6(s, o0); + Eurydice_slice_uint8_t_1size_t__x2 uu____1 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(o10, (size_t)168U); + Eurydice_slice o1[1U]; + memcpy(o1, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice o2[1U]; + memcpy(o2, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o1); + libcrux_sha3_generic_keccak_squeeze_next_block_c6(s, o2); +} + +/** + Squeeze three blocks +*/ +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( + libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { + Eurydice_slice buf[1U] = {out0}; + libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6(s, buf); +} + +/** +A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState +with types uint64_t +with const generics +- $1size_t +- $168size_t +*/ +typedef struct libcrux_sha3_generic_keccak_KeccakXofState_97_s { + libcrux_sha3_generic_keccak_KeccakState_17 inner; + uint8_t buf[1U][168U]; + size_t buf_len; + bool sponge; +} libcrux_sha3_generic_keccak_KeccakXofState_97; + +typedef libcrux_sha3_generic_keccak_KeccakXofState_97 + libcrux_sha3_portable_incremental_Shake128Xof; + +/** + Consume the internal buffer and the required amount of the input to pad to + `RATE`. + + Returns the `consumed` bytes from `inputs` if there's enough buffered + content to consume, and `0` otherwise. + If `consumed > 0` is returned, `self.buf` contains a full block to be + loaded. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.fill_buffer_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 168 +*/ +static inline size_t libcrux_sha3_generic_keccak_fill_buffer_8b_c60( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, + Eurydice_slice inputs[1U]) { + size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t); + size_t consumed = (size_t)0U; + if (self->buf_len > (size_t)0U) { + if (self->buf_len + input_len >= (size_t)168U) { + consumed = (size_t)168U - self->buf_len; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( + (size_t)168U, self->buf[i0], self->buf_len, uint8_t, size_t); + Eurydice_slice_copy( + uu____0, + Eurydice_slice_subslice_to(inputs[i0], consumed, uint8_t, size_t), + uint8_t); + } + self->buf_len = self->buf_len + consumed; + } + } + return consumed; +} + +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_full_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 168 +*/ +static inline size_t libcrux_sha3_generic_keccak_absorb_full_8b_c60( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, + Eurydice_slice inputs[1U]) { + libcrux_sha3_generic_keccak_KeccakXofState_97 *uu____0 = self; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_inputs0[1U]; + memcpy(copy_of_inputs0, inputs, (size_t)1U * sizeof(Eurydice_slice)); + size_t input_consumed = + libcrux_sha3_generic_keccak_fill_buffer_8b_c60(uu____0, copy_of_inputs0); + if (input_consumed > (size_t)0U) { + Eurydice_slice borrowed[1U]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + uint8_t buf[168U] = {0U}; + borrowed[i] = core_array___Array_T__N__23__as_slice( + (size_t)168U, buf, uint8_t, Eurydice_slice); + } + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + borrowed[i0] = + Eurydice_array_to_slice((size_t)168U, self->buf[i0], uint8_t); + } + uint64_t(*uu____2)[5U] = self->inner.st; + Eurydice_slice uu____3[1U]; + memcpy(uu____3, borrowed, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_5a_3a(uu____2, uu____3); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + self->buf_len = (size_t)0U; + } + size_t input_to_consume = + Eurydice_slice_len(inputs[0U], uint8_t) - input_consumed; + size_t num_blocks = input_to_consume / (size_t)168U; + size_t remainder = input_to_consume % (size_t)168U; + for (size_t i = (size_t)0U; i < num_blocks; i++) { + size_t i0 = i; + uint64_t(*uu____4)[5U] = self->inner.st; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_inputs[1U]; + memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice ret[1U]; + libcrux_sha3_portable_keccak_slice_n_5a( + copy_of_inputs, input_consumed + i0 * (size_t)168U, (size_t)168U, ret); + libcrux_sha3_portable_keccak_load_block_5a_3a(uu____4, ret); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + } + return remainder; +} + +/** + Absorb + + This function takes any number of bytes to absorb and buffers if it's not + enough. The function assumes that all input slices in `blocks` have the same + length. + + Only a multiple of `RATE` blocks are absorbed. + For the remaining bytes [`absorb_final`] needs to be called. + + This works best with relatively small `inputs`. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c60( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, + Eurydice_slice inputs[1U]) { + libcrux_sha3_generic_keccak_KeccakXofState_97 *uu____0 = self; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_inputs[1U]; + memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice)); + size_t input_remainder_len = + libcrux_sha3_generic_keccak_absorb_full_8b_c60(uu____0, copy_of_inputs); + if (input_remainder_len > (size_t)0U) { + size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t); + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____2 = Eurydice_array_to_subslice2( + self->buf[i0], self->buf_len, self->buf_len + input_remainder_len, + uint8_t); + Eurydice_slice_copy( + uu____2, + Eurydice_slice_subslice_from( + inputs[i0], input_len - input_remainder_len, uint8_t, size_t), + uint8_t); + } + self->buf_len = self->buf_len + input_remainder_len; + } +} + +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} +*/ +static inline void libcrux_sha3_portable_incremental_absorb_2f( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) { + Eurydice_slice buf[1U] = {input}; + libcrux_sha3_generic_keccak_absorb_8b_c60(self, buf); +} + +/** + Absorb a final block. + + The `inputs` block may be empty. Everything in the `inputs` block beyond + `RATE` bytes is ignored. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 168 +- DELIMITER= 31 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e0( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, + Eurydice_slice inputs[1U]) { + libcrux_sha3_generic_keccak_KeccakXofState_97 *uu____0 = self; + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_inputs[1U]; + memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice)); + size_t input_remainder_len = + libcrux_sha3_generic_keccak_absorb_full_8b_c60(uu____0, copy_of_inputs); + size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t); + uint8_t blocks[1U][200U] = {{0U}}; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + if (self->buf_len > (size_t)0U) { + Eurydice_slice uu____2 = Eurydice_array_to_subslice2( + blocks[i0], (size_t)0U, self->buf_len, uint8_t); + Eurydice_slice_copy(uu____2, + Eurydice_array_to_subslice2(self->buf[i0], (size_t)0U, + self->buf_len, uint8_t), + uint8_t); + } + if (input_remainder_len > (size_t)0U) { + Eurydice_slice uu____3 = Eurydice_array_to_subslice2( + blocks[i0], self->buf_len, self->buf_len + input_remainder_len, + uint8_t); + Eurydice_slice_copy( + uu____3, + Eurydice_slice_subslice_from( + inputs[i0], input_len - input_remainder_len, uint8_t, size_t), + uint8_t); + } + blocks[i0][self->buf_len + input_remainder_len] = 31U; + size_t uu____4 = i0; + size_t uu____5 = (size_t)168U - (size_t)1U; + blocks[uu____4][uu____5] = (uint32_t)blocks[uu____4][uu____5] | 128U; + } + uint64_t(*uu____6)[5U] = self->inner.st; + uint8_t uu____7[1U][200U]; + memcpy(uu____7, blocks, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_5a_3a(uu____6, uu____7); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); +} + +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} +*/ +static inline void libcrux_sha3_portable_incremental_absorb_final_2f( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) { + Eurydice_slice buf[1U] = {input}; + libcrux_sha3_generic_keccak_absorb_final_8b_9e0(self, buf); +} + +/** + An all zero block +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.zero_block_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 168 +*/ +static inline void libcrux_sha3_generic_keccak_zero_block_8b_c60( + uint8_t ret[168U]) { + ret[0U] = 0U; + ret[1U] = 0U; + ret[2U] = 0U; + ret[3U] = 0U; + ret[4U] = 0U; + ret[5U] = 0U; + ret[6U] = 0U; + ret[7U] = 0U; + ret[8U] = 0U; + ret[9U] = 0U; + ret[10U] = 0U; + ret[11U] = 0U; + ret[12U] = 0U; + ret[13U] = 0U; + ret[14U] = 0U; + ret[15U] = 0U; + ret[16U] = 0U; + ret[17U] = 0U; + ret[18U] = 0U; + ret[19U] = 0U; + ret[20U] = 0U; + ret[21U] = 0U; + ret[22U] = 0U; + ret[23U] = 0U; + ret[24U] = 0U; + ret[25U] = 0U; + ret[26U] = 0U; + ret[27U] = 0U; + ret[28U] = 0U; + ret[29U] = 0U; + ret[30U] = 0U; + ret[31U] = 0U; + ret[32U] = 0U; + ret[33U] = 0U; + ret[34U] = 0U; + ret[35U] = 0U; + ret[36U] = 0U; + ret[37U] = 0U; + ret[38U] = 0U; + ret[39U] = 0U; + ret[40U] = 0U; + ret[41U] = 0U; + ret[42U] = 0U; + ret[43U] = 0U; + ret[44U] = 0U; + ret[45U] = 0U; + ret[46U] = 0U; + ret[47U] = 0U; + ret[48U] = 0U; + ret[49U] = 0U; + ret[50U] = 0U; + ret[51U] = 0U; + ret[52U] = 0U; + ret[53U] = 0U; + ret[54U] = 0U; + ret[55U] = 0U; + ret[56U] = 0U; + ret[57U] = 0U; + ret[58U] = 0U; + ret[59U] = 0U; + ret[60U] = 0U; + ret[61U] = 0U; + ret[62U] = 0U; + ret[63U] = 0U; + ret[64U] = 0U; + ret[65U] = 0U; + ret[66U] = 0U; + ret[67U] = 0U; + ret[68U] = 0U; + ret[69U] = 0U; + ret[70U] = 0U; + ret[71U] = 0U; + ret[72U] = 0U; + ret[73U] = 0U; + ret[74U] = 0U; + ret[75U] = 0U; + ret[76U] = 0U; + ret[77U] = 0U; + ret[78U] = 0U; + ret[79U] = 0U; + ret[80U] = 0U; + ret[81U] = 0U; + ret[82U] = 0U; + ret[83U] = 0U; + ret[84U] = 0U; + ret[85U] = 0U; + ret[86U] = 0U; + ret[87U] = 0U; + ret[88U] = 0U; + ret[89U] = 0U; + ret[90U] = 0U; + ret[91U] = 0U; + ret[92U] = 0U; + ret[93U] = 0U; + ret[94U] = 0U; + ret[95U] = 0U; + ret[96U] = 0U; + ret[97U] = 0U; + ret[98U] = 0U; + ret[99U] = 0U; + ret[100U] = 0U; + ret[101U] = 0U; + ret[102U] = 0U; + ret[103U] = 0U; + ret[104U] = 0U; + ret[105U] = 0U; + ret[106U] = 0U; + ret[107U] = 0U; + ret[108U] = 0U; + ret[109U] = 0U; + ret[110U] = 0U; + ret[111U] = 0U; + ret[112U] = 0U; + ret[113U] = 0U; + ret[114U] = 0U; + ret[115U] = 0U; + ret[116U] = 0U; + ret[117U] = 0U; + ret[118U] = 0U; + ret[119U] = 0U; + ret[120U] = 0U; + ret[121U] = 0U; + ret[122U] = 0U; + ret[123U] = 0U; + ret[124U] = 0U; + ret[125U] = 0U; + ret[126U] = 0U; + ret[127U] = 0U; + ret[128U] = 0U; + ret[129U] = 0U; + ret[130U] = 0U; + ret[131U] = 0U; + ret[132U] = 0U; + ret[133U] = 0U; + ret[134U] = 0U; + ret[135U] = 0U; + ret[136U] = 0U; + ret[137U] = 0U; + ret[138U] = 0U; + ret[139U] = 0U; + ret[140U] = 0U; + ret[141U] = 0U; + ret[142U] = 0U; + ret[143U] = 0U; + ret[144U] = 0U; + ret[145U] = 0U; + ret[146U] = 0U; + ret[147U] = 0U; + ret[148U] = 0U; + ret[149U] = 0U; + ret[150U] = 0U; + ret[151U] = 0U; + ret[152U] = 0U; + ret[153U] = 0U; + ret[154U] = 0U; + ret[155U] = 0U; + ret[156U] = 0U; + ret[157U] = 0U; + ret[158U] = 0U; + ret[159U] = 0U; + ret[160U] = 0U; + ret[161U] = 0U; + ret[162U] = 0U; + ret[163U] = 0U; + ret[164U] = 0U; + ret[165U] = 0U; + ret[166U] = 0U; + ret[167U] = 0U; +} + +/** + Generate a new keccak xof state. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.new_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 168 +*/ +static inline libcrux_sha3_generic_keccak_KeccakXofState_97 +libcrux_sha3_generic_keccak_new_8b_c60(void) { + libcrux_sha3_generic_keccak_KeccakXofState_97 lit; + lit.inner = libcrux_sha3_generic_keccak_new_89_04(); + uint8_t ret[168U]; + libcrux_sha3_generic_keccak_zero_block_8b_c60(ret); + memcpy(lit.buf[0U], ret, (size_t)168U * sizeof(uint8_t)); + lit.buf_len = (size_t)0U; + lit.sponge = false; + return lit; +} + +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} +*/ +static inline libcrux_sha3_generic_keccak_KeccakXofState_97 +libcrux_sha3_portable_incremental_new_2f(void) { + return libcrux_sha3_generic_keccak_new_8b_c60(); +} + +/** + `out` has the exact size we want here. It must be less than or equal to `RATE`. +*/ +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_5a +with const generics +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_3a( + uint64_t (*state)[5U], Eurydice_slice out[1U]) { + size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U; + size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U; + for (size_t i = (size_t)0U; i < num_full_blocks; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } + if (last_block_len != (size_t)0U) { + Eurydice_slice uu____1 = Eurydice_slice_subslice2( + out[0U], num_full_blocks * (size_t)8U, + num_full_blocks * (size_t)8U + last_block_len, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes( + state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret); + Eurydice_slice_copy( + uu____1, + Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t), + uint8_t); + } +} + +/** + Squeeze `N` x `LEN` bytes. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 168 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c60( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, + Eurydice_slice out[1U]) { + if (self->sponge) { + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + } + size_t out_len = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = out_len / (size_t)168U; + size_t last = out_len - out_len % (size_t)168U; + size_t mid; + if ((size_t)168U >= out_len) { + mid = out_len; + } else { + mid = (size_t)168U; + } + Eurydice_slice_uint8_t_1size_t__x2 uu____0 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid); + Eurydice_slice out00[1U]; + memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice out_rest[1U]; + memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_store_5a_3a(self->inner.st, out00); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____1 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest, + (size_t)168U); + Eurydice_slice out0[1U]; + memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice tmp[1U]; + memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + libcrux_sha3_portable_keccak_store_5a_3a(self->inner.st, out0); + memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < out_len) { + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + libcrux_sha3_portable_keccak_store_5a_3a(self->inner.st, out_rest); + } + self->sponge = true; +} + +/** + Shake128 squeeze +*/ +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} +*/ +static inline void libcrux_sha3_portable_incremental_squeeze_2f( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice out) { + Eurydice_slice buf[1U] = {out}; + libcrux_sha3_generic_keccak_squeeze_8b_c60(self, buf); +} + +/** +This function found in impl {(core::clone::Clone for +libcrux_sha3::portable::KeccakState)} +*/ +static inline libcrux_sha3_generic_keccak_KeccakState_17 +libcrux_sha3_portable_clone_3d( + libcrux_sha3_generic_keccak_KeccakState_17 *self) { + return self[0U]; +} + +/** +This function found in impl {(core::convert::From for +u32)#1} +*/ +static inline uint32_t libcrux_sha3_from_eb(libcrux_sha3_Algorithm v) { + uint32_t uu____0; + switch (v) { + case libcrux_sha3_Sha224: { + uu____0 = 1U; + break; + } + case libcrux_sha3_Sha256: { + uu____0 = 2U; + break; + } + case libcrux_sha3_Sha384: { + uu____0 = 3U; + break; + } + case libcrux_sha3_Sha512: { + uu____0 = 4U; + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, + __LINE__); + KRML_HOST_EXIT(253U); + } + } + return uu____0; +} + +/** +This function found in impl {(core::convert::From for +libcrux_sha3::Algorithm)} +*/ +static inline libcrux_sha3_Algorithm libcrux_sha3_from_2d(uint32_t v) { + libcrux_sha3_Algorithm uu____0; + switch (v) { + case 1U: { + uu____0 = libcrux_sha3_Sha224; + break; + } + case 2U: { + uu____0 = libcrux_sha3_Sha256; + break; + } + case 3U: { + uu____0 = libcrux_sha3_Sha384; + break; + } + case 4U: { + uu____0 = libcrux_sha3_Sha512; + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + return uu____0; +} + +typedef uint8_t libcrux_sha3_Sha3_512Digest[64U]; + +typedef uint8_t libcrux_sha3_Sha3_384Digest[48U]; + +typedef uint8_t libcrux_sha3_Sha3_256Digest[32U]; + +typedef uint8_t libcrux_sha3_Sha3_224Digest[28U]; + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_sha3_portable_H_DEFINED +#endif From 0273d4a24842b89ebda8dc0374f6019bb949924d Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 6 Dec 2024 16:13:33 +0000 Subject: [PATCH 08/27] more fixes for C (extracting but broken) --- libcrux-ml-dsa/src/encoding/gamma1.rs | 32 +++----- libcrux-ml-dsa/src/encoding/signature.rs | 3 +- libcrux-ml-dsa/src/helper.rs | 59 ++++++++------ libcrux-ml-dsa/src/polynomial.rs | 7 +- libcrux-ml-dsa/src/sample.rs | 97 +++++++++++++----------- libcrux-ml-dsa/src/types.rs | 4 +- 6 files changed, 106 insertions(+), 96 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index 09e93f725..cf68b1fef 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -42,21 +42,13 @@ pub(crate) fn serialize< #[inline(always)] pub(crate) fn deserialize( serialized: &[u8], -) -> PolynomialRingElement { - let mut serialized_chunks = match GAMMA1_EXPONENT as u8 { - 17 => serialized.chunks(18), - 19 => serialized.chunks(20), - _ => unreachable!(), - }; - - let mut result = PolynomialRingElement::::ZERO(); - + result: &mut PolynomialRingElement, +) { for i in 0..result.simd_units.len() { - result.simd_units[i] = - SIMDUnit::gamma1_deserialize::(&serialized_chunks.next().unwrap()); + result.simd_units[i] = SIMDUnit::gamma1_deserialize::( + &serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], + ); } - - result } #[cfg(test)] @@ -199,10 +191,9 @@ mod tests { -69944, -100373, 94602, ]; - assert_eq!( - deserialize::(&bytes).to_i32_array(), - expected_coefficients - ); + let mut result = PolynomialRingElement::::ZERO(); + deserialize::(&bytes, &mut result); + assert_eq!(result.to_i32_array(), expected_coefficients); let bytes: [u8; 640] = [ 253, 11, 216, 60, 251, 71, 79, 187, 242, 250, 209, 44, 72, 206, 98, 3, 22, 91, 184, 22, @@ -270,10 +261,9 @@ mod tests { -138892, -414002, 42982, ]; - assert_eq!( - deserialize::(&bytes).to_i32_array(), - expected_coefficients - ); + let mut result = PolynomialRingElement::::ZERO(); + deserialize::(&bytes, &mut result); + assert_eq!(result.to_i32_array(), expected_coefficients); } #[cfg(not(feature = "simd256"))] diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 763b9abca..6377f5e33 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -87,9 +87,10 @@ impl< let mut signer_response = [PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; for i in 0..COLUMNS_IN_A { - signer_response[i] = encoding::gamma1::deserialize::( + encoding::gamma1::deserialize::( &signer_response_serialized [i * GAMMA1_RING_ELEMENT_SIZE..(i + 1) * GAMMA1_RING_ELEMENT_SIZE], + &mut signer_response[i], ); } diff --git a/libcrux-ml-dsa/src/helper.rs b/libcrux-ml-dsa/src/helper.rs index ef66362c3..daccf62b5 100644 --- a/libcrux-ml-dsa/src/helper.rs +++ b/libcrux-ml-dsa/src/helper.rs @@ -1,7 +1,7 @@ /// The following macros are defined so that the extraction from Rust to C code /// can go through. -// #[cfg(eurydice)] +#[cfg(eurydice)] macro_rules! cloop { (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { for $i in 0..$val.$values.len() / ($($chunk_size)*) { @@ -15,6 +15,12 @@ macro_rules! cloop { $body } }; + (for $chunk:ident in $values:ident.chunks_exact($($chunk_size:expr),*) $body:block) => { + for _cloop_i in 0..$values.len() / ($($chunk_size)*) { + let $chunk = &$values[_cloop_i*($($chunk_size)*) .. _cloop_i*($($chunk_size)*)+($($chunk_size)*)]; + $body + } + }; (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => { for $i in 0..$val.len() { let $item = &$val[$i]; @@ -47,29 +53,32 @@ macro_rules! cloop { }; } -// #[cfg(not(eurydice))] -// macro_rules! cloop { -// (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { -// for ($i, $chunk) in $val.$values.chunks_exact($($chunk_size),*).enumerate() $body -// }; -// (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { -// for ($i, $chunk) in $val.chunks_exact($($chunk_size),*).enumerate() $body -// }; -// (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => { -// for ($i, $item) in $val.iter().enumerate() $body -// }; -// (for $item:ident in $val:ident.iter() $body:block) => { -// for $item in $val.iter() $body -// }; -// (for ($i:ident, $item:ident) in $self:ident.$val:ident.iter().enumerate() $body:block) => { -// for ($i, $item) in $self.$val.iter().enumerate() $body -// }; -// (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => { -// for ($i, $item) in $val.into_iter().enumerate() $body -// }; -// (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => { -// for $i in ($start..$end).step_by($step) $body -// }; -// } +#[cfg(not(eurydice))] +macro_rules! cloop { + (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { + for ($i, $chunk) in $val.$values.chunks_exact($($chunk_size),*).enumerate() $body + }; + (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { + for ($i, $chunk) in $val.chunks_exact($($chunk_size),*).enumerate() $body + }; + (for $chunk:ident in $values:ident.chunks_exact($($chunk_size:expr),*) $body:block) => { + for $chunk in $values.chunks_exact($($chunk_size),*) $body + }; + (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => { + for ($i, $item) in $val.iter().enumerate() $body + }; + (for $item:ident in $val:ident.iter() $body:block) => { + for $item in $val.iter() $body + }; + (for ($i:ident, $item:ident) in $self:ident.$val:ident.iter().enumerate() $body:block) => { + for ($i, $item) in $self.$val.iter().enumerate() $body + }; + (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => { + for ($i, $item) in $val.into_iter().enumerate() $body + }; + (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => { + for $i in ($start..$end).step_by($step) $body + }; +} pub(crate) use cloop; diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index 2b2884abe..872e24a4b 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -36,12 +36,11 @@ impl PolynomialRingElement { pub(crate) fn from_i32_array(array: &[i32]) -> Self { debug_assert!(array.len() >= 256); - let mut array_chunks = array.chunks(COEFFICIENTS_IN_SIMD_UNIT); - let mut result = Self::ZERO(); - for i in 0..SIMD_UNITS_IN_RING_ELEMENT { - result.simd_units[i] = SIMDUnit::from_coefficient_array(&array_chunks.next().unwrap()); + result.simd_units[i] = SIMDUnit::from_coefficient_array( + &array[i * COEFFICIENTS_IN_SIMD_UNIT..(i + 1) * COEFFICIENTS_IN_SIMD_UNIT], + ); } result } diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index 14bcdca69..ed61cbe7e 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -2,6 +2,7 @@ use crate::{ constants::COEFFICIENTS_IN_RING_ELEMENT, encoding, hash_functions::{shake128, shake256}, + helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations, }; @@ -14,16 +15,18 @@ fn rejection_sample_less_than_field_modulus( ) -> bool { let mut done = false; - for random_bytes in randomness.chunks(24) { - if !done { - let sampled = SIMDUnit::rejection_sample_less_than_field_modulus( - random_bytes, - &mut out[*sampled_coefficients..], - ); - *sampled_coefficients += sampled; - - if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT { - done = true; + cloop! { + for random_bytes in randomness.chunks_exact(24) { + if !done { + let sampled = SIMDUnit::rejection_sample_less_than_field_modulus( + random_bytes, + &mut out[*sampled_coefficients..], + ); + *sampled_coefficients += sampled; + + if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT { + done = true; + } } } } @@ -168,16 +171,18 @@ fn rejection_sample_less_than_eta_equals_2( // Since each byte can be used to sample up to 2 coefficients, and since // a single SIMDUnit can hold 8 coefficients, we pass in 4 bytes of randomness. - for random_bytes in randomness.chunks(4) { - if !done { - let sampled = SIMDUnit::rejection_sample_less_than_eta_equals_2( - random_bytes, - &mut out[*sampled_coefficients..], - ); - *sampled_coefficients += sampled; - - if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT { - done = true; + cloop! { + for random_bytes in randomness.chunks_exact(4) { + if !done { + let sampled = SIMDUnit::rejection_sample_less_than_eta_equals_2( + random_bytes, + &mut out[*sampled_coefficients..], + ); + *sampled_coefficients += sampled; + + if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT { + done = true; + } } } } @@ -194,16 +199,18 @@ fn rejection_sample_less_than_eta_equals_4( // Since each byte can be used to sample up to 2 coefficients, and since // a single SIMDUnit can hold 8 coefficients, we pass in 4 bytes of randomness. - for random_bytes in randomness.chunks(4) { - if !done { - let sampled = SIMDUnit::rejection_sample_less_than_eta_equals_4( - random_bytes, - &mut out[*sampled_coefficients..], - ); - *sampled_coefficients += sampled; - - if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT { - done = true; + cloop! { + for random_bytes in randomness.chunks_exact(4) { + if !done { + let sampled = SIMDUnit::rejection_sample_less_than_eta_equals_4( + random_bytes, + &mut out[*sampled_coefficients..], + ); + *sampled_coefficients += sampled; + + if *sampled_coefficients >= COEFFICIENTS_IN_RING_ELEMENT { + done = true; + } } } } @@ -343,17 +350,18 @@ fn sample_mask_ring_element< const GAMMA1_EXPONENT: usize, >( seed: [u8; 66], -) -> PolynomialRingElement { + result: &mut PolynomialRingElement, +) { match GAMMA1_EXPONENT as u8 { 17 => { let mut out = [0u8; 576]; Shake256::shake256::<576>(&seed, &mut out); - encoding::gamma1::deserialize::(&out) + encoding::gamma1::deserialize::(&out, result); } 19 => { let mut out = [0u8; 640]; Shake256::shake256::<640>(&seed, &mut out); - encoding::gamma1::deserialize::(&out) + encoding::gamma1::deserialize::(&out, result); } _ => unreachable!(), } @@ -390,10 +398,10 @@ pub(crate) fn sample_mask_vector< Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); - mask[0] = encoding::gamma1::deserialize::(&out0); - mask[1] = encoding::gamma1::deserialize::(&out1); - mask[2] = encoding::gamma1::deserialize::(&out2); - mask[3] = encoding::gamma1::deserialize::(&out3); + encoding::gamma1::deserialize::(&out0, &mut mask[0]); + encoding::gamma1::deserialize::(&out1, &mut mask[1]); + encoding::gamma1::deserialize::(&out2, &mut mask[2]); + encoding::gamma1::deserialize::(&out3, &mut mask[3]); } 19 => { let mut out0 = [0; 640]; @@ -403,10 +411,10 @@ pub(crate) fn sample_mask_vector< Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); - mask[0] = encoding::gamma1::deserialize::(&out0); - mask[1] = encoding::gamma1::deserialize::(&out1); - mask[2] = encoding::gamma1::deserialize::(&out2); - mask[3] = encoding::gamma1::deserialize::(&out3); + encoding::gamma1::deserialize::(&out0, &mut mask[0]); + encoding::gamma1::deserialize::(&out1, &mut mask[1]); + encoding::gamma1::deserialize::(&out2, &mut mask[2]); + encoding::gamma1::deserialize::(&out3, &mut mask[3]); } _ => unreachable!(), } @@ -418,7 +426,7 @@ pub(crate) fn sample_mask_vector< *domain_separator += 1; // TODO: For 87 we may want to do another 4 and discard 1. - mask[i] = sample_mask_ring_element::(seed); + sample_mask_ring_element::(seed, &mut mask[i]); } mask @@ -669,7 +677,10 @@ mod tests { ); } - fn test_sample_challenge_ring_element_generic() { + fn test_sample_challenge_ring_element_generic< + SIMDUnit: Operations, + Shake256: shake256::DsaXof, + >() { // When TAU = 39 let seed: [u8; 32] = [ 3, 9, 159, 119, 236, 6, 207, 7, 103, 108, 187, 137, 222, 35, 37, 30, 79, 224, 204, 186, diff --git a/libcrux-ml-dsa/src/types.rs b/libcrux-ml-dsa/src/types.rs index 8cc04494d..c944ffa92 100644 --- a/libcrux-ml-dsa/src/types.rs +++ b/libcrux-ml-dsa/src/types.rs @@ -66,7 +66,7 @@ pub struct MLDSAKeyPair, } -#[derive(Debug)] +#[cfg_attr(not(eurydice), derive(Debug))] pub enum VerificationError { MalformedHintError, SignerResponseExceedsBoundError, @@ -76,7 +76,7 @@ pub enum VerificationError { VerificationContextTooLongError, } -#[derive(Debug)] +#[cfg_attr(not(eurydice), derive(Debug))] pub enum SigningError { RejectionSamplingError, ContextTooLongError, From 234b7d2b5171b5f1adc2a32822b74c821fcc43dd Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 6 Dec 2024 16:14:25 +0000 Subject: [PATCH 09/27] wip cg boilerplate --- libcrux-ml-dsa/cg/.gitignore | 1 + libcrux-ml-dsa/cg/CMakeLists.txt | 143 ++++++ libcrux-ml-dsa/cg/code_gen.txt | 2 +- libcrux-ml-dsa/cg/eurydice_glue.h | 177 ++++++++ libcrux-ml-dsa/cg/header.txt | 2 +- .../cg/intrinsics/libcrux_intrinsics_avx2.h | 216 +++++++++ libcrux-ml-dsa/cg/karamel/endianness.h | 228 ++++++++++ libcrux-ml-dsa/cg/karamel/target.h | 55 +++ libcrux-ml-dsa/cg/libcrux_core.h | 33 +- libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 264 +++-------- libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 425 +++++------------- libcrux-ml-dsa/cg/libcrux_sha3_avx2.h | 2 +- libcrux-ml-dsa/cg/libcrux_sha3_portable.h | 2 +- libcrux-ml-dsa/cg/tests/mldsa65.cc | 53 +++ 14 files changed, 1058 insertions(+), 545 deletions(-) create mode 100644 libcrux-ml-dsa/cg/.gitignore create mode 100644 libcrux-ml-dsa/cg/CMakeLists.txt create mode 100644 libcrux-ml-dsa/cg/eurydice_glue.h create mode 100644 libcrux-ml-dsa/cg/intrinsics/libcrux_intrinsics_avx2.h create mode 100644 libcrux-ml-dsa/cg/karamel/endianness.h create mode 100644 libcrux-ml-dsa/cg/karamel/target.h create mode 100644 libcrux-ml-dsa/cg/tests/mldsa65.cc diff --git a/libcrux-ml-dsa/cg/.gitignore b/libcrux-ml-dsa/cg/.gitignore new file mode 100644 index 000000000..567609b12 --- /dev/null +++ b/libcrux-ml-dsa/cg/.gitignore @@ -0,0 +1 @@ +build/ diff --git a/libcrux-ml-dsa/cg/CMakeLists.txt b/libcrux-ml-dsa/cg/CMakeLists.txt new file mode 100644 index 000000000..b16bf8883 --- /dev/null +++ b/libcrux-ml-dsa/cg/CMakeLists.txt @@ -0,0 +1,143 @@ +# cmake -B build -G "Ninja Multi-Config" +# cmake --build build +# # For release (benchmarks) +# cmake --build build --config Release + +cmake_minimum_required(VERSION 3.10) + +project(libcrux-ml-dsa + VERSION 0.1.0 + LANGUAGES C CXX +) + +set(CMAKE_C_STANDARD 11) +set(CMAKE_CXX_STANDARD 20) + +if(NOT MSVC) + add_compile_options( + -Wall + -fstack-usage + -Wunused-function + $<$:-g> + $<$:-Og> + $<$:-g> + $<$:-O3> + ) +endif(NOT MSVC) + +if((CMAKE_C_COMPILER_ID STREQUAL "Clang" AND + CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.0.0") OR + (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND + CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.1.6")) + add_compile_options(-Werror -Wframe-larger-than=25344) +endif() + +set(CMAKE_COLOR_DIAGNOSTICS "ON") +set(CMAKE_EXPORT_COMPILE_COMMANDS 1) +include_directories( + ${PROJECT_SOURCE_DIR} + ${PROJECT_SOURCE_DIR}/karamel +) + +if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|amd64|AMD64") + message(STATUS "Detected an x64 architecture") + add_compile_definitions(LIBCRUX_X64) +endif() + +if(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64|arm64v8" AND DEFINED ENV{LIBCRUX_NEON}) + message(STATUS "Detected an arm64 architecture") + add_compile_definitions(LIBCRUX_AARCH64) +endif() + +# --- Tests + +# Get gtests +include(FetchContent) +FetchContent_Declare(googletest + DOWNLOAD_EXTRACT_TIMESTAMP TRUE + URL https://github.com/google/googletest/archive/refs/tags/release-1.11.0.zip +) + +# For Windows: Prevent overriding the parent project's compiler/linker settings +set(gtest_force_shared_crt ON CACHE BOOL "" FORCE) +FetchContent_MakeAvailable(googletest) + +# Get nlohmann json +FetchContent_Declare(json + DOWNLOAD_EXTRACT_TIMESTAMP TRUE + URL https://github.com/nlohmann/json/archive/refs/tags/v3.10.3.zip +) +FetchContent_MakeAvailable(json) + +add_executable(ml_dsa_test + ${PROJECT_SOURCE_DIR}/tests/mldsa65.cc +) +target_link_libraries(ml_dsa_test PRIVATE + gtest_main + nlohmann_json::nlohmann_json +) + +# add_executable(kyber_test +# ${PROJECT_SOURCE_DIR}/tests/kyber768.cc +# ) +# target_link_libraries(kyber_test PRIVATE +# gtest_main +# nlohmann_json::nlohmann_json +# ) + +# add_executable(sha3_test +# ${PROJECT_SOURCE_DIR}/tests/sha3.cc +# ) +# target_link_libraries(sha3_test PRIVATE +# gtest_main +# nlohmann_json::nlohmann_json +# ) + +# # --- Benchmarks +# if(DEFINED ENV{LIBCRUX_BENCHMARKS}) +# FetchContent_Declare(benchmark +# GIT_REPOSITORY https://github.com/google/benchmark.git +# GIT_TAG v1.8.4 +# ) +# FetchContent_MakeAvailable(benchmark) + +# add_executable(ml_dsa_bench +# ${PROJECT_SOURCE_DIR}/benches/mldsa768.cc +# ) +# target_link_libraries(ml_dsa_bench PRIVATE +# benchmark::benchmark +# ) + +# if(DEFINED ENV{SYMCRYPT_PATH}) +# message("Symcrypt path: $ENV{SYMCRYPT_PATH}") +# add_compile_definitions(LIBCRUX_SYMCRYPT) +# target_include_directories(ml_dsa_bench PRIVATE $ENV{SYMCRYPT_PATH}) +# target_link_directories(ml_dsa_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) +# target_link_libraries(ml_dsa_bench PRIVATE symcrypt) +# endif(DEFINED ENV{SYMCRYPT_PATH}) + +# add_executable(ml_dsa_keygen +# ${PROJECT_SOURCE_DIR}/benches/mldsa768_keygen.cc +# ) +# target_link_libraries(ml_dsa_keygen PRIVATE +# benchmark::benchmark +# ) + +# add_executable(ml_dsa_encaps +# ${PROJECT_SOURCE_DIR}/benches/mldsa768_encaps.cc +# ) +# target_link_libraries(ml_dsa_encaps PRIVATE +# benchmark::benchmark +# ) + +# if(NOT MSVC) +# # We benchmark internal functions here that are inlined and thus not available +# # in MSVC. +# add_executable(sha3_bench +# ${PROJECT_SOURCE_DIR}/benches/sha3.cc +# ) +# target_link_libraries(sha3_bench PRIVATE +# benchmark::benchmark +# ) +# endif(NOT MSVC) +# endif(DEFINED ENV{LIBCRUX_BENCHMARKS}) diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index 33600f72a..6262f3ad3 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be +Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 diff --git a/libcrux-ml-dsa/cg/eurydice_glue.h b/libcrux-ml-dsa/cg/eurydice_glue.h new file mode 100644 index 000000000..3f9b35cc2 --- /dev/null +++ b/libcrux-ml-dsa/cg/eurydice_glue.h @@ -0,0 +1,177 @@ +/* + * SPDX-FileCopyrightText: 2024 Eurydice Contributors + * SPDX-FileCopyrightText: 2024 Cryspen Sarl + * + * SPDX-License-Identifier: MIT or Apache-2.0 + */ + +#pragma once + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include +#include +#include +#include + +#include "karamel/endianness.h" +#include "karamel/target.h" + +// SLICES, ARRAYS, ETC. + +// The MSVC C++ compiler does not support compound literals. +// This CLITERAL is used to turn `(type){...}` into `type{...}` when using a C++ +// compiler. +#if defined(__cplusplus) +#define CLITERAL(type) type +#else +#define CLITERAL(type) (type) +#endif + +// We represent a slice as a pair of an (untyped) pointer, along with the length +// of the slice, i.e. the number of elements in the slice (this is NOT the +// number of bytes). This design choice has two important consequences. +// - if you need to use `ptr`, you MUST cast it to a proper type *before* +// performing pointer +// arithmetic on it (remember that C desugars pointer arithmetic based on the +// type of the address) +// - if you need to use `len` for a C style function (e.g. memcpy, memcmp), you +// need to multiply it +// by sizeof t, where t is the type of the elements. +// +// Empty slices have `len == 0` and `ptr` always needs to be valid pointer that +// is not NULL (otherwise the construction in EURYDICE_SLICE computes `NULL + +// start`). +typedef struct { + void *ptr; + size_t len; +} Eurydice_slice; + +// Helper macro to create a slice out of a pointer x, a start index in x +// (included), and an end index in x (excluded). The argument x must be suitably +// cast to something that can decay (see remark above about how pointer +// arithmetic works in C), meaning either pointer or array type. +#define EURYDICE_SLICE(x, start, end) \ + (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start}) +#define EURYDICE_SLICE_LEN(s, _) s.len +// This macro is a pain because in case the dereferenced element type is an +// array, you cannot simply write `t x` as it would yield `int[4] x` instead, +// which is NOT correct C syntax, so we add a dedicated phase in Eurydice that +// adds an extra argument to this macro at the last minute so that we have the +// correct type of *pointers* to elements. +#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i]) +#define Eurydice_slice_subslice(s, r, t, _) \ + EURYDICE_SLICE((t *)s.ptr, r.start, r.end) +// Variant for when the start and end indices are statically known (i.e., the +// range argument `r` is a literal). +#define Eurydice_slice_subslice2(s, start, end, t) \ + EURYDICE_SLICE((t *)s.ptr, start, end) +#define Eurydice_slice_subslice_to(s, subslice_end_pos, t, _) \ + EURYDICE_SLICE((t *)s.ptr, 0, subslice_end_pos) +#define Eurydice_slice_subslice_from(s, subslice_start_pos, t, _) \ + EURYDICE_SLICE((t *)s.ptr, subslice_start_pos, s.len) +#define Eurydice_array_to_slice(end, x, t) \ + EURYDICE_SLICE(x, 0, \ + end) /* x is already at an array type, no need for cast */ +#define Eurydice_array_to_subslice(_arraylen, x, r, t, _) \ + EURYDICE_SLICE((t *)x, r.start, r.end) +// Same as above, variant for when start and end are statically known +#define Eurydice_array_to_subslice2(x, start, end, t) \ + EURYDICE_SLICE((t *)x, start, end) +#define Eurydice_array_to_subslice_to(_size, x, r, t, _range_t) \ + EURYDICE_SLICE((t *)x, 0, r) +#define Eurydice_array_to_subslice_from(size, x, r, t, _range_t) \ + EURYDICE_SLICE((t *)x, r, size) +#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t) +#define Eurydice_slice_copy(dst, src, t) \ + memcpy(dst.ptr, src.ptr, dst.len * sizeof(t)) +#define core_array___Array_T__N__23__as_slice(len_, ptr_, t, _ret_t) \ + (CLITERAL(Eurydice_slice){.ptr = ptr_, .len = len_}) + +#define core_array___core__clone__Clone_for__Array_T__N___20__clone( \ + len, src, dst, elem_type, _ret_t) \ + (memcpy(dst, src, len * sizeof(elem_type))) +#define TryFromSliceError uint8_t + +#define Eurydice_array_eq(sz, a1, a2, t, _) \ + (memcmp(a1, a2, sz * sizeof(t)) == 0) +#define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( \ + sz, a1, a2, t, _, _ret_t) \ + Eurydice_array_eq(sz, a1, a2, t, _) +#define core_array_equality___core__cmp__PartialEq__0___Slice_U____for__Array_T__N___3__eq( \ + sz, a1, a2, t, _, _ret_t) \ + Eurydice_array_eq(sz, a1, ((a2)->ptr), t, _) + +#define Eurydice_slice_split_at(slice, mid, element_type, ret_t) \ + (CLITERAL(ret_t){ \ + .fst = EURYDICE_SLICE((element_type *)slice.ptr, 0, mid), \ + .snd = EURYDICE_SLICE((element_type *)slice.ptr, mid, slice.len)}) +#define Eurydice_slice_split_at_mut(slice, mid, element_type, ret_t) \ + (CLITERAL(ret_t){ \ + .fst = {.ptr = slice.ptr, .len = mid}, \ + .snd = {.ptr = (char *)slice.ptr + mid * sizeof(element_type), \ + .len = slice.len - mid}}) + +// Conversion of slice to an array, rewritten (by Eurydice) to name the +// destination array, since arrays are not values in C. +// N.B.: see note in karamel/lib/Inlining.ml if you change this. +#define Eurydice_slice_to_array2(dst, src, _, t_arr) \ + Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \ + sizeof(t_arr)) + +static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok, + Eurydice_slice src, size_t sz) { + *dst_tag = 0; + memcpy(dst_ok, src.ptr, sz); +} + +// CORE STUFF (conversions, endianness, ...) + +static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) { + store64_le(buf, v); +} +static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) { + return load64_le(buf); +} + +static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) { + return load32_le(buf); +} + +static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { +#ifdef _MSC_VER + return __popcnt(x0); +#else + return __builtin_popcount(x0); +#endif +} + +// unsigned overflow wraparound semantics in C +static inline uint16_t core_num__u16_7__wrapping_add(uint16_t x, uint16_t y) { + return x + y; +} +static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) { + return x - y; +} + +// ITERATORS + +#define Eurydice_range_iter_next(iter_ptr, t, ret_t) \ + (((iter_ptr)->start == (iter_ptr)->end) \ + ? (CLITERAL(ret_t){.tag = None, .f0 = 0}) \ + : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++})) + +#define core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next \ + Eurydice_range_iter_next + +// See note in karamel/lib/Inlining.ml if you change this +#define Eurydice_into_iter(x, t, _ret_t) (x) +#define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter \ + Eurydice_into_iter + +#if defined(__cplusplus) +} +#endif diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index 5d85f31d0..89d611dc6 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 */ diff --git a/libcrux-ml-dsa/cg/intrinsics/libcrux_intrinsics_avx2.h b/libcrux-ml-dsa/cg/intrinsics/libcrux_intrinsics_avx2.h new file mode 100644 index 000000000..b51a17c1d --- /dev/null +++ b/libcrux-ml-dsa/cg/intrinsics/libcrux_intrinsics_avx2.h @@ -0,0 +1,216 @@ +/* + * SPDX-FileCopyrightText: 2024 Cryspen Sarl + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#ifndef __libcrux_intrinsics_avx2_H +#define __libcrux_intrinsics_avx2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "../eurydice_glue.h" +#include "immintrin.h" + +typedef __m128i core_core_arch_x86___m128i; +typedef __m256i core_core_arch_x86___m256i; + +// Cast and Convert + +#define libcrux_intrinsics_avx2_mm256_castsi256_si128(a) \ + (_mm256_castsi256_si128(a)) + +#define libcrux_intrinsics_avx2_mm256_cvtepi16_epi32(a) \ + (_mm256_cvtepi16_epi32(a)) + +#define libcrux_intrinsics_avx2_mm256_castsi128_si256(a) \ + (_mm256_castsi128_si256(a)) + +// Initialize, Load, Store + +#define libcrux_intrinsics_avx2_mm256_setzero_si256(void) \ + (_mm256_setzero_si256()) + +#define libcrux_intrinsics_avx2_mm256_set1_epi16(a) (_mm256_set1_epi16(a)) + +#define libcrux_intrinsics_avx2_mm256_set1_epi32(a) (_mm256_set1_epi32(a)) + +#define libcrux_intrinsics_avx2_mm256_set1_epi64x(a) (_mm256_set1_epi64x(a)) + +#define libcrux_intrinsics_avx2_mm_set1_epi16(a) (_mm_set1_epi16(a)) + +#define libcrux_intrinsics_avx2_mm256_set_epi16( \ + x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15) \ + (_mm256_set_epi16(x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, \ + x13, x14, x15)) + +#define libcrux_intrinsics_avx2_mm256_set_epi8( \ + x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, \ + x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x30, x31) \ + (_mm256_set_epi8(x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, \ + x14, x15, x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, \ + x26, x27, x28, x29, x30, x31)) + +#define libcrux_intrinsics_avx2_mm_set_epi8( \ + x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15) \ + (_mm_set_epi8(x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, \ + x14, x15)) + +#define libcrux_intrinsics_avx2_mm256_set_epi32(x0, x1, x2, x3, x4, x5, x6, \ + x7) \ + (_mm256_set_epi32(x0, x1, x2, x3, x4, x5, x6, x7)) + +#define libcrux_intrinsics_avx2_mm256_loadu_si256_i16(a) \ + (_mm256_loadu_si256((const __m256i *)a.ptr)) + +#define libcrux_intrinsics_avx2_mm256_loadu_si256_u8(a) \ + (_mm256_loadu_si256((const __m256i *)a.ptr)) + +#define libcrux_intrinsics_avx2_mm_loadu_si128(a) \ + (_mm_loadu_si128((const __m128i *)a.ptr)) + +#define libcrux_intrinsics_avx2_mm_storeu_bytes_si128(a, b) \ + (_mm_storeu_si128((__m128i *)a.ptr, b)) + +#define libcrux_intrinsics_avx2_mm256_storeu_si256_i16(a, b) \ + (_mm256_storeu_si256((__m256i *)a.ptr, b)) + +#define libcrux_intrinsics_avx2_mm256_storeu_si256_u8(a, b) \ + (_mm256_storeu_si256((__m256i *)a.ptr, b)) + +#define libcrux_intrinsics_avx2_mm_storeu_si128(a, b) \ + (_mm_storeu_si128((__m128i *)a.ptr, b)) + +// Arithmetic: Add, Sub + +#define libcrux_intrinsics_avx2_mm256_add_epi16(a, b) (_mm256_add_epi16(a, b)) + +#define libcrux_intrinsics_avx2_mm256_add_epi32(a, b) (_mm256_add_epi32(a, b)) + +#define libcrux_intrinsics_avx2_mm_add_epi16(a, b) (_mm_add_epi16(a, b)) + +#define libcrux_intrinsics_avx2_mm256_sub_epi16(a, b) (_mm256_sub_epi16(a, b)) + +#define libcrux_intrinsics_avx2_mm_sub_epi16(a, b) (_mm_sub_epi16(a, b)) + +// Arithmetic: Mul low and high, Mul-Add combinations + +#define libcrux_intrinsics_avx2_mm256_mullo_epi16(a, b) \ + (_mm256_mullo_epi16(a, b)) + +#define libcrux_intrinsics_avx2_mm256_mulhi_epi16(a, b) \ + (_mm256_mulhi_epi16(a, b)) + +#define libcrux_intrinsics_avx2_mm256_mul_epu32(a, b) (_mm256_mul_epu32(a, b)) + +#define libcrux_intrinsics_avx2_mm256_mullo_epi32(a, b) \ + (_mm256_mullo_epi32(a, b)) + +#define libcrux_intrinsics_avx2_mm_mullo_epi16(a, b) (_mm_mullo_epi16(a, b)) + +#define libcrux_intrinsics_avx2_mm_mulhi_epi16(a, b) (_mm_mulhi_epi16(a, b)) + +#define libcrux_intrinsics_avx2_mm256_madd_epi16(a, b) (_mm256_madd_epi16(a, b)) + +// Comparison + +#define libcrux_intrinsics_avx2_mm256_cmpgt_epi16(a, b) \ + (_mm256_cmpgt_epi16(a, b)) + +// Bitwise operations + +#define libcrux_intrinsics_avx2_mm256_and_si256(a, b) (_mm256_and_si256(a, b)) + +#define libcrux_intrinsics_avx2_mm256_andnot_si256(a, b) \ + (_mm256_andnot_si256(a, b)) + +#define libcrux_intrinsics_avx2_mm256_xor_si256(a, b) (_mm256_xor_si256(a, b)) + +#define libcrux_intrinsics_avx2_mm_movemask_epi8(a) (_mm_movemask_epi8(a)) + +// Shift operations +#define libcrux_intrinsics_avx2_mm256_srai_epi16(a, b, _) \ + (_mm256_srai_epi16(b, a)) + +#define libcrux_intrinsics_avx2_mm256_srli_epi16(a, b, _) \ + (_mm256_srli_epi16(b, a)) + +#define libcrux_intrinsics_avx2_mm256_slli_epi16(a, b, _) \ + (_mm256_slli_epi16(b, a)) + +#define libcrux_intrinsics_avx2_mm256_slli_epi32(a, b, _) \ + (_mm256_slli_epi32(b, a)) + +#define libcrux_intrinsics_avx2_mm256_slli_epi64_(a, b) \ + (_mm256_slli_epi64(b, a)) + +#define libcrux_intrinsics_avx2_mm256_slli_epi64(a, b, c) \ + (libcrux_intrinsics_avx2_mm256_slli_epi64_(a, b)) + +#define libcrux_intrinsics_avx2_mm256_srai_epi32(a, b, _) \ + (_mm256_srai_epi32(b, a)) + +#define libcrux_intrinsics_avx2_mm256_srli_epi32(a, b, _) \ + (_mm256_srli_epi32(b, a)) + +#define libcrux_intrinsics_avx2_mm256_sllv_epi32(a, b) (_mm256_sllv_epi32(a, b)) + +#define libcrux_intrinsics_avx2_mm256_srli_epi64_(a, b) \ + (_mm256_srli_epi64(b, a)) + +#define libcrux_intrinsics_avx2_mm256_srli_epi64(a, b, c) \ + (libcrux_intrinsics_avx2_mm256_srli_epi64_(a, b)) + +// Shuffle and Vector Interleaving + +#define libcrux_intrinsics_avx2_mm256_unpacklo_epi32(a, b) \ + (_mm256_unpacklo_epi32(a, b)) + +#define libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b) \ + (_mm256_unpacklo_epi64(a, b)) + +#define libcrux_intrinsics_avx2_mm256_unpackhi_epi32(a, b) \ + (_mm256_unpackhi_epi32(a, b)) + +#define libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b) \ + (_mm256_unpackhi_epi64(a, b)) + +#define libcrux_intrinsics_avx2_mm256_packs_epi32(a, b) \ + (_mm256_packs_epi32(a, b)) + +#define libcrux_intrinsics_avx2_mm_packs_epi16(a, b) (_mm_packs_epi16(a, b)) + +#define libcrux_intrinsics_avx2_mm256_shuffle_epi32(a, b, _) \ + (_mm256_shuffle_epi32(b, a)) + +#define libcrux_intrinsics_avx2_mm256_extracti128_si256(a, b, _) \ + (_mm256_extracti128_si256(b, a)) + +#define libcrux_intrinsics_avx2_mm256_permute4x64_epi64(a, b, _) \ + (_mm256_permute4x64_epi64(b, a)) + +#define libcrux_intrinsics_avx2_mm256_permute2x128_si256(a, b, c, d) \ + (_mm256_permute2x128_si256(b, c, a)) + +#define libcrux_intrinsics_avx2_mm256_inserti128_si256(a, b, c, _) \ + (_mm256_inserti128_si256(b, c, a)) + +#define libcrux_intrinsics_avx2_mm256_blend_epi16(a, b, c, _) \ + (_mm256_blend_epi16(b, c, a)) + +#define libcrux_intrinsics_avx2_mm256_shuffle_epi8(a, b) \ + (_mm256_shuffle_epi8(a, b)) + +#define libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(a, b) \ + (_mm256_permutevar8x32_epi32(a, b)) + +#define libcrux_intrinsics_avx2_mm_shuffle_epi8(a, b) (_mm_shuffle_epi8(a, b)) + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_intrinsics_avx2_H_DEFINED +#endif diff --git a/libcrux-ml-dsa/cg/karamel/endianness.h b/libcrux-ml-dsa/cg/karamel/endianness.h new file mode 100644 index 000000000..d59d9854d --- /dev/null +++ b/libcrux-ml-dsa/cg/karamel/endianness.h @@ -0,0 +1,228 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 and MIT Licenses. */ + +#ifndef __LOWSTAR_ENDIANNESS_H +#define __LOWSTAR_ENDIANNESS_H + +#include +#include + +/******************************************************************************/ +/* Implementing C.fst (part 2: endian-ness macros) */ +/******************************************************************************/ + +/* ... for Linux */ +#if defined(__linux__) || defined(__CYGWIN__) || \ + defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__) +#include + +/* ... for OSX */ +#elif defined(__APPLE__) +#include +#define htole64(x) OSSwapHostToLittleInt64(x) +#define le64toh(x) OSSwapLittleToHostInt64(x) +#define htobe64(x) OSSwapHostToBigInt64(x) +#define be64toh(x) OSSwapBigToHostInt64(x) + +#define htole16(x) OSSwapHostToLittleInt16(x) +#define le16toh(x) OSSwapLittleToHostInt16(x) +#define htobe16(x) OSSwapHostToBigInt16(x) +#define be16toh(x) OSSwapBigToHostInt16(x) + +#define htole32(x) OSSwapHostToLittleInt32(x) +#define le32toh(x) OSSwapLittleToHostInt32(x) +#define htobe32(x) OSSwapHostToBigInt32(x) +#define be32toh(x) OSSwapBigToHostInt32(x) + +/* ... for Solaris */ +#elif defined(__sun__) +#include +#define htole64(x) LE_64(x) +#define le64toh(x) LE_64(x) +#define htobe64(x) BE_64(x) +#define be64toh(x) BE_64(x) + +#define htole16(x) LE_16(x) +#define le16toh(x) LE_16(x) +#define htobe16(x) BE_16(x) +#define be16toh(x) BE_16(x) + +#define htole32(x) LE_32(x) +#define le32toh(x) LE_32(x) +#define htobe32(x) BE_32(x) +#define be32toh(x) BE_32(x) + +/* ... for the BSDs */ +#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +#include +#elif defined(__OpenBSD__) +#include + +/* ... for Windows (MSVC)... not targeting XBOX 360! */ +#elif defined(_MSC_VER) + +#include +#define htobe16(x) _byteswap_ushort(x) +#define htole16(x) (x) +#define be16toh(x) _byteswap_ushort(x) +#define le16toh(x) (x) + +#define htobe32(x) _byteswap_ulong(x) +#define htole32(x) (x) +#define be32toh(x) _byteswap_ulong(x) +#define le32toh(x) (x) + +#define htobe64(x) _byteswap_uint64(x) +#define htole64(x) (x) +#define be64toh(x) _byteswap_uint64(x) +#define le64toh(x) (x) + +/* ... for Windows (GCC-like, e.g. mingw or clang) */ +#elif (defined(_WIN32) || defined(_WIN64) || defined(__EMSCRIPTEN__)) && \ + (defined(__GNUC__) || defined(__clang__)) + +#define htobe16(x) __builtin_bswap16(x) +#define htole16(x) (x) +#define be16toh(x) __builtin_bswap16(x) +#define le16toh(x) (x) + +#define htobe32(x) __builtin_bswap32(x) +#define htole32(x) (x) +#define be32toh(x) __builtin_bswap32(x) +#define le32toh(x) (x) + +#define htobe64(x) __builtin_bswap64(x) +#define htole64(x) (x) +#define be64toh(x) __builtin_bswap64(x) +#define le64toh(x) (x) + +/* ... generic big-endian fallback code */ +/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always + * big-endian */ +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \ + defined(_AIX) + +/* byte swapping code inspired by: + * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h + * */ + +#define htobe32(x) (x) +#define be32toh(x) (x) +#define htole32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +#define le32toh(x) (htole32((x))) + +#define htobe64(x) (x) +#define be64toh(x) (x) +#define htole64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +#define le64toh(x) (htole64((x))) + +/* ... generic little-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + +#define htole32(x) (x) +#define le32toh(x) (x) +#define htobe32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +#define be32toh(x) (htobe32((x))) + +#define htole64(x) (x) +#define le64toh(x) (x) +#define htobe64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +#define be64toh(x) (htobe64((x))) + +/* ... couldn't determine endian-ness of the target platform */ +#else +#error "Please define __BYTE_ORDER__!" + +#endif /* defined(__linux__) || ... */ + +/* Loads and stores. These avoid undefined behavior due to unaligned memory + * accesses, via memcpy. */ + +inline static uint16_t load16(uint8_t *b) { + uint16_t x; + memcpy(&x, b, 2); + return x; +} + +inline static uint32_t load32(uint8_t *b) { + uint32_t x; + memcpy(&x, b, 4); + return x; +} + +inline static uint64_t load64(uint8_t *b) { + uint64_t x; + memcpy(&x, b, 8); + return x; +} + +inline static void store16(uint8_t *b, uint16_t i) { memcpy(b, &i, 2); } + +inline static void store32(uint8_t *b, uint32_t i) { memcpy(b, &i, 4); } + +inline static void store64(uint8_t *b, uint64_t i) { memcpy(b, &i, 8); } + +/* Legacy accessors so that this header can serve as an implementation of + * C.Endianness */ +#define load16_le(b) (le16toh(load16(b))) +#define store16_le(b, i) (store16(b, htole16(i))) +#define load16_be(b) (be16toh(load16(b))) +#define store16_be(b, i) (store16(b, htobe16(i))) + +#define load32_le(b) (le32toh(load32(b))) +#define store32_le(b, i) (store32(b, htole32(i))) +#define load32_be(b) (be32toh(load32(b))) +#define store32_be(b, i) (store32(b, htobe32(i))) + +#define load64_le(b) (le64toh(load64(b))) +#define store64_le(b, i) (store64(b, htole64(i))) +#define load64_be(b) (be64toh(load64(b))) +#define store64_be(b, i) (store64(b, htobe64(i))) + +/* Co-existence of LowStar.Endianness and FStar.Endianness generates name + * conflicts, because of course both insist on having no prefixes. Until a + * prefix is added, or until we truly retire FStar.Endianness, solve this issue + * in an elegant way. */ +#define load16_le0 load16_le +#define store16_le0 store16_le +#define load16_be0 load16_be +#define store16_be0 store16_be + +#define load32_le0 load32_le +#define store32_le0 store32_le +#define load32_be0 load32_be +#define store32_be0 store32_be + +#define load64_le0 load64_le +#define store64_le0 store64_le +#define load64_be0 load64_be +#define store64_be0 store64_be + +#define load128_le0 load128_le +#define store128_le0 store128_le +#define load128_be0 load128_be +#define store128_be0 store128_be + +#endif diff --git a/libcrux-ml-dsa/cg/karamel/target.h b/libcrux-ml-dsa/cg/karamel/target.h new file mode 100644 index 000000000..f34539303 --- /dev/null +++ b/libcrux-ml-dsa/cg/karamel/target.h @@ -0,0 +1,55 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + * Licensed under the Apache 2.0 and MIT Licenses. + * + * SPDX-FileCopyrightText: 2024 INRIA and Microsoft Corporation + * SPDX-FileCopyrightText: 2024 Cryspen Sarl + * + * SPDX-License-Identifier: MIT or Apache-2.0 + */ + +#ifndef __KRML_TARGET_H +#define __KRML_TARGET_H + +#ifndef KRML_HOST_PRINTF +#define KRML_HOST_PRINTF printf +#endif + +#if ((defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L) || \ + (defined(__cplusplus) && __cplusplus > 199711L)) && \ + (!defined(KRML_HOST_EPRINTF)) +#define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) +#elif !(defined KRML_HOST_EPRINTF) && defined(_MSC_VER) +#define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) +#endif + +#ifndef KRML_HOST_EXIT +#define KRML_HOST_EXIT exit +#endif + +// This does not actually force inline. +// Forcing inline increases stack usage beyond acceptable limits +#define KRML_MUSTINLINE inline + +#ifndef KRML_NOINLINE +#if defined(_MSC_VER) +#define KRML_NOINLINE __declspec(noinline) +#elif defined(__GNUC__) +#define KRML_NOINLINE __attribute__((noinline, unused)) +#else +#define KRML_NOINLINE +#warning "The KRML_NOINLINE macro is not defined for this toolchain!" +#warning "The compiler may defeat side-channel resistance with optimizations." +#warning \ + "Please locate target.h and try to fill it out with a suitable definition for this compiler." +#endif +#endif + +#ifndef KRML_ATTRIBUTE_TARGET +#if defined(__GNUC__) +#define KRML_ATTRIBUTE_TARGET(x) __attribute__((target(x))) +#else +#define KRML_ATTRIBUTE_TARGET(x) +#endif +#endif + +#endif diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index 50d5433fc..c7b7b6116 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 */ #ifndef __libcrux_core_H @@ -54,19 +54,6 @@ typedef struct Option_08_s { typedef uint8_t Result_a9_tags; -/** -A monomorphic instance of core.result.Result -with types (), core_fmt_Error - -*/ -typedef struct Result_a9_s { - Result_a9_tags tag; - void *f0; -} Result_a9; - -static inline Result_a9 core_fmt__core__fmt__Formatter__a__9__write_str( - core_fmt_Formatter *x0, Prims_string x1); - static inline uint32_t core_num__i32_2__count_ones(int32_t x0); static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t x0[8U]); @@ -331,13 +318,13 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_b6( /** A monomorphic instance of core.option.Option -with types Eurydice_slice int32_t +with types uint8_t* */ -typedef struct Option_93_s { +typedef struct Option_3f_s { Option_08_tags tag; - Eurydice_slice f0; -} Option_93; + uint8_t *f0; +} Option_3f; /** A monomorphic instance of core.option.Option @@ -383,16 +370,6 @@ static inline void unwrap_26_55(Result_6c self, int32_t ret[8U]) { } } -/** -A monomorphic instance of core.option.Option -with types uint8_t* - -*/ -typedef struct Option_3f_s { - Option_08_tags tag; - uint8_t *f0; -} Option_3f; - typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair_s { libcrux_ml_dsa_types_MLDSASigningKey_22 signing_key; libcrux_ml_dsa_types_MLDSAVerificationKey_ea verification_key; diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index 6d3d3112f..9bc355151 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 */ #ifndef __libcrux_mldsa65_avx2_H @@ -3027,31 +3027,23 @@ static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ea( Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { bool done = false; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - core_slice___Slice_T___chunks(randomness, (size_t)24U, uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, core_slice_iter_Chunks); - while (true) { - Option_1b uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &iter, uint8_t, Option_1b); - if (uu____0.tag == None) { - break; - } else { - Eurydice_slice random_bytes = uu____0.f0; - if (!done) { - Eurydice_slice uu____1 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2( - uu____1, Eurydice_array_to_subslice_from( - (size_t)263U, out, sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)24U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)24U, + _cloop_i * (size_t)24U + (size_t)24U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus_a2( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; } } } @@ -3072,20 +3064,17 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 libcrux_ml_dsa_polynomial_from_i32_array_ff_ea(Eurydice_slice array) { - core_slice_iter_Chunks array_chunks = core_slice___Slice_T___chunks( - array, LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, int32_t, - core_slice_iter_Chunks); libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_DSA_SIMD_TRAITS_SIMD_UNITS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i uu____0 = libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2( - core_option__core__option__Option_T__TraitClause_0___unwrap( - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &array_chunks, int32_t, Option_93), - Eurydice_slice, Eurydice_slice)); - result.simd_units[i0] = uu____0; + result.simd_units[i0] = libcrux_ml_dsa_simd_avx2_from_coefficient_array_a2( + Eurydice_slice_subslice2( + array, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + int32_t)); } return result; } @@ -3964,31 +3953,23 @@ static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_ea( Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { bool done = false; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - core_slice___Slice_T___chunks(randomness, (size_t)4U, uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, core_slice_iter_Chunks); - while (true) { - Option_1b uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &iter, uint8_t, Option_1b); - if (uu____0.tag == None) { - break; - } else { - Eurydice_slice random_bytes = uu____0.f0; - if (!done) { - Eurydice_slice uu____1 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2( - uu____1, Eurydice_array_to_subslice_from( - (size_t)263U, out, sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, + _cloop_i * (size_t)4U + (size_t)4U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_2_a2( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; } } } @@ -4006,31 +3987,23 @@ static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ea( Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { bool done = false; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - core_slice___Slice_T___chunks(randomness, (size_t)4U, uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, core_slice_iter_Chunks); - while (true) { - Option_1b uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &iter, uint8_t, Option_1b); - if (uu____0.tag == None) { - break; - } else { - Eurydice_slice random_bytes = uu____0.f0; - if (!done) { - Eurydice_slice uu____1 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( - uu____1, Eurydice_array_to_subslice_from( - (size_t)263U, out, sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, + _cloop_i * (size_t)4U + (size_t)4U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; } } } @@ -4964,13 +4937,7 @@ libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) { } /** - The internal signing API. - - If no `domain_separation_context` is supplied, it is assumed that - `message` already contains the domain separation. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, @@ -4992,9 +4959,9 @@ libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics - SIGNATURE_SIZE= 3309 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( - uint8_t *signing_key, Eurydice_slice message, - Option_84 domain_separation_context, uint8_t randomness[32U]) { +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_ea( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { KRML_HOST_EPRINTF( "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "Eurydice error: Failure(\"TODO: TraitTypes " @@ -5004,56 +4971,6 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( KRML_HOST_EXIT(255U); } -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, -libcrux_ml_dsa_hash_functions_simd256_Shake128x4, -libcrux_ml_dsa_hash_functions_simd256_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256Xof, -libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_ea( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( - context, (CLITERAL(Option_3f){.tag = None})); - Result_2e uu____1; - if (uu____0.tag == Ok) { - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = - uu____0.val.case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = - domain_separation_context; - uint8_t *uu____2 = signing_key; - Eurydice_slice uu____3 = message; - Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context0}; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( - uu____2, uu____3, uu____4, copy_of_randomness); - } else { - uu____1 = (CLITERAL(Result_2e){ - .tag = Err, - .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); - } - return uu____1; -} - /** Sign. */ @@ -5281,13 +5198,7 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign_pre_hashed_shake128( } /** - The internal verification API. - - If no `domain_separation_context` is supplied, it is assumed that - `message` already contains the domain separation. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, libcrux_ml_dsa_hash_functions_simd256_Shake128x4, libcrux_ml_dsa_hash_functions_simd256_Shake256, @@ -5307,10 +5218,9 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics - MAX_ONES_IN_HINT= 55 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( +static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_d1( uint8_t *verification_key_serialized, Eurydice_slice message, - Option_84 domain_separation_context, uint8_t *signature_serialized) { + Eurydice_slice context, uint8_t *signature_serialized) { KRML_HOST_EPRINTF( "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "Eurydice error: Failure(\"TODO: TraitTypes " @@ -5320,50 +5230,6 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( KRML_HOST_EXIT(255U); } -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, -libcrux_ml_dsa_hash_functions_simd256_Shake128x4, -libcrux_ml_dsa_hash_functions_simd256_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_d1( - uint8_t *verification_key_serialized, Eurydice_slice message, - Eurydice_slice context, uint8_t *signature_serialized) { - Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( - context, (CLITERAL(Option_3f){.tag = None})); - Result_41 uu____1; - if (uu____0.tag == Ok) { - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = - uu____0.val.case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = - domain_separation_context; - uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( - verification_key_serialized, message, - (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context0}), - signature_serialized); - } else { - uu____1 = (CLITERAL(Result_41){ - .tag = Err, - .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError}); - } - return uu____1; -} - /** Verify. */ diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index 3bbbfd2e9..0df065b82 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 */ #ifndef __libcrux_mldsa65_portable_H @@ -532,53 +532,6 @@ libcrux_ml_dsa_samplex4_generate_domain_separator(uint8_t row, uint8_t column) { #define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ (58728449ULL) -typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { - Eurydice_slice context; - Option_3f pre_hash_oid; -} libcrux_ml_dsa_pre_hash_DomainSeparationContext; - -#define libcrux_ml_dsa_pre_hash_ContextTooLongError 0 - -typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; - -/** -A monomorphic instance of core.result.Result -with types libcrux_ml_dsa_pre_hash_DomainSeparationContext, -libcrux_ml_dsa_pre_hash_DomainSeparationError - -*/ -typedef struct Result_a8_s { - Result_a9_tags tag; - union { - libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; - } val; -} Result_a8; - -/** - `context` must be at most 255 bytes long. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} -*/ -static inline Result_a8 libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, - Option_3f pre_hash_oid) { - Result_a8 uu____0; - if (Eurydice_slice_len(context, uint8_t) > - LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) { - uu____0 = (CLITERAL(Result_a8){ - .tag = Err, - .val = {.case_Err = libcrux_ml_dsa_pre_hash_ContextTooLongError}}); - } else { - uu____0 = (CLITERAL(Result_a8){ - .tag = Ok, - .val = { - .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); - } - return uu____0; -} - typedef struct libcrux_ml_dsa_pre_hash_SHAKE128_PH_s { } libcrux_ml_dsa_pre_hash_SHAKE128_PH; @@ -3702,31 +3655,23 @@ static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_rejection_sample_less_than_field_modulus_ba( Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { bool done = false; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - core_slice___Slice_T___chunks(randomness, (size_t)24U, uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, core_slice_iter_Chunks); - while (true) { - Option_1b uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &iter, uint8_t, Option_1b); - if (uu____0.tag == None) { - break; - } else { - Eurydice_slice random_bytes = uu____0.f0; - if (!done) { - Eurydice_slice uu____1 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_36( - uu____1, Eurydice_array_to_subslice_from( - (size_t)263U, out, sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)24U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)24U, + _cloop_i * (size_t)24U + (size_t)24U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_field_modulus_36( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; } } } @@ -3746,9 +3691,6 @@ with const generics */ static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_slice array) { - core_slice_iter_Chunks array_chunks = core_slice___Slice_T___chunks( - array, LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, int32_t, - core_slice_iter_Chunks); libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); for (size_t i = (size_t)0U; @@ -3756,10 +3698,12 @@ libcrux_ml_dsa_polynomial_from_i32_array_ff_ba(Eurydice_slice array) { size_t i0 = i; libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = libcrux_ml_dsa_simd_portable_from_coefficient_array_36( - core_option__core__option__Option_T__TraitClause_0___unwrap( - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &array_chunks, int32_t, Option_93), - Eurydice_slice, Eurydice_slice)); + Eurydice_slice_subslice2( + array, + i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + int32_t)); result.simd_units[i0] = uu____0; } return result; @@ -4632,31 +4576,23 @@ static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_2_ba( Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { bool done = false; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - core_slice___Slice_T___chunks(randomness, (size_t)4U, uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, core_slice_iter_Chunks); - while (true) { - Option_1b uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &iter, uint8_t, Option_1b); - if (uu____0.tag == None) { - break; - } else { - Eurydice_slice random_bytes = uu____0.f0; - if (!done) { - Eurydice_slice uu____1 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_36( - uu____1, Eurydice_array_to_subslice_from( - (size_t)263U, out, sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, + _cloop_i * (size_t)4U + (size_t)4U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_2_36( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; } } } @@ -4673,31 +4609,23 @@ static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_rejection_sample_less_than_eta_equals_4_ba( Eurydice_slice randomness, size_t *sampled_coefficients, int32_t *out) { bool done = false; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - core_slice___Slice_T___chunks(randomness, (size_t)4U, uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, core_slice_iter_Chunks); - while (true) { - Option_1b uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &iter, uint8_t, Option_1b); - if (uu____0.tag == None) { - break; - } else { - Eurydice_slice random_bytes = uu____0.f0; - if (!done) { - Eurydice_slice uu____1 = random_bytes; - size_t sampled = - libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( - uu____1, Eurydice_array_to_subslice_from( - (size_t)263U, out, sampled_coefficients[0U], - int32_t, size_t)); - sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; - if (sampled_coefficients[0U] >= - LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - done = true; - } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i++) { + size_t _cloop_i = i; + Eurydice_slice random_bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)4U, + _cloop_i * (size_t)4U + (size_t)4U, uint8_t); + if (!done) { + Eurydice_slice uu____0 = random_bytes; + size_t sampled = + libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( + uu____0, Eurydice_array_to_subslice_from((size_t)263U, out, + sampled_coefficients[0U], + int32_t, size_t)); + sampled_coefficients[0U] = sampled_coefficients[0U] + sampled; + if (sampled_coefficients[0U] >= + LIBCRUX_ML_DSA_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + done = true; } } } @@ -5589,23 +5517,7 @@ libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { } /** -A monomorphic instance of core.option.Option -with types libcrux_ml_dsa_pre_hash_DomainSeparationContext - -*/ -typedef struct Option_84_s { - Option_08_tags tag; - libcrux_ml_dsa_pre_hash_DomainSeparationContext f0; -} Option_84; - -/** - The internal signing API. - - If no `domain_separation_context` is supplied, it is assumed that - `message` already contains the domain separation. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, @@ -5626,9 +5538,9 @@ libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics - SIGNING_KEY_SIZE= 4032 - SIGNATURE_SIZE= 3309 */ -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( - uint8_t *signing_key, Eurydice_slice message, - Option_84 domain_separation_context, uint8_t randomness[32U]) { +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_05( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { KRML_HOST_EPRINTF( "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "Eurydice error: Failure(\"TODO: TraitTypes " @@ -5638,55 +5550,6 @@ static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( KRML_HOST_EXIT(255U); } -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake128X4, -libcrux_ml_dsa_hash_functions_portable_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256Xof, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_05( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( - context, (CLITERAL(Option_3f){.tag = None})); - Result_2e uu____1; - if (uu____0.tag == Ok) { - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = - uu____0.val.case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = - domain_separation_context; - uint8_t *uu____2 = signing_key; - Eurydice_slice uu____3 = message; - Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context0}; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( - uu____2, uu____3, uu____4, copy_of_randomness); - } else { - uu____1 = (CLITERAL(Result_2e){ - .tag = Err, - .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); - } - return uu____1; -} - /** Sign. */ @@ -5836,13 +5699,7 @@ libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128( } /** - The internal verification API. - - If no `domain_separation_context` is supplied, it is assumed that - `message` already contains the domain separation. -*/ -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, libcrux_ml_dsa_hash_functions_portable_Shake128X4, libcrux_ml_dsa_hash_functions_portable_Shake256, @@ -5861,10 +5718,9 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics - ONES_IN_VERIFIER_CHALLENGE= 49 - MAX_ONES_IN_HINT= 55 */ -static KRML_MUSTINLINE Result_41 -libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( +static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_99( uint8_t *verification_key_serialized, Eurydice_slice message, - Option_84 domain_separation_context, uint8_t *signature_serialized) { + Eurydice_slice context, uint8_t *signature_serialized) { KRML_HOST_EPRINTF( "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "Eurydice error: Failure(\"TODO: TraitTypes " @@ -5874,49 +5730,6 @@ libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( KRML_HOST_EXIT(255U); } -/** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake128X4, -libcrux_ml_dsa_hash_functions_portable_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- SIGNATURE_SIZE= 3309 -- VERIFICATION_KEY_SIZE= 1952 -- GAMMA1_EXPONENT= 19 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- GAMMA2= 261888 -- BETA= 196 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -*/ -static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_99( - uint8_t *verification_key_serialized, Eurydice_slice message, - Eurydice_slice context, uint8_t *signature_serialized) { - Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( - context, (CLITERAL(Option_3f){.tag = None})); - Result_41 uu____1; - if (uu____0.tag == Ok) { - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = - uu____0.val.case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = - domain_separation_context; - uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( - verification_key_serialized, message, - (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context0}), - signature_serialized); - } else { - uu____1 = (CLITERAL(Result_41){ - .tag = Err, - .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError}); - } - return uu____1; -} - /** Verify. */ @@ -6040,6 +5853,11 @@ libcrux_ml_dsa_ml_dsa_65_portable_verify_pre_hashed_shake128( libcrux_ml_dsa_types_as_raw_8f_fa(signature)); } +typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { + Eurydice_slice context; + Option_3f pre_hash_oid; +} libcrux_ml_dsa_pre_hash_DomainSeparationContext; + /** Returns the pre-hash OID, if any. */ @@ -6064,6 +5882,10 @@ static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( return self->context; } +#define libcrux_ml_dsa_pre_hash_ContextTooLongError 0 + +typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; + #define LIBCRUX_ML_DSA_PRE_HASH_PRE_HASH_OID_LEN ((size_t)11U) typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashOID[11U]; @@ -6093,6 +5915,43 @@ static const uint8_t libcrux_ml_dsa_pre_hash___libcrux_ml_dsa__pre_hash__PreHash_256__usize__for_libcrux_ml_dsa__pre_hash__SHAKE128_PH___OID [11U] = {6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U}; +#define libcrux_ml_dsa_pre_hash_Ok 0 +#define libcrux_ml_dsa_pre_hash_Err 1 + +typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashResult_tags; + +typedef struct libcrux_ml_dsa_pre_hash_PreHashResult_s { + libcrux_ml_dsa_pre_hash_PreHashResult_tags tag; + union { + libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; + } val; +} libcrux_ml_dsa_pre_hash_PreHashResult; + +/** + `context` must be at most 255 bytes long. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline libcrux_ml_dsa_pre_hash_PreHashResult +libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, Option_3f pre_hash_oid) { + libcrux_ml_dsa_pre_hash_PreHashResult uu____0; + if (Eurydice_slice_len(context, uint8_t) > + LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) { + uu____0 = (CLITERAL(libcrux_ml_dsa_pre_hash_PreHashResult){ + .tag = libcrux_ml_dsa_pre_hash_Err, + .val = {.case_Err = libcrux_ml_dsa_pre_hash_ContextTooLongError}}); + } else { + uu____0 = (CLITERAL(libcrux_ml_dsa_pre_hash_PreHashResult){ + .tag = libcrux_ml_dsa_pre_hash_Ok, + .val = { + .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); + } + return uu____0; +} + static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle( Eurydice_slice randomness, size_t *out_index, uint64_t *signs, int32_t *result) { @@ -6199,72 +6058,10 @@ libcrux_ml_dsa_simd_portable_vector_type_clone_ae( return self[0U]; } -/** -This function found in impl {(core::fmt::Debug for -libcrux_ml_dsa::types::SigningError)#7} -*/ -static inline Result_a9 libcrux_ml_dsa_types_fmt_16( - libcrux_ml_dsa_types_SigningError *self, core_fmt_Formatter *f) { - core_fmt_Formatter *uu____0 = f; - Prims_string uu____1; - switch (self[0U]) { - case libcrux_ml_dsa_types_RejectionSamplingError: { - uu____1 = "RejectionSamplingError"; - break; - } - case libcrux_ml_dsa_types_ContextTooLongError: { - uu____1 = "ContextTooLongError"; - break; - } - default: { - KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, - __LINE__); - KRML_HOST_EXIT(253U); - } - } - return core_fmt__core__fmt__Formatter__a__9__write_str(uu____0, uu____1); -} - -/** -This function found in impl {(core::fmt::Debug for -libcrux_ml_dsa::types::VerificationError)#6} -*/ -static inline Result_a9 libcrux_ml_dsa_types_fmt_7e( - libcrux_ml_dsa_types_VerificationError *self, core_fmt_Formatter *f) { - core_fmt_Formatter *uu____0 = f; - Prims_string uu____1; - switch (self[0U]) { - case libcrux_ml_dsa_types_MalformedHintError: { - uu____1 = "MalformedHintError"; - break; - } - case libcrux_ml_dsa_types_SignerResponseExceedsBoundError: { - uu____1 = "SignerResponseExceedsBoundError"; - break; - } - case libcrux_ml_dsa_types_CommitmentHashesDontMatchError: { - uu____1 = "CommitmentHashesDontMatchError"; - break; - } - case libcrux_ml_dsa_types_VerificationContextTooLongError: { - uu____1 = "VerificationContextTooLongError"; - break; - } - default: { - KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__, - __LINE__); - KRML_HOST_EXIT(253U); - } - } - return core_fmt__core__fmt__Formatter__a__9__write_str(uu____0, uu____1); -} - typedef int32_t libcrux_ml_dsa_simd_traits_FieldElementTimesMontgomeryR; typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_FieldElement; -typedef Result_a8 libcrux_ml_dsa_pre_hash_PreHashResult; - typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128_s { } libcrux_ml_dsa_hash_functions_portable_Shake128; diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h index 3c2909209..5b4eb7f14 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h index ee42379c7..807e69f7c 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 5a0f22fa8387080e4c4e4ac018aaddcdf944e4be + * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 */ #ifndef __libcrux_sha3_portable_H diff --git a/libcrux-ml-dsa/cg/tests/mldsa65.cc b/libcrux-ml-dsa/cg/tests/mldsa65.cc new file mode 100644 index 000000000..e1e4bdb33 --- /dev/null +++ b/libcrux-ml-dsa/cg/tests/mldsa65.cc @@ -0,0 +1,53 @@ +/* + * Copyright 2023 Cryspen Sarl + * + * Licensed under the Apache License, Version 2.0 or MIT. + * - http://www.apache.org/licenses/LICENSE-2.0 + * - http://opensource.org/licenses/MIT + */ + +#include + +#include "libcrux_mldsa65_portable.h" + +template +Eurydice_slice mk_slice(T *x, size_t len) +{ + Eurydice_slice s; + s.ptr = (void *)x; + s.len = len; + return s; +} + +TEST(MlDsa65TestPortable, ConsistencyTest) +{ + // Generate key pair + uint8_t randomness[32]; + for (int i = 0; i < 32; i++) + { + randomness[i] = 13; + } + auto key_pair = libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(randomness); + + // Sign + uint8_t msg[79] = {0}; + for (int i = 0; i < 32; i++) + { + randomness[i] = 0x55; + } + uint8_t context[0]; + auto ctxt = libcrux_ml_dsa_ml_dsa_65_portable_sign( + &key_pair.signing_key, + mk_slice(&msg, 79), + mk_slice(&context, 0), + randomness); + + // // Verify + // uint8_t sharedSecret2[LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE]; + // libcrux_ml_kem_mlkem768_portable_decapsulate(&key_pair.sk, &ctxt.fst, sharedSecret2); + + // EXPECT_EQ(0, + // memcmp(ctxt.snd, + // sharedSecret2, + // LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE)); +} From 8723dfe44ec033d255ddf24b65572826b8ec547b Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 6 Dec 2024 17:39:42 +0000 Subject: [PATCH 10/27] update serialize --- libcrux-ml-dsa/src/encoding/gamma1.rs | 46 +++++-------------- libcrux-ml-dsa/src/encoding/signature.rs | 7 ++- libcrux-ml-dsa/src/simd/avx2.rs | 4 +- .../src/simd/avx2/encoding/gamma1.rs | 20 ++++---- libcrux-ml-dsa/src/simd/portable.rs | 4 +- .../src/simd/portable/encoding/gamma1.rs | 29 ++++-------- libcrux-ml-dsa/src/simd/traits.rs | 2 +- 7 files changed, 36 insertions(+), 76 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index cf68b1fef..08b56eabd 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -1,41 +1,15 @@ use crate::{polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] -pub(crate) fn serialize< - SIMDUnit: Operations, - const GAMMA1_EXPONENT: usize, - const OUTPUT_BYTES: usize, ->( +pub(crate) fn serialize( re: PolynomialRingElement, -) -> [u8; OUTPUT_BYTES] { - let mut serialized = [0u8; OUTPUT_BYTES]; - - match GAMMA1_EXPONENT as u8 { - 17 => { - const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 18; - - for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice(&SIMDUnit::gamma1_serialize::( - *simd_unit, - )); - } - - serialized - } - 19 => { - const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 20; - - for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice(&SIMDUnit::gamma1_serialize::( - *simd_unit, - )); - } - - serialized - } - _ => unreachable!(), + serialized: &mut [u8], // OUTPUT_BYTES +) { + for (i, simd_unit) in re.simd_units.iter().enumerate() { + SIMDUnit::gamma1_serialize::( + *simd_unit, + &mut serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], + ); } } @@ -126,7 +100,9 @@ mod tests { 117, 5, 185, 26, 141, 188, 106, 44, 164, 240, 119, ]; - assert_eq!(serialize::(re), expected_bytes); + let mut result = [0u8; 640]; + serialize::(re, &mut result); + assert_eq!(result, expected_bytes); } fn test_deserialize_generic() { diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 6377f5e33..a25f693bf 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -41,10 +41,9 @@ impl< offset += COMMITMENT_HASH_SIZE; for i in 0..COLUMNS_IN_A { - signature[offset..offset + GAMMA1_RING_ELEMENT_SIZE].copy_from_slice( - &encoding::gamma1::serialize::( - self.signer_response[i], - ), + encoding::gamma1::serialize::( + self.signer_response[i], + &mut signature[offset..offset + GAMMA1_RING_ELEMENT_SIZE], ); offset += GAMMA1_RING_ELEMENT_SIZE; } diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 0792ec002..dba465b2a 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -86,8 +86,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn gamma1_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { - encoding::gamma1::serialize::(simd_unit.coefficients) + fn gamma1_serialize(simd_unit: Self, serialized: &mut [u8]) { + encoding::gamma1::serialize::(simd_unit.coefficients, serialized) } #[inline(always)] fn gamma1_deserialize(serialized: &[u8]) -> Self { diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs index 80b666707..dae75a905 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/gamma1.rs @@ -1,9 +1,7 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] -fn serialize_when_gamma1_is_2_pow_17( - simd_unit: Vec256, -) -> [u8; OUTPUT_SIZE] { +fn serialize_when_gamma1_is_2_pow_17(simd_unit: Vec256, out: &mut [u8]) { let mut serialized = [0u8; 32]; const GAMMA1: i32 = 1 << 17; @@ -27,13 +25,11 @@ fn serialize_when_gamma1_is_2_pow_17( let upper_4 = mm256_extracti128_si256::<1>(adjacent_4_combined); mm_storeu_bytes_si128(&mut serialized[9..25], upper_4); - serialized[0..18].try_into().unwrap() + out.copy_from_slice(&serialized[0..18]); } #[inline(always)] -fn serialize_when_gamma1_is_2_pow_19( - simd_unit: Vec256, -) -> [u8; OUTPUT_SIZE] { +fn serialize_when_gamma1_is_2_pow_19(simd_unit: Vec256, out: &mut [u8]) { let mut serialized = [0u8; 32]; const GAMMA1: i32 = 1 << 19; @@ -61,14 +57,14 @@ fn serialize_when_gamma1_is_2_pow_19( let upper_4 = mm256_extracti128_si256::<1>(adjacent_4_combined); mm_storeu_bytes_si128(&mut serialized[10..26], upper_4); - serialized[0..20].try_into().unwrap() + out.copy_from_slice(&serialized[0..20]) } #[inline(always)] -pub(crate) fn serialize(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] { - match OUTPUT_SIZE as u8 { - 18 => serialize_when_gamma1_is_2_pow_17::(simd_unit), - 20 => serialize_when_gamma1_is_2_pow_19::(simd_unit), +pub(crate) fn serialize(simd_unit: Vec256, serialized: &mut [u8]) { + match GAMMA1_EXPONENT as u8 { + 17 => serialize_when_gamma1_is_2_pow_17(simd_unit, serialized), + 19 => serialize_when_gamma1_is_2_pow_19(simd_unit, serialized), _ => unreachable!(), } } diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index f0c02d10e..1e96793c7 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -69,8 +69,8 @@ impl Operations for PortableSIMDUnit { sample::rejection_sample_less_than_eta_equals_4(randomness, out) } - fn gamma1_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { - encoding::gamma1::serialize(simd_unit) + fn gamma1_serialize(simd_unit: Self, serialized: &mut [u8]) { + encoding::gamma1::serialize::(simd_unit, serialized) } fn gamma1_deserialize(serialized: &[u8]) -> Self { encoding::gamma1::deserialize::(serialized) diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index 3dbb5f20a..33a4e864a 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -1,13 +1,9 @@ use super::super::vector_type::{PortableSIMDUnit, ZERO}; -// This function is marked public since it is called in the corresponding AVX2 code. + #[inline(always)] -pub fn serialize_when_gamma1_is_2_pow_17( - simd_unit: PortableSIMDUnit, -) -> [u8; OUTPUT_SIZE] { +fn serialize_when_gamma1_is_2_pow_17(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { const GAMMA1: i32 = 1 << 17; - let mut serialized = [0u8; OUTPUT_SIZE]; - for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { let coefficient0 = GAMMA1 - coefficients[0]; let coefficient1 = GAMMA1 - coefficients[1]; @@ -33,18 +29,12 @@ pub fn serialize_when_gamma1_is_2_pow_17( serialized[9 * i + 7] = (coefficient3 >> 2) as u8; serialized[9 * i + 8] = (coefficient3 >> 10) as u8; } - - serialized } #[inline(always)] -fn serialize_when_gamma1_is_2_pow_19( - simd_unit: PortableSIMDUnit, -) -> [u8; OUTPUT_SIZE] { +fn serialize_when_gamma1_is_2_pow_19(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { const GAMMA1: i32 = 1 << 19; - let mut serialized = [0u8; OUTPUT_SIZE]; - for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { let coefficient0 = GAMMA1 - coefficients[0]; let coefficient1 = GAMMA1 - coefficients[1]; @@ -58,16 +48,15 @@ fn serialize_when_gamma1_is_2_pow_19( serialized[5 * i + 3] = (coefficient1 >> 4) as u8; serialized[5 * i + 4] = (coefficient1 >> 12) as u8; } - - serialized } #[inline(always)] -pub(crate) fn serialize( +pub(crate) fn serialize( simd_unit: PortableSIMDUnit, -) -> [u8; OUTPUT_SIZE] { - match OUTPUT_SIZE as u8 { - 18 => serialize_when_gamma1_is_2_pow_17::(simd_unit), - 20 => serialize_when_gamma1_is_2_pow_19::(simd_unit), + serialized: &mut [u8], +) { + match GAMMA1_EXPONENT as u8 { + 17 => serialize_when_gamma1_is_2_pow_17(simd_unit, serialized), + 19 => serialize_when_gamma1_is_2_pow_19(simd_unit, serialized), _ => unreachable!(), } } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index d851dab1a..72a9eccb3 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -53,7 +53,7 @@ pub(crate) trait Operations: Copy + Clone { // Encoding operations // Gamma1 - fn gamma1_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE]; + fn gamma1_serialize(simd_unit: Self, serialized: &mut [u8]); fn gamma1_deserialize(serialized: &[u8]) -> Self; // Commitment From b7df319108b5cea23f7f7c963c6574e8b266ee9a Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 6 Dec 2024 17:54:31 +0000 Subject: [PATCH 11/27] more loop cleanups --- libcrux-ml-dsa/src/encoding/gamma1.rs | 14 +++--- libcrux-ml-dsa/src/encoding/signing_key.rs | 3 +- libcrux-ml-dsa/src/encoding/t0.rs | 53 +++++++++++----------- 3 files changed, 36 insertions(+), 34 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index 08b56eabd..20c7e6a5b 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -1,15 +1,17 @@ -use crate::{polynomial::PolynomialRingElement, simd::traits::Operations}; +use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] pub(crate) fn serialize( re: PolynomialRingElement, serialized: &mut [u8], // OUTPUT_BYTES ) { - for (i, simd_unit) in re.simd_units.iter().enumerate() { - SIMDUnit::gamma1_serialize::( - *simd_unit, - &mut serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], - ); + cloop! { + for (i, simd_unit) in re.simd_units.iter().enumerate() { + SIMDUnit::gamma1_serialize::( + *simd_unit, + &mut serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], + ); + } } } diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index 6a33c4ecc..0bc31df00 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -67,8 +67,7 @@ pub(crate) fn generate_serialized< cloop! { for ring_element in t0.iter() { - signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE] - .copy_from_slice(&encoding::t0::serialize::(*ring_element)); + encoding::t0::serialize::(*ring_element, &mut signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE]); offset += RING_ELEMENT_OF_T0S_SIZE; } } diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index 07943c2b3..aec3c11c0 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -3,37 +3,36 @@ // --------------------------------------------------------------------------- use crate::{ - constants::RING_ELEMENT_OF_T0S_SIZE, ntt::ntt, polynomial::PolynomialRingElement, - simd::traits::Operations, + constants::RING_ELEMENT_OF_T0S_SIZE, helper::cloop, ntt::ntt, + polynomial::PolynomialRingElement, simd::traits::Operations, }; +const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 13; + #[inline(always)] pub(crate) fn serialize( re: PolynomialRingElement, -) -> [u8; RING_ELEMENT_OF_T0S_SIZE] { - let mut serialized = [0u8; RING_ELEMENT_OF_T0S_SIZE]; - - const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 13; - - for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice(&SIMDUnit::t0_serialize(*simd_unit)); + serialized: &mut [u8], // RING_ELEMENT_OF_T0S_SIZE +) { + cloop! { + for (i, simd_unit) in re.simd_units.iter().enumerate() { + // XXX: make t0_deserialize take &mut serialized? + serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] + .copy_from_slice(&SIMDUnit::t0_serialize(*simd_unit)); + } } - - serialized } #[inline(always)] -fn deserialize(serialized: &[u8]) -> PolynomialRingElement { - let mut serialized_chunks = serialized.chunks(13); - - let mut result = PolynomialRingElement::ZERO(); - +fn deserialize( + serialized: &[u8], + result: &mut PolynomialRingElement, +) { for i in 0..result.simd_units.len() { - result.simd_units[i] = SIMDUnit::t0_deserialize(&serialized_chunks.next().unwrap()); + result.simd_units[i] = SIMDUnit::t0_deserialize( + &serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT], + ); } - - result } #[inline(always)] @@ -43,7 +42,8 @@ pub(crate) fn deserialize_to_vector_then_ntt::ZERO(); DIMENSION]; for (i, bytes) in serialized.chunks(RING_ELEMENT_OF_T0S_SIZE).enumerate() { - ring_elements[i] = ntt(deserialize::(bytes)); + deserialize::(bytes, &mut ring_elements[i]); + ring_elements[i] = ntt(ring_elements[i]); } ring_elements @@ -104,7 +104,9 @@ mod tests { 114, 203, 81, 128, 188, 172, 90, 39, 25, 122, 156, 12, 71, 57, 204, 234, 227, ]; - assert_eq!(serialize::(re), expected_bytes); + let mut result = [0u8; RING_ELEMENT_OF_T0S_SIZE]; + serialize::(re, &mut result); + assert_eq!(result, expected_bytes); } fn test_deserialize_generic() { let serialized = [ @@ -154,10 +156,9 @@ mod tests { 2487, -1527, 2834, -3089, 1724, 3858, -2130, 3301, -1565, ]; - assert_eq!( - deserialize::(&serialized).to_i32_array(), - expected_coefficients - ); + let mut deserialized = PolynomialRingElement::::ZERO(); + deserialize::(&serialized, &mut deserialized); + assert_eq!(deserialized.to_i32_array(), expected_coefficients); } #[cfg(not(feature = "simd256"))] From ce52b8302c13a452f2fde8c8197158d5baea9377 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 6 Dec 2024 18:22:25 +0000 Subject: [PATCH 12/27] more loop cleanups --- libcrux-ml-dsa/src/encoding/error.rs | 74 ++++++------------- libcrux-ml-dsa/src/encoding/signing_key.rs | 16 ++-- libcrux-ml-dsa/src/simd/avx2.rs | 4 +- .../src/simd/avx2/encoding/error.rs | 19 +++-- libcrux-ml-dsa/src/simd/portable.rs | 4 +- .../src/simd/portable/encoding/error.rs | 26 ++----- libcrux-ml-dsa/src/simd/traits.rs | 2 +- 7 files changed, 59 insertions(+), 86 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 80080945c..9d62d4fec 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -1,60 +1,33 @@ // Functions for serializing and deserializing an error ring element. -use crate::{ntt::ntt, polynomial::PolynomialRingElement, simd::traits::Operations}; +use crate::{helper::cloop, ntt::ntt, polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] pub(crate) fn serialize( re: PolynomialRingElement, -) -> [u8; OUTPUT_SIZE] { - let mut serialized = [0u8; OUTPUT_SIZE]; - - match ETA as u8 { - 2 => { - const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 3; - - for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice(&SIMDUnit::error_serialize::( - *simd_unit, - )); - } - - serialized + serialized: &mut [u8], //OUTPUT_SIZE +) { + let output_bytes_per_simd_unit = if ETA == 2 { 3 } else { 4 }; + cloop! { + for (i, simd_unit) in re.simd_units.iter().enumerate() { + SIMDUnit::error_serialize::( + *simd_unit,&mut serialized[i * output_bytes_per_simd_unit..(i + 1) * output_bytes_per_simd_unit] + ); } - 4 => { - const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 4; - - for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice(&SIMDUnit::error_serialize::( - *simd_unit, - )); - } - - serialized - } - _ => unreachable!(), } } #[inline(always)] fn deserialize( serialized: &[u8], -) -> PolynomialRingElement { - let mut serialized_chunks = match ETA as u8 { - 2 => serialized.chunks(3), - 4 => serialized.chunks(4), - _ => unreachable!(), - }; - - let mut result = PolynomialRingElement::ZERO(); + result: &mut PolynomialRingElement, +) { + let chunk_size = if ETA == 2 { 3 } else { 4 }; for i in 0..result.simd_units.len() { result.simd_units[i] = - SIMDUnit::error_deserialize::(&serialized_chunks.next().unwrap()); + SIMDUnit::error_deserialize::(&serialized[i * chunk_size..(i + 1) * chunk_size]); } - - result } #[inline(always)] @@ -68,8 +41,11 @@ pub(crate) fn deserialize_to_vector_then_ntt< ) -> [PolynomialRingElement; DIMENSION] { let mut ring_elements = [PolynomialRingElement::::ZERO(); DIMENSION]; - for (i, bytes) in serialized.chunks(RING_ELEMENT_SIZE).enumerate() { - ring_elements[i] = ntt(deserialize::(bytes)); + cloop! { + for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_SIZE).enumerate() { + deserialize::(bytes, &mut ring_elements[i]); + ring_elements[i] = ntt(ring_elements[i]); + } } ring_elements @@ -104,10 +80,9 @@ mod tests { 0, 2, -1, ]; - assert_eq!( - deserialize::(&serialized).to_i32_array(), - expected_coefficients - ); + let mut deserialized = PolynomialRingElement::::ZERO(); + deserialize::(&serialized, &mut deserialized); + assert_eq!(deserialized.to_i32_array(), expected_coefficients); let serialized = [ 22, 103, 55, 49, 34, 65, 50, 129, 52, 65, 21, 85, 82, 69, 3, 55, 52, 101, 80, 64, 114, @@ -133,10 +108,9 @@ mod tests { 1, 3, ]; - assert_eq!( - deserialize::(&serialized).to_i32_array(), - expected_coefficients - ); + let mut deserialized = PolynomialRingElement::::ZERO(); + deserialize::(&serialized, &mut deserialized); + assert_eq!(deserialized.to_i32_array(), expected_coefficients); } #[cfg(not(feature = "simd256"))] diff --git a/libcrux-ml-dsa/src/encoding/signing_key.rs b/libcrux-ml-dsa/src/encoding/signing_key.rs index 0bc31df00..fe7209e01 100644 --- a/libcrux-ml-dsa/src/encoding/signing_key.rs +++ b/libcrux-ml-dsa/src/encoding/signing_key.rs @@ -49,8 +49,9 @@ pub(crate) fn generate_serialized< cloop! { for ring_element in s1.iter() { - signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE].copy_from_slice( - &encoding::error::serialize::(*ring_element), + encoding::error::serialize::( + *ring_element, + &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE], ); offset += ERROR_RING_ELEMENT_SIZE; } @@ -58,8 +59,9 @@ pub(crate) fn generate_serialized< cloop! { for ring_element in s2.iter() { - signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE].copy_from_slice( - &encoding::error::serialize::(*ring_element), + encoding::error::serialize::( + *ring_element, + &mut signing_key_serialized[offset..offset + ERROR_RING_ELEMENT_SIZE], ); offset += ERROR_RING_ELEMENT_SIZE; } @@ -67,7 +69,10 @@ pub(crate) fn generate_serialized< cloop! { for ring_element in t0.iter() { - encoding::t0::serialize::(*ring_element, &mut signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE]); + encoding::t0::serialize::( + *ring_element, + &mut signing_key_serialized[offset..offset + RING_ELEMENT_OF_T0S_SIZE], + ); offset += RING_ELEMENT_OF_T0S_SIZE; } } @@ -118,6 +123,7 @@ pub(crate) fn deserialize_then_ntt< ERROR_RING_ELEMENT_SIZE, >(s2_serialized); + // XXX: write *_as_ntt directly into the output above let t0_as_ntt = encoding::t0::deserialize_to_vector_then_ntt::(t0_serialized); diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index dba465b2a..0142a7597 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -100,8 +100,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn error_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { - encoding::error::serialize::(simd_unit.coefficients) + fn error_serialize(simd_unit: Self, serialized: &mut [u8]) { + encoding::error::serialize::(simd_unit.coefficients, serialized) } #[inline(always)] fn error_deserialize(serialized: &[u8]) -> Self { diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs index 0d9095166..dcc82f753 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/error.rs @@ -1,7 +1,7 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] -fn serialize_when_eta_is_2(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] { +fn serialize_when_eta_is_2(simd_unit: Vec256, out: &mut [u8]) { let mut serialized = [0u8; 16]; const ETA: i32 = 2; @@ -34,10 +34,11 @@ fn serialize_when_eta_is_2(simd_unit: Vec256) -> [u8; mm_storeu_bytes_si128(&mut serialized[0..16], adjacent_6_combined); - serialized[0..3].try_into().unwrap() + out.copy_from_slice(&serialized[0..3]); } + #[inline(always)] -fn serialize_when_eta_is_4(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] { +fn serialize_when_eta_is_4(simd_unit: Vec256, out: &mut [u8]) { let mut serialized = [0u8; 16]; const ETA: i32 = 4; @@ -61,13 +62,14 @@ fn serialize_when_eta_is_4(simd_unit: Vec256) -> [u8; mm_storeu_bytes_si128(&mut serialized[0..16], adjacent_4_combined); - serialized[0..4].try_into().unwrap() + out.copy_from_slice(&serialized[0..4]) } + #[inline(always)] -pub fn serialize(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] { - match OUTPUT_SIZE as u8 { - 3 => serialize_when_eta_is_2::(simd_unit), - 4 => serialize_when_eta_is_4::(simd_unit), +pub fn serialize(simd_unit: Vec256, serialized: &mut [u8]) { + match ETA as u8 { + 2 => serialize_when_eta_is_2(simd_unit, serialized), + 4 => serialize_when_eta_is_4(simd_unit, serialized), _ => unreachable!(), } } @@ -94,6 +96,7 @@ fn deserialize_to_unsigned_when_eta_is_2(bytes: &[u8]) -> Vec256 { mm256_and_si256(coefficients, mm256_set1_epi32(COEFFICIENT_MASK)) } + #[inline(always)] fn deserialize_to_unsigned_when_eta_is_4(bytes: &[u8]) -> Vec256 { debug_assert!(bytes.len() == 4); diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 1e96793c7..6478ac271 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -80,8 +80,8 @@ impl Operations for PortableSIMDUnit { encoding::commitment::serialize(simd_unit) } - fn error_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { - encoding::error::serialize(simd_unit) + fn error_serialize(simd_unit: Self, serialized: &mut [u8]) { + encoding::error::serialize::(simd_unit, serialized) } fn error_deserialize(serialized: &[u8]) -> Self { encoding::error::deserialize::(serialized) diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index 5581cc2a4..bc27ff3a3 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,10 +1,7 @@ use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] -fn serialize_when_eta_is_2( - simd_unit: PortableSIMDUnit, -) -> [u8; OUTPUT_SIZE] { - let mut serialized = [0u8; OUTPUT_SIZE]; +fn serialize_when_eta_is_2(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { const ETA: i32 = 2; let coefficient0 = (ETA - simd_unit.coefficients[0]) as u8; @@ -20,14 +17,10 @@ fn serialize_when_eta_is_2( serialized[1] = (coefficient5 << 7) | (coefficient4 << 4) | (coefficient3 << 1) | (coefficient2 >> 2); serialized[2] = (coefficient7 << 5) | (coefficient6 << 2) | (coefficient5 >> 1); - - serialized } + #[inline(always)] -fn serialize_when_eta_is_4( - simd_unit: PortableSIMDUnit, -) -> [u8; OUTPUT_SIZE] { - let mut serialized = [0u8; OUTPUT_SIZE]; +fn serialize_when_eta_is_4(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { const ETA: i32 = 4; for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { @@ -36,16 +29,13 @@ fn serialize_when_eta_is_4( serialized[i] = (coefficient1 << 4) | coefficient0; } - - serialized } + #[inline(always)] -pub(crate) fn serialize( - simd_unit: PortableSIMDUnit, -) -> [u8; OUTPUT_SIZE] { - match OUTPUT_SIZE as u8 { - 3 => serialize_when_eta_is_2::(simd_unit), - 4 => serialize_when_eta_is_4::(simd_unit), +pub(crate) fn serialize(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { + match ETA as u8 { + 2 => serialize_when_eta_is_2(simd_unit, serialized), + 4 => serialize_when_eta_is_4(simd_unit, serialized), _ => unreachable!(), } } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 72a9eccb3..38b7bf3d4 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -60,7 +60,7 @@ pub(crate) trait Operations: Copy + Clone { fn commitment_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE]; // Error - fn error_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE]; + fn error_serialize(simd_unit: Self, serialized: &mut [u8]); fn error_deserialize(serialized: &[u8]) -> Self; // t0 From 05d9103534945cd1e884b1321589ecb43c1a0e05 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 6 Dec 2024 19:37:14 +0000 Subject: [PATCH 13/27] more loop cleanups --- libcrux-ml-dsa/src/arithmetic.rs | 28 ++-- libcrux-ml-dsa/src/encoding/commitment.rs | 12 +- libcrux-ml-dsa/src/encoding/signature.rs | 14 +- libcrux-ml-dsa/src/encoding/t1.rs | 10 +- .../src/encoding/verification_key.rs | 11 +- libcrux-ml-dsa/src/helper.rs | 22 ++- libcrux-ml-dsa/src/matrix.rs | 19 ++- libcrux-ml-dsa/src/ml_dsa_generic.rs | 28 +++- libcrux-ml-dsa/src/pre_hash.rs | 35 ++--- .../src/simd/portable/arithmetic.rs | 39 ++--- .../src/simd/portable/encoding/error.rs | 21 ++- .../src/simd/portable/encoding/gamma1.rs | 134 ++++++++++-------- .../src/simd/portable/encoding/t1.rs | 46 +++--- 13 files changed, 251 insertions(+), 168 deletions(-) diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index ff91f65a7..f0fde7f73 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -1,5 +1,5 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, polynomial::PolynomialRingElement, + constants::COEFFICIENTS_IN_RING_ELEMENT, helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations, }; @@ -13,8 +13,10 @@ pub(crate) fn vector_infinity_norm_exceeds( ) -> PolynomialRingElement { let mut out = PolynomialRingElement::ZERO(); - for (i, simd_unit) in re.simd_units.iter().enumerate() { - out.simd_units[i] = SIMDUnit::shift_left_then_reduce::(*simd_unit); + cloop! { + for (i, simd_unit) in re.simd_units.iter().enumerate() { + out.simd_units[i] = SIMDUnit::shift_left_then_reduce::(*simd_unit); + } } out @@ -43,12 +47,16 @@ pub(crate) fn power2round_vector( let mut t0 = [PolynomialRingElement::::ZERO(); DIMENSION]; let mut t1 = [PolynomialRingElement::::ZERO(); DIMENSION]; - for (i, ring_element) in t.iter().enumerate() { - for (j, simd_unit) in ring_element.simd_units.iter().enumerate() { - let (t0_unit, t1_unit) = SIMDUnit::power2round(*simd_unit); + cloop! { + for (i, ring_element) in t.iter().enumerate() { + cloop!{ + for (j, simd_unit) in ring_element.simd_units.iter().enumerate() { + let (t0_unit, t1_unit) = SIMDUnit::power2round(*simd_unit); - t0[i].simd_units[j] = t0_unit; - t1[i].simd_units[j] = t1_unit; + t0[i].simd_units[j] = t0_unit; + t1[i].simd_units[j] = t1_unit; + } + } } } diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index f5a12e789..ecb4d48ba 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -1,4 +1,4 @@ -use crate::{polynomial::PolynomialRingElement, simd::traits::Operations}; +use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] fn serialize( @@ -55,10 +55,12 @@ pub(crate) fn serialize_vector< let mut serialized = [0u8; OUTPUT_SIZE]; let mut offset: usize = 0; - for ring_element in vector.iter() { - serialized[offset..offset + RING_ELEMENT_SIZE] - .copy_from_slice(&serialize::(*ring_element)); - offset += RING_ELEMENT_SIZE; + cloop! { + for ring_element in vector.iter() { + serialized[offset..offset + RING_ELEMENT_SIZE] + .copy_from_slice(&serialize::(*ring_element)); + offset += RING_ELEMENT_SIZE; + } } serialized diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index a25f693bf..6fc115d02 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -141,13 +141,13 @@ impl< } if malformed_hint { - Err(VerificationError::MalformedHintError) - } else { - Ok(Signature { - commitment_hash: commitment_hash.try_into().unwrap(), - signer_response, - hint, - }) + return Err(VerificationError::MalformedHintError); } + + Ok(Signature { + commitment_hash: commitment_hash.try_into().unwrap(), + signer_response, + hint, + }) } } diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index 0bbe3ea4f..07d3c5b72 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -1,5 +1,5 @@ use crate::{ - constants::RING_ELEMENT_OF_T1S_SIZE, polynomial::PolynomialRingElement, + constants::RING_ELEMENT_OF_T1S_SIZE, helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations, }; @@ -13,9 +13,11 @@ pub(crate) fn serialize( const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 10; - for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice(&SIMDUnit::t1_serialize(*simd_unit)); + cloop! { + for (i, simd_unit) in re.simd_units.iter().enumerate() { + serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] + .copy_from_slice(&SIMDUnit::t1_serialize(*simd_unit)); + } } serialized diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index c278c518b..85dd728d5 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -1,6 +1,7 @@ use crate::{ constants::{RING_ELEMENT_OF_T1S_SIZE, SEED_FOR_A_SIZE}, encoding::t1, + helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations, }; @@ -18,10 +19,12 @@ pub(crate) fn generate_serialized< let mut verification_key_serialized = [0u8; VERIFICATION_KEY_SIZE]; verification_key_serialized[0..SEED_FOR_A_SIZE].copy_from_slice(seed_for_A); - for (i, ring_element) in t1.iter().enumerate() { - let offset = SEED_FOR_A_SIZE + (i * RING_ELEMENT_OF_T1S_SIZE); - verification_key_serialized[offset..offset + RING_ELEMENT_OF_T1S_SIZE] - .copy_from_slice(&t1::serialize::(*ring_element)); + cloop! { + for (i, ring_element) in t1.iter().enumerate() { + let offset = SEED_FOR_A_SIZE + (i * RING_ELEMENT_OF_T1S_SIZE); + verification_key_serialized[offset..offset + RING_ELEMENT_OF_T1S_SIZE] + .copy_from_slice(&t1::serialize::(*ring_element)); + } } verification_key_serialized diff --git a/libcrux-ml-dsa/src/helper.rs b/libcrux-ml-dsa/src/helper.rs index daccf62b5..3ac46df57 100644 --- a/libcrux-ml-dsa/src/helper.rs +++ b/libcrux-ml-dsa/src/helper.rs @@ -28,8 +28,8 @@ macro_rules! cloop { } }; (for $item:ident in $val:ident.iter() $body:block) => { - for _cloop_i in 0..$val.len() { - let $item = &$val[_cloop_i]; + for _cloop_j in 0..$val.len() { + let $item = &$val[_cloop_j]; $body } }; @@ -45,6 +45,18 @@ macro_rules! cloop { $body } }; + (for ($i:ident, $item:ident) in $val:ident.$values:ident.into_iter().enumerate() $body:block) => { + for $i in 0..$val.$values.len() { + let $item = $val.$values[$i]; + $body + } + }; + (for $item:ident in $val:ident.$values:ident.into_iter() $body:block) => { + for _cloop_k in 0..$val.$values.len() { + let $item = $val.$values[_cloop_k]; + $body + } + }; (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => { for $i in $start..$end / $step { let $i = $i * $step; @@ -76,6 +88,12 @@ macro_rules! cloop { (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => { for ($i, $item) in $val.into_iter().enumerate() $body }; + (for ($i:ident, $item:ident) in $val:ident.$values:ident.into_iter().enumerate() $body:block) => { + for ($i, $item) in $val.$values.into_iter().enumerate() $body + }; + (for $item:ident in $val:ident.$values:ident.into_iter() $body:block) => { + for $item in $val.$values.into_iter() $body + }; (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => { for $i in ($start..$end).step_by($step) $body }; diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index 47b9a5b26..a981c4860 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -1,6 +1,7 @@ use crate::{ arithmetic::shift_left_then_reduce, constants::BITS_IN_LOWER_PART_OF_T, + helper::cloop, ntt::{invert_ntt_montgomery, ntt, ntt_multiply_montgomery}, polynomial::PolynomialRingElement, simd::traits::Operations, @@ -21,14 +22,18 @@ pub(crate) fn compute_As1_plus_s2< let mut result = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; let s1_ntt = s1.map(|s| ntt::(s)); - for (i, row) in A_as_ntt.iter().enumerate() { - for (j, ring_element) in row.iter().enumerate() { - let product = ntt_multiply_montgomery::(ring_element, &s1_ntt[j]); - result[i] = PolynomialRingElement::add(&result[i], &product); + cloop! { + for (i, row) in A_as_ntt.iter().enumerate() { + cloop!{ + for (j, ring_element) in row.iter().enumerate() { + let product = ntt_multiply_montgomery::(ring_element, &s1_ntt[j]); + result[i] = PolynomialRingElement::add(&result[i], &product); + } + } + + result[i] = invert_ntt_montgomery::(result[i]); + result[i] = PolynomialRingElement::add(&result[i], &s2[i]); } - - result[i] = invert_ntt_montgomery::(result[i]); - result[i] = PolynomialRingElement::add(&result[i], &s2[i]); } result diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 3883b01e0..e76a816be 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -126,7 +126,10 @@ pub(crate) fn sign_pre_hashed< return Err(SigningError::ContextTooLongError); } let pre_hashed_message = PH::hash::(message); - let domain_separation_context = DomainSeparationContext::new(context, Some(&PH::OID))?; + let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) { + Ok(dsc) => dsc, + Err(_) => return Err(SigningError::ContextTooLongError), + }; sign_internal::< SIMDUnit, Shake128X4, @@ -183,7 +186,10 @@ pub(crate) fn sign< context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { - let domain_separation_context = DomainSeparationContext::new(context, None)?; + let domain_separation_context = match DomainSeparationContext::new(context, None) { + Ok(dsc) => dsc, + Err(_) => return Err(SigningError::ContextTooLongError), + }; sign_internal::< SIMDUnit, Shake128X4, @@ -482,12 +488,16 @@ pub(crate) fn verify_internal< ); let signature = - Signature::::deserialize::< + match Signature::::deserialize::< GAMMA1_EXPONENT, GAMMA1_RING_ELEMENT_SIZE, MAX_ONES_IN_HINT, SIGNATURE_SIZE, - >(signature_serialized)?; + >(signature_serialized) + { + Ok(s) => s, + Err(e) => return Err(e), + }; // We use if-else branches because early returns will not go through hax. if !vector_infinity_norm_exceeds::( @@ -578,7 +588,10 @@ pub(crate) fn verify< signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { // We manually do the matching here to make Eurydice happy. - let domain_separation_context = DomainSeparationContext::new(context, None)?; + let domain_separation_context = match DomainSeparationContext::new(context, None) { + Ok(dsc) => dsc, + Err(_) => return Err(VerificationError::VerificationContextTooLongError), + }; verify_internal::< SIMDUnit, Shake128X4, @@ -635,7 +648,10 @@ pub(crate) fn verify_pre_hashed< signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { let pre_hashed_message = PH::hash::(message); - let domain_separation_context = DomainSeparationContext::new(context, Some(&PH::OID))?; + let domain_separation_context = match DomainSeparationContext::new(context, Some(PH::oid())) { + Ok(dsc) => dsc, + Err(_) => return Err(VerificationError::VerificationContextTooLongError), + }; verify_internal::< SIMDUnit, diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs index 7c259c26c..1e678a770 100644 --- a/libcrux-ml-dsa/src/pre_hash.rs +++ b/libcrux-ml-dsa/src/pre_hash.rs @@ -12,7 +12,7 @@ pub(crate) type PreHashOID = [u8; PRE_HASH_OID_LEN]; pub(crate) trait PreHash { /// The object identifier (OID) of the hash function or XOF used /// to perform the pre-hashing of the message. - const OID: PreHashOID; + fn oid() -> PreHashOID; /// Used to derive the pre-hash PH of the message before signing. fn hash(message: &[u8]) -> [u8; DIGEST_LEN]; @@ -23,10 +23,14 @@ pub(crate) trait PreHash { /// digest length 256 bytes. pub(crate) struct SHAKE128_PH(); +const SHAKE128_OID: PreHashOID = [ + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0b, +]; + impl PreHash<256> for SHAKE128_PH { - const OID: PreHashOID = [ - 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0b, - ]; + fn oid() -> PreHashOID { + SHAKE128_OID + } #[inline(always)] fn hash(message: &[u8]) -> [u8; 256] { @@ -41,7 +45,7 @@ impl PreHash<256> for SHAKE128_PH { /// the hash function or XOF used for pre-hashing. pub(crate) struct DomainSeparationContext<'a> { context: &'a [u8], - pre_hash_oid: Option<&'a PreHashOID>, + pre_hash_oid: Option, } pub(crate) enum DomainSeparationError { @@ -52,18 +56,15 @@ pub(crate) type PreHashResult<'a> = Result, DomainSe impl<'a> DomainSeparationContext<'a> { /// `context` must be at most 255 bytes long. - pub(crate) fn new( - context: &'a [u8], - pre_hash_oid: Option<&'a PreHashOID>, - ) -> PreHashResult<'a> { + pub(crate) fn new(context: &'a [u8], pre_hash_oid: Option) -> PreHashResult<'a> { if context.len() > CONTEXT_MAX_LEN { - Err(DomainSeparationError::ContextTooLongError) - } else { - Ok(Self { - context, - pre_hash_oid, - }) + return Err(DomainSeparationError::ContextTooLongError); } + + Ok(Self { + context, + pre_hash_oid, + }) } /// Returns the context, guaranteed to be at most 255 bytes long. @@ -72,8 +73,8 @@ impl<'a> DomainSeparationContext<'a> { } /// Returns the pre-hash OID, if any. - pub fn pre_hash_oid(&self) -> Option<&PreHashOID> { - self.pre_hash_oid + pub fn pre_hash_oid(&self) -> &Option { + &self.pre_hash_oid } } diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index f4c269470..d803487a8 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,6 +1,7 @@ use super::vector_type::{FieldElement, PortableSIMDUnit, ZERO}; use crate::{ constants::BITS_IN_LOWER_PART_OF_T, + helper::cloop, simd::traits::{ FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, }, @@ -115,11 +116,13 @@ pub fn power2round(simd_unit: PortableSIMDUnit) -> (PortableSIMDUnit, PortableSI let mut t0_simd_unit = ZERO(); let mut t1_simd_unit = ZERO(); - for (i, t) in simd_unit.coefficients.into_iter().enumerate() { - let (t0, t1) = power2round_element(t); + cloop! { + for (i, t) in simd_unit.coefficients.into_iter().enumerate() { + let (t0, t1) = power2round_element(t); - t0_simd_unit.coefficients[i] = t0; - t1_simd_unit.coefficients[i] = t1; + t0_simd_unit.coefficients[i] = t0; + t1_simd_unit.coefficients[i] = t1; + } } (t0_simd_unit, t1_simd_unit) @@ -138,19 +141,21 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool { // TODO: We can break out of this loop early if need be, but the most // straightforward way to do so (returning false) will not go through hax; // revisit if performance is impacted. - for coefficient in simd_unit.coefficients.into_iter() { - debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS); - // This norm is calculated using the absolute value of the - // signed representative in the range: - // - // -FIELD_MODULUS / 2 < r <= FIELD_MODULUS / 2. - // - // So if the coefficient is negative, get its absolute value, but - // don't convert it into a different representation. - let sign = coefficient >> 31; - let normalized = coefficient - (sign & (2 * coefficient)); - - exceeds = exceeds || normalized >= bound; + cloop! { + for coefficient in simd_unit.coefficients.into_iter() { + debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS); + // This norm is calculated using the absolute value of the + // signed representative in the range: + // + // -FIELD_MODULUS / 2 < r <= FIELD_MODULUS / 2. + // + // So if the coefficient is negative, get its absolute value, but + // don't convert it into a different representation. + let sign = coefficient >> 31; + let normalized = coefficient - (sign & (2 * coefficient)); + + exceeds = exceeds || normalized >= bound; + } } exceeds diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index bc27ff3a3..4013a5152 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,3 +1,5 @@ +use crate::helper::cloop; + use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] @@ -23,11 +25,13 @@ fn serialize_when_eta_is_2(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { fn serialize_when_eta_is_4(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { const ETA: i32 = 4; - for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { - let coefficient0 = (ETA - coefficients[0]) as u8; - let coefficient1 = (ETA - coefficients[1]) as u8; + cloop! { + for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { + let coefficient0 = (ETA - coefficients[0]) as u8; + let coefficient1 = (ETA - coefficients[1]) as u8; - serialized[i] = (coefficient1 << 4) | coefficient0; + serialized[i] = (coefficient1 << 4) | coefficient0; + } } } @@ -62,6 +66,7 @@ fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit { simd_unit } + #[inline(always)] fn deserialize_when_eta_is_4(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 4); @@ -69,9 +74,11 @@ fn deserialize_when_eta_is_4(serialized: &[u8]) -> PortableSIMDUnit { let mut simd_unit = ZERO(); const ETA: i32 = 4; - for (i, byte) in serialized.iter().enumerate() { - simd_unit.coefficients[2 * i] = ETA - ((byte & 0xF) as i32); - simd_unit.coefficients[2 * i + 1] = ETA - ((byte >> 4) as i32); + cloop! { + for (i, byte) in serialized.iter().enumerate() { + simd_unit.coefficients[2 * i] = ETA - ((byte & 0xF) as i32); + simd_unit.coefficients[2 * i + 1] = ETA - ((byte >> 4) as i32); + } } simd_unit diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index 33a4e864a..1976639f8 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -1,33 +1,37 @@ +use crate::helper::cloop; + use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] fn serialize_when_gamma1_is_2_pow_17(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { const GAMMA1: i32 = 1 << 17; - for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { - let coefficient0 = GAMMA1 - coefficients[0]; - let coefficient1 = GAMMA1 - coefficients[1]; - let coefficient2 = GAMMA1 - coefficients[2]; - let coefficient3 = GAMMA1 - coefficients[3]; + cloop! { + for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { + let coefficient0 = GAMMA1 - coefficients[0]; + let coefficient1 = GAMMA1 - coefficients[1]; + let coefficient2 = GAMMA1 - coefficients[2]; + let coefficient3 = GAMMA1 - coefficients[3]; - serialized[9 * i] = coefficient0 as u8; - serialized[9 * i + 1] = (coefficient0 >> 8) as u8; + serialized[9 * i] = coefficient0 as u8; + serialized[9 * i + 1] = (coefficient0 >> 8) as u8; - serialized[9 * i + 2] = (coefficient0 >> 16) as u8; - serialized[9 * i + 2] |= (coefficient1 << 2) as u8; + serialized[9 * i + 2] = (coefficient0 >> 16) as u8; + serialized[9 * i + 2] |= (coefficient1 << 2) as u8; - serialized[9 * i + 3] = (coefficient1 >> 6) as u8; + serialized[9 * i + 3] = (coefficient1 >> 6) as u8; - serialized[9 * i + 4] = (coefficient1 >> 14) as u8; - serialized[9 * i + 4] |= (coefficient2 << 4) as u8; + serialized[9 * i + 4] = (coefficient1 >> 14) as u8; + serialized[9 * i + 4] |= (coefficient2 << 4) as u8; - serialized[9 * i + 5] = (coefficient2 >> 4) as u8; + serialized[9 * i + 5] = (coefficient2 >> 4) as u8; - serialized[9 * i + 6] = (coefficient2 >> 12) as u8; - serialized[9 * i + 6] |= (coefficient3 << 6) as u8; + serialized[9 * i + 6] = (coefficient2 >> 12) as u8; + serialized[9 * i + 6] |= (coefficient3 << 6) as u8; - serialized[9 * i + 7] = (coefficient3 >> 2) as u8; - serialized[9 * i + 8] = (coefficient3 >> 10) as u8; + serialized[9 * i + 7] = (coefficient3 >> 2) as u8; + serialized[9 * i + 8] = (coefficient3 >> 10) as u8; + } } } @@ -35,20 +39,23 @@ fn serialize_when_gamma1_is_2_pow_17(simd_unit: PortableSIMDUnit, serialized: &m fn serialize_when_gamma1_is_2_pow_19(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { const GAMMA1: i32 = 1 << 19; - for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { - let coefficient0 = GAMMA1 - coefficients[0]; - let coefficient1 = GAMMA1 - coefficients[1]; + cloop! { + for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { + let coefficient0 = GAMMA1 - coefficients[0]; + let coefficient1 = GAMMA1 - coefficients[1]; - serialized[5 * i] = coefficient0 as u8; - serialized[5 * i + 1] = (coefficient0 >> 8) as u8; + serialized[5 * i] = coefficient0 as u8; + serialized[5 * i + 1] = (coefficient0 >> 8) as u8; - serialized[5 * i + 2] = (coefficient0 >> 16) as u8; - serialized[5 * i + 2] |= (coefficient1 << 4) as u8; + serialized[5 * i + 2] = (coefficient0 >> 16) as u8; + serialized[5 * i + 2] |= (coefficient1 << 4) as u8; - serialized[5 * i + 3] = (coefficient1 >> 4) as u8; - serialized[5 * i + 4] = (coefficient1 >> 12) as u8; + serialized[5 * i + 3] = (coefficient1 >> 4) as u8; + serialized[5 * i + 4] = (coefficient1 >> 12) as u8; + } } } + #[inline(always)] pub(crate) fn serialize( simd_unit: PortableSIMDUnit, @@ -72,35 +79,38 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit { let mut simd_unit = ZERO(); - for (i, bytes) in serialized.chunks_exact(9).enumerate() { - let mut coefficient0 = bytes[0] as i32; - coefficient0 |= (bytes[1] as i32) << 8; - coefficient0 |= (bytes[2] as i32) << 16; - coefficient0 &= GAMMA1_TIMES_2_BITMASK; - - let mut coefficient1 = (bytes[2] as i32) >> 2; - coefficient1 |= (bytes[3] as i32) << 6; - coefficient1 |= (bytes[4] as i32) << 14; - coefficient1 &= GAMMA1_TIMES_2_BITMASK; - - let mut coefficient2 = (bytes[4] as i32) >> 4; - coefficient2 |= (bytes[5] as i32) << 4; - coefficient2 |= (bytes[6] as i32) << 12; - coefficient2 &= GAMMA1_TIMES_2_BITMASK; - - let mut coefficient3 = (bytes[6] as i32) >> 6; - coefficient3 |= (bytes[7] as i32) << 2; - coefficient3 |= (bytes[8] as i32) << 10; - coefficient3 &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i] = GAMMA1 - coefficient0; - simd_unit.coefficients[4 * i + 1] = GAMMA1 - coefficient1; - simd_unit.coefficients[4 * i + 2] = GAMMA1 - coefficient2; - simd_unit.coefficients[4 * i + 3] = GAMMA1 - coefficient3; + cloop! { + for (i, bytes) in serialized.chunks_exact(9).enumerate() { + let mut coefficient0 = bytes[0] as i32; + coefficient0 |= (bytes[1] as i32) << 8; + coefficient0 |= (bytes[2] as i32) << 16; + coefficient0 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient1 = (bytes[2] as i32) >> 2; + coefficient1 |= (bytes[3] as i32) << 6; + coefficient1 |= (bytes[4] as i32) << 14; + coefficient1 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient2 = (bytes[4] as i32) >> 4; + coefficient2 |= (bytes[5] as i32) << 4; + coefficient2 |= (bytes[6] as i32) << 12; + coefficient2 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient3 = (bytes[6] as i32) >> 6; + coefficient3 |= (bytes[7] as i32) << 2; + coefficient3 |= (bytes[8] as i32) << 10; + coefficient3 &= GAMMA1_TIMES_2_BITMASK; + + simd_unit.coefficients[4 * i] = GAMMA1 - coefficient0; + simd_unit.coefficients[4 * i + 1] = GAMMA1 - coefficient1; + simd_unit.coefficients[4 * i + 2] = GAMMA1 - coefficient2; + simd_unit.coefficients[4 * i + 3] = GAMMA1 - coefficient3; + } } simd_unit } + #[inline(always)] fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { // Each set of 5 bytes deserializes to 2 elements, and since each PortableSIMDUnit @@ -112,18 +122,20 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { let mut simd_unit = ZERO(); - for (i, bytes) in serialized.chunks_exact(5).enumerate() { - let mut coefficient0 = bytes[0] as i32; - coefficient0 |= (bytes[1] as i32) << 8; - coefficient0 |= (bytes[2] as i32) << 16; - coefficient0 &= GAMMA1_TIMES_2_BITMASK; + cloop! { + for (i, bytes) in serialized.chunks_exact(5).enumerate() { + let mut coefficient0 = bytes[0] as i32; + coefficient0 |= (bytes[1] as i32) << 8; + coefficient0 |= (bytes[2] as i32) << 16; + coefficient0 &= GAMMA1_TIMES_2_BITMASK; - let mut coefficient1 = (bytes[2] as i32) >> 4; - coefficient1 |= (bytes[3] as i32) << 4; - coefficient1 |= (bytes[4] as i32) << 12; + let mut coefficient1 = (bytes[2] as i32) >> 4; + coefficient1 |= (bytes[3] as i32) << 4; + coefficient1 |= (bytes[4] as i32) << 12; - simd_unit.coefficients[2 * i] = GAMMA1 - coefficient0; - simd_unit.coefficients[2 * i + 1] = GAMMA1 - coefficient1; + simd_unit.coefficients[2 * i] = GAMMA1 - coefficient0; + simd_unit.coefficients[2 * i + 1] = GAMMA1 - coefficient1; + } } simd_unit diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs index c0fc9de40..5e39a338c 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs @@ -1,4 +1,4 @@ -use crate::constants::BITS_IN_UPPER_PART_OF_T; +use crate::{constants::BITS_IN_UPPER_PART_OF_T, helper::cloop}; use super::super::vector_type::{PortableSIMDUnit, ZERO}; @@ -6,15 +6,17 @@ use super::super::vector_type::{PortableSIMDUnit, ZERO}; pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { let mut serialized = [0u8; 10]; - for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { - serialized[5 * i] = (coefficients[0] & 0xFF) as u8; - serialized[5 * i + 1] = - ((coefficients[1] & 0x3F) as u8) << 2 | ((coefficients[0] >> 8) & 0x03) as u8; - serialized[5 * i + 2] = - ((coefficients[2] & 0x0F) as u8) << 4 | ((coefficients[1] >> 6) & 0x0F) as u8; - serialized[5 * i + 3] = - ((coefficients[3] & 0x03) as u8) << 6 | ((coefficients[2] >> 4) & 0x3F) as u8; - serialized[5 * i + 4] = ((coefficients[3] >> 2) & 0xFF) as u8; + cloop! { + for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { + serialized[5 * i] = (coefficients[0] & 0xFF) as u8; + serialized[5 * i + 1] = + ((coefficients[1] & 0x3F) as u8) << 2 | ((coefficients[0] >> 8) & 0x03) as u8; + serialized[5 * i + 2] = + ((coefficients[2] & 0x0F) as u8) << 4 | ((coefficients[1] >> 6) & 0x0F) as u8; + serialized[5 * i + 3] = + ((coefficients[3] & 0x03) as u8) << 6 | ((coefficients[2] >> 4) & 0x3F) as u8; + serialized[5 * i + 4] = ((coefficients[3] >> 2) & 0xFF) as u8; + } } serialized @@ -27,17 +29,19 @@ pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { let mut simd_unit = ZERO(); let mask = (1 << BITS_IN_UPPER_PART_OF_T) - 1; - for (i, bytes) in serialized.chunks_exact(5).enumerate() { - let byte0 = bytes[0] as i32; - let byte1 = bytes[1] as i32; - let byte2 = bytes[2] as i32; - let byte3 = bytes[3] as i32; - let byte4 = bytes[4] as i32; - - simd_unit.coefficients[4 * i] = (byte0 | (byte1 << 8)) & mask; - simd_unit.coefficients[4 * i + 1] = ((byte1 >> 2) | (byte2 << 6)) & mask; - simd_unit.coefficients[4 * i + 2] = ((byte2 >> 4) | (byte3 << 4)) & mask; - simd_unit.coefficients[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask; + cloop! { + for (i, bytes) in serialized.chunks_exact(5).enumerate() { + let byte0 = bytes[0] as i32; + let byte1 = bytes[1] as i32; + let byte2 = bytes[2] as i32; + let byte3 = bytes[3] as i32; + let byte4 = bytes[4] as i32; + + simd_unit.coefficients[4 * i] = (byte0 | (byte1 << 8)) & mask; + simd_unit.coefficients[4 * i + 1] = ((byte1 >> 2) | (byte2 << 6)) & mask; + simd_unit.coefficients[4 * i + 2] = ((byte2 >> 4) | (byte3 << 4)) & mask; + simd_unit.coefficients[4 * i + 3] = ((byte3 >> 6) | (byte4 << 2)) & mask; + } } simd_unit From 3485de7beb6c6fa80145fb882a9cf31239121714 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sat, 7 Dec 2024 07:01:02 +0000 Subject: [PATCH 14/27] more loop cleanups --- libcrux-ml-dsa/src/encoding/commitment.rs | 56 +++++-------------- libcrux-ml-dsa/src/simd/avx2.rs | 4 +- .../src/simd/avx2/encoding/commitment.rs | 8 +-- libcrux-ml-dsa/src/simd/portable.rs | 4 +- .../src/simd/portable/encoding/commitment.rs | 42 +++++++------- libcrux-ml-dsa/src/simd/traits.rs | 2 +- 6 files changed, 45 insertions(+), 71 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index ecb4d48ba..169c75654 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -1,45 +1,16 @@ use crate::{helper::cloop, polynomial::PolynomialRingElement, simd::traits::Operations}; #[inline(always)] -fn serialize( - re: PolynomialRingElement, -) -> [u8; OUTPUT_SIZE] { - let mut serialized = [0u8; OUTPUT_SIZE]; - - match OUTPUT_SIZE as u8 { - 128 => { - // The commitment has coefficients in [0,15] => each coefficient occupies - // 4 bits. Each SIMD unit contains 8 elements, which means each - // SIMD unit will serialize to (8 * 4) / 8 = 4 bytes. - const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 4; - - for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice( - &SIMDUnit::commitment_serialize::(*simd_unit), - ); - } - - serialized - } - - 192 => { - // The commitment has coefficients in [0,15] => each coefficient occupies - // 6 bits. Each SIMD unit contains 8 elements, which means each - // SIMD unit will serialize to (8 * 6) / 8 = 6 bytes. - const OUTPUT_BYTES_PER_SIMD_UNIT: usize = 6; - - for (i, simd_unit) in re.simd_units.iter().enumerate() { - serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT] - .copy_from_slice( - &SIMDUnit::commitment_serialize::(*simd_unit), - ); - } +fn serialize(re: PolynomialRingElement, serialized: &mut [u8]) { + let output_bytes_per_simd_unit = serialized.len() / (8 * 4); - serialized + cloop! { + for (i, simd_unit) in re.simd_units.iter().enumerate() { + SIMDUnit::commitment_serialize( + *simd_unit, + &mut serialized[i * output_bytes_per_simd_unit..(i + 1) * output_bytes_per_simd_unit], + ); } - - _ => unreachable!(), } } @@ -57,8 +28,7 @@ pub(crate) fn serialize_vector< cloop! { for ring_element in vector.iter() { - serialized[offset..offset + RING_ELEMENT_SIZE] - .copy_from_slice(&serialize::(*ring_element)); + serialize::(*ring_element, &mut serialized[offset..offset + RING_ELEMENT_SIZE]); offset += RING_ELEMENT_SIZE; } } @@ -107,7 +77,9 @@ mod tests { 149, ]; - assert_eq!(serialize::(re), serialized); + let mut result = [0u8; 192]; + serialize::(re, &mut result); + assert_eq!(result, serialized); // Test serialization when LOW_ORDER_ROUNDING_RANGE = 261,888 let coefficients = [ @@ -134,7 +106,9 @@ mod tests { 64, 117, 190, 98, 179, 38, 80, 88, 89, 9, 34, 243, 128, 219, 98, 11, ]; - assert_eq!(serialize::(re), serialized); + let mut result = [0u8; 128]; + serialize::(re, &mut result); + assert_eq!(result, serialized); } #[cfg(not(feature = "simd256"))] diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 0142a7597..d337bab1a 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -95,8 +95,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - fn commitment_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { - encoding::commitment::serialize::(simd_unit.coefficients) + fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]) { + encoding::commitment::serialize(simd_unit.coefficients, serialized) } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs index c8a3e40a1..de6f45d6e 100644 --- a/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/avx2/encoding/commitment.rs @@ -1,10 +1,10 @@ use libcrux_intrinsics::avx2::*; #[inline(always)] -pub fn serialize(simd_unit: Vec256) -> [u8; OUTPUT_SIZE] { +pub(in crate::simd::avx2) fn serialize(simd_unit: Vec256, out: &mut [u8]) { let mut serialized = [0u8; 19]; - match OUTPUT_SIZE as u8 { + match out.len() as u8 { 4 => { let adjacent_2_combined = mm256_sllv_epi32(simd_unit, mm256_set_epi32(0, 28, 0, 28, 0, 28, 0, 28)); @@ -25,7 +25,7 @@ pub fn serialize(simd_unit: Vec256) -> [u8; OUTPUT_SIZ mm_storeu_bytes_si128(&mut serialized[0..16], adjacent_4_combined); - serialized[0..4].try_into().unwrap() + out.copy_from_slice(&serialized[0..4]); } 6 => { @@ -56,7 +56,7 @@ pub fn serialize(simd_unit: Vec256) -> [u8; OUTPUT_SIZ let upper_3 = mm256_extracti128_si256::<1>(adjacent_3_combined); mm_storeu_bytes_si128(&mut serialized[3..19], upper_3); - serialized[0..6].try_into().unwrap() + out.copy_from_slice(&serialized[0..6]); } _ => unreachable!(), diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 6478ac271..fff2c9b98 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs @@ -76,8 +76,8 @@ impl Operations for PortableSIMDUnit { encoding::gamma1::deserialize::(serialized) } - fn commitment_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { - encoding::commitment::serialize(simd_unit) + fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]) { + encoding::commitment::serialize(simd_unit, serialized) } fn error_serialize(simd_unit: Self, serialized: &mut [u8]) { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs index 6ffafe423..7265d973f 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs @@ -1,38 +1,38 @@ +use crate::helper::cloop; + use super::super::vector_type::PortableSIMDUnit; #[inline(always)] -pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; OUTPUT_SIZE] { - let mut serialized = [0u8; OUTPUT_SIZE]; - - match OUTPUT_SIZE as u8 { +pub fn serialize(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { + match serialized.len() as u8 { 4 => { // The commitment has coefficients in [0,15] => each coefficient occupies // 4 bits. - for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { - let coefficient0 = coefficients[0] as u8; - let coefficient1 = coefficients[1] as u8; + cloop! { + for (i, coefficients) in simd_unit.coefficients.chunks_exact(2).enumerate() { + let coefficient0 = coefficients[0] as u8; + let coefficient1 = coefficients[1] as u8; - serialized[i] = (coefficient1 << 4) | coefficient0; + serialized[i] = (coefficient1 << 4) | coefficient0; + } } - - serialized } 6 => { // The commitment has coefficients in [0,43] => each coefficient occupies // 6 bits. - for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { - let coefficient0 = coefficients[0] as u8; - let coefficient1 = coefficients[1] as u8; - let coefficient2 = coefficients[2] as u8; - let coefficient3 = coefficients[3] as u8; - - serialized[3 * i] = (coefficient1 << 6) | coefficient0; - serialized[3 * i + 1] = (coefficient2 << 4) | coefficient1 >> 2; - serialized[3 * i + 2] = (coefficient3 << 2) | coefficient2 >> 4; + cloop! { + for (i, coefficients) in simd_unit.coefficients.chunks_exact(4).enumerate() { + let coefficient0 = coefficients[0] as u8; + let coefficient1 = coefficients[1] as u8; + let coefficient2 = coefficients[2] as u8; + let coefficient3 = coefficients[3] as u8; + + serialized[3 * i] = (coefficient1 << 6) | coefficient0; + serialized[3 * i + 1] = (coefficient2 << 4) | coefficient1 >> 2; + serialized[3 * i + 2] = (coefficient3 << 2) | coefficient2 >> 4; + } } - - serialized } _ => unreachable!(), diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 38b7bf3d4..30505cedb 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs @@ -57,7 +57,7 @@ pub(crate) trait Operations: Copy + Clone { fn gamma1_deserialize(serialized: &[u8]) -> Self; // Commitment - fn commitment_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE]; + fn commitment_serialize(simd_unit: Self, serialized: &mut [u8]); // Error fn error_serialize(simd_unit: Self, serialized: &mut [u8]); From 5686e51625fd092f7954b98668be4f9f3e3f0143 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sat, 7 Dec 2024 10:32:10 +0000 Subject: [PATCH 15/27] more cleanup for hax/eurydice --- libcrux-ml-dsa/src/matrix.rs | 30 ++++++----- libcrux-ml-dsa/src/ml_dsa_generic.rs | 80 ++++++++++++++-------------- 2 files changed, 58 insertions(+), 52 deletions(-) diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index a981c4860..e5ed49f05 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -125,21 +125,25 @@ pub(crate) fn compute_w_approx< ) -> [PolynomialRingElement; ROWS_IN_A] { let mut result = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; - for (i, row) in A_as_ntt.iter().enumerate() { - for (j, ring_element) in row.iter().enumerate() { - let product = ntt_multiply_montgomery(&ring_element, &ntt(signer_response[j])); + cloop! { + for (i, row) in A_as_ntt.iter().enumerate() { + cloop! { + for (j, ring_element) in row.iter().enumerate() { + let product = ntt_multiply_montgomery(&ring_element, &ntt(signer_response[j])); - result[i] = PolynomialRingElement::::add(&result[i], &product); - } + result[i] = PolynomialRingElement::::add(&result[i], &product); + } + } - let t1_shifted = - shift_left_then_reduce::(t1[i]); - let challenge_times_t1_shifted = - ntt_multiply_montgomery(&verifier_challenge_as_ntt, &ntt(t1_shifted)); - result[i] = invert_ntt_montgomery(PolynomialRingElement::::subtract( - &result[i], - &challenge_times_t1_shifted, - )); + let t1_shifted = + shift_left_then_reduce::(t1[i]); + let challenge_times_t1_shifted = + ntt_multiply_montgomery(&verifier_challenge_as_ntt, &ntt(t1_shifted)); + result[i] = invert_ntt_montgomery(PolynomialRingElement::::subtract( + &result[i], + &challenge_times_t1_shifted, + )); + } } result diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index e76a816be..9dad8ee1f 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -352,53 +352,55 @@ pub(crate) fn sign_internal< signer_response_candidate, (1 << GAMMA1_EXPONENT) - BETA, ) { - } else { - if vector_infinity_norm_exceeds::( - w0_minus_challenge_times_s2, - GAMMA2 - BETA, - ) { - } else { - let challenge_times_t0 = vector_times_ring_element::( - &t0_as_ntt, - &verifier_challenge_as_ntt, - ); - if vector_infinity_norm_exceeds::(challenge_times_t0, GAMMA2) { - } else { - let w0_minus_c_times_s2_plus_c_times_t0 = add_vectors::( - &w0_minus_challenge_times_s2, - &challenge_times_t0, - ); - let (hint_candidate, ones_in_hint) = make_hint::( - w0_minus_c_times_s2_plus_c_times_t0, - commitment, - ); - - if ones_in_hint > MAX_ONES_IN_HINT { - } else { - attempt = REJECTION_SAMPLE_BOUND_SIGN; // exit loop now - commitment_hash = Some(commitment_hash_candidate); - signer_response = Some(signer_response_candidate); - hint = Some(hint_candidate); - } - } - } + continue; + } + + if vector_infinity_norm_exceeds::( + w0_minus_challenge_times_s2, + GAMMA2 - BETA, + ) { + continue; + } + + let challenge_times_t0 = vector_times_ring_element::( + &t0_as_ntt, + &verifier_challenge_as_ntt, + ); + if vector_infinity_norm_exceeds::(challenge_times_t0, GAMMA2) { + continue; } + + let w0_minus_c_times_s2_plus_c_times_t0 = + add_vectors::(&w0_minus_challenge_times_s2, &challenge_times_t0); + let (hint_candidate, ones_in_hint) = make_hint::( + w0_minus_c_times_s2_plus_c_times_t0, + commitment, + ); + + if ones_in_hint > MAX_ONES_IN_HINT { + continue; + } + + attempt = REJECTION_SAMPLE_BOUND_SIGN; // exit loop now + commitment_hash = Some(commitment_hash_candidate); + signer_response = Some(signer_response_candidate); + hint = Some(hint_candidate); } let commitment_hash = match commitment_hash { - Some(commitment_hash) => Ok(commitment_hash), - None => Err(SigningError::RejectionSamplingError), - }?; + Some(commitment_hash) => commitment_hash, + None => return Err(SigningError::RejectionSamplingError), + }; let signer_response = match signer_response { - Some(signer_response) => Ok(signer_response), - None => Err(SigningError::RejectionSamplingError), - }?; + Some(signer_response) => signer_response, + None => return Err(SigningError::RejectionSamplingError), + }; let hint = match hint { - Some(hint) => Ok(hint), - None => Err(SigningError::RejectionSamplingError), - }?; + Some(hint) => hint, + None => return Err(SigningError::RejectionSamplingError), + }; let signature = Signature:: { commitment_hash, From d0dff3082f14c43ac616a8b8ee220eecfb6a050f Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sat, 7 Dec 2024 10:41:03 +0000 Subject: [PATCH 16/27] extracting portable without eurydice failures --- libcrux-ml-dsa/src/encoding/t0.rs | 8 +++++--- libcrux-ml-dsa/src/matrix.rs | 24 +++++++++++++++--------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index aec3c11c0..f59186d10 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -41,9 +41,11 @@ pub(crate) fn deserialize_to_vector_then_ntt [PolynomialRingElement; DIMENSION] { let mut ring_elements = [PolynomialRingElement::::ZERO(); DIMENSION]; - for (i, bytes) in serialized.chunks(RING_ELEMENT_OF_T0S_SIZE).enumerate() { - deserialize::(bytes, &mut ring_elements[i]); - ring_elements[i] = ntt(ring_elements[i]); + cloop! { + for (i, bytes) in serialized.chunks_exact(RING_ELEMENT_OF_T0S_SIZE).enumerate() { + deserialize::(bytes, &mut ring_elements[i]); + ring_elements[i] = ntt(ring_elements[i]); + } } ring_elements diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index e5ed49f05..83c00fa0e 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -52,13 +52,17 @@ pub(crate) fn compute_A_times_mask< ) -> [PolynomialRingElement; ROWS_IN_A] { let mut result = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; - for (i, row) in A_as_ntt.iter().enumerate() { - for (j, ring_element) in row.iter().enumerate() { - let product = ntt_multiply_montgomery(&ring_element, &ntt(mask[j])); - result[i] = PolynomialRingElement::::add(&result[i], &product); - } + cloop! { + for (i, row) in A_as_ntt.iter().enumerate() { + cloop! { + for (j, ring_element) in row.iter().enumerate() { + let product = ntt_multiply_montgomery(&ring_element, &ntt(mask[j])); + result[i] = PolynomialRingElement::::add(&result[i], &product); + } + } - result[i] = invert_ntt_montgomery(result[i]); + result[i] = invert_ntt_montgomery(result[i]); + } } result @@ -72,9 +76,11 @@ pub(crate) fn vector_times_ring_element [PolynomialRingElement; DIMENSION] { let mut result = [PolynomialRingElement::::ZERO(); DIMENSION]; - for (i, vector_ring_element) in vector.iter().enumerate() { - result[i] = - invert_ntt_montgomery(ntt_multiply_montgomery(vector_ring_element, ring_element)); + cloop! { + for (i, vector_ring_element) in vector.iter().enumerate() { + result[i] = + invert_ntt_montgomery(ntt_multiply_montgomery(vector_ring_element, ring_element)); + } } result From d4b51bcb3af12fb1358ed37830e33cbd72d31590 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sat, 7 Dec 2024 12:51:15 +0000 Subject: [PATCH 17/27] fixes for hax --- libcrux-ml-dsa/src/encoding/commitment.rs | 1 + libcrux-ml-dsa/src/encoding/error.rs | 2 + libcrux-ml-dsa/src/encoding/gamma1.rs | 2 + libcrux-ml-dsa/src/encoding/t0.rs | 2 + libcrux-ml-dsa/src/ml_dsa_generic.rs | 70 ++++++++++--------- .../src/simd/portable/encoding/commitment.rs | 2 + .../src/simd/portable/encoding/error.rs | 1 + .../src/simd/portable/encoding/gamma1.rs | 2 + 8 files changed, 50 insertions(+), 32 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/commitment.rs b/libcrux-ml-dsa/src/encoding/commitment.rs index 169c75654..c5c5580ea 100644 --- a/libcrux-ml-dsa/src/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/encoding/commitment.rs @@ -12,6 +12,7 @@ fn serialize(re: PolynomialRingElement, serializ ); } } + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 9d62d4fec..93a6cd665 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -15,6 +15,7 @@ pub(crate) fn serialize( result.simd_units[i] = SIMDUnit::error_deserialize::(&serialized[i * chunk_size..(i + 1) * chunk_size]); } + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/encoding/gamma1.rs b/libcrux-ml-dsa/src/encoding/gamma1.rs index 20c7e6a5b..1849b9ff7 100644 --- a/libcrux-ml-dsa/src/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/encoding/gamma1.rs @@ -13,6 +13,7 @@ pub(crate) fn serialize( ); } } + () } #[inline(always)] @@ -25,6 +26,7 @@ pub(crate) fn deserialize( &serialized[i * (GAMMA1_EXPONENT + 1)..(i + 1) * (GAMMA1_EXPONENT + 1)], ); } + () } #[cfg(test)] diff --git a/libcrux-ml-dsa/src/encoding/t0.rs b/libcrux-ml-dsa/src/encoding/t0.rs index f59186d10..a44cffe34 100644 --- a/libcrux-ml-dsa/src/encoding/t0.rs +++ b/libcrux-ml-dsa/src/encoding/t0.rs @@ -21,6 +21,7 @@ pub(crate) fn serialize( .copy_from_slice(&SIMDUnit::t0_serialize(*simd_unit)); } } + () } #[inline(always)] @@ -33,6 +34,7 @@ fn deserialize( &serialized[i * OUTPUT_BYTES_PER_SIMD_UNIT..(i + 1) * OUTPUT_BYTES_PER_SIMD_UNIT], ); } + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 9dad8ee1f..c3020c87e 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -352,39 +352,45 @@ pub(crate) fn sign_internal< signer_response_candidate, (1 << GAMMA1_EXPONENT) - BETA, ) { - continue; - } - - if vector_infinity_norm_exceeds::( - w0_minus_challenge_times_s2, - GAMMA2 - BETA, - ) { - continue; - } - - let challenge_times_t0 = vector_times_ring_element::( - &t0_as_ntt, - &verifier_challenge_as_ntt, - ); - if vector_infinity_norm_exceeds::(challenge_times_t0, GAMMA2) { - continue; - } - - let w0_minus_c_times_s2_plus_c_times_t0 = - add_vectors::(&w0_minus_challenge_times_s2, &challenge_times_t0); - let (hint_candidate, ones_in_hint) = make_hint::( - w0_minus_c_times_s2_plus_c_times_t0, - commitment, - ); - - if ones_in_hint > MAX_ONES_IN_HINT { - continue; + // XXX: https://github.com/hacspec/hax/issues/1171 + // continue; + } else { + if vector_infinity_norm_exceeds::( + w0_minus_challenge_times_s2, + GAMMA2 - BETA, + ) { + // XXX: https://github.com/hacspec/hax/issues/1171 + // continue; + } else { + let challenge_times_t0 = vector_times_ring_element::( + &t0_as_ntt, + &verifier_challenge_as_ntt, + ); + if vector_infinity_norm_exceeds::(challenge_times_t0, GAMMA2) { + // XXX: https://github.com/hacspec/hax/issues/1171 + // continue; + } else { + let w0_minus_c_times_s2_plus_c_times_t0 = add_vectors::( + &w0_minus_challenge_times_s2, + &challenge_times_t0, + ); + let (hint_candidate, ones_in_hint) = make_hint::( + w0_minus_c_times_s2_plus_c_times_t0, + commitment, + ); + + if ones_in_hint > MAX_ONES_IN_HINT { + // XXX: https://github.com/hacspec/hax/issues/1171 + // continue; + } else { + attempt = REJECTION_SAMPLE_BOUND_SIGN; // exit loop now + commitment_hash = Some(commitment_hash_candidate); + signer_response = Some(signer_response_candidate); + hint = Some(hint_candidate); + } + } + } } - - attempt = REJECTION_SAMPLE_BOUND_SIGN; // exit loop now - commitment_hash = Some(commitment_hash_candidate); - signer_response = Some(signer_response_candidate); - hint = Some(hint_candidate); } let commitment_hash = match commitment_hash { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs index 7265d973f..cfc65ef45 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs @@ -16,6 +16,7 @@ pub fn serialize(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { serialized[i] = (coefficient1 << 4) | coefficient0; } } + () } 6 => { @@ -33,6 +34,7 @@ pub fn serialize(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { serialized[3 * i + 2] = (coefficient3 << 2) | coefficient2 >> 4; } } + () } _ => unreachable!(), diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index 4013a5152..5e84a571a 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -33,6 +33,7 @@ fn serialize_when_eta_is_4(simd_unit: PortableSIMDUnit, serialized: &mut [u8]) { serialized[i] = (coefficient1 << 4) | coefficient0; } } + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index 1976639f8..5cb53f344 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -33,6 +33,7 @@ fn serialize_when_gamma1_is_2_pow_17(simd_unit: PortableSIMDUnit, serialized: &m serialized[9 * i + 8] = (coefficient3 >> 10) as u8; } } + () } #[inline(always)] @@ -54,6 +55,7 @@ fn serialize_when_gamma1_is_2_pow_19(simd_unit: PortableSIMDUnit, serialized: &m serialized[5 * i + 4] = (coefficient1 >> 12) as u8; } } + () } #[inline(always)] From 523b6312be01e2df3f20b3e8472c86b46dec211c Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sat, 7 Dec 2024 19:05:58 +0000 Subject: [PATCH 18/27] C and F* extraction --- libcrux-ml-dsa/src/encoding/t1.rs | 19 ++-- .../src/encoding/verification_key.rs | 3 +- libcrux-ml-dsa/src/matrix.rs | 15 ++- libcrux-ml-dsa/src/ml_dsa_generic.rs | 95 +++++++++---------- libcrux-ml-dsa/src/sample.rs | 24 ++--- libcrux-ml-dsa/src/simd/portable/sample.rs | 74 ++++++++------- 6 files changed, 120 insertions(+), 110 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index 07d3c5b72..4f72fe98b 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -25,16 +25,12 @@ pub(crate) fn serialize( pub(crate) fn deserialize( serialized: &[u8], -) -> PolynomialRingElement { - let mut serialized_chunks = serialized.chunks(10); - - let mut result = PolynomialRingElement::ZERO(); - + result: &mut PolynomialRingElement, +) { for i in 0..result.simd_units.len() { - result.simd_units[i] = SIMDUnit::t1_deserialize(&serialized_chunks.next().unwrap()); + result.simd_units[i] = SIMDUnit::t1_deserialize(&serialized[i * 10..(i + 1) * 10]); } - - result + () } #[cfg(test)] @@ -126,10 +122,9 @@ mod tests { 226, 479, 381, 932, 464, 451, 915, 206, 410, 402, 900, ]; - assert_eq!( - deserialize::(&serialized).to_i32_array(), - expected_coefficients - ); + let mut deserialized = PolynomialRingElement::::ZERO(); + deserialize::(&serialized, &mut deserialized); + assert_eq!(deserialized.to_i32_array(), expected_coefficients); } #[cfg(not(feature = "simd256"))] diff --git a/libcrux-ml-dsa/src/encoding/verification_key.rs b/libcrux-ml-dsa/src/encoding/verification_key.rs index 85dd728d5..82fe68a53 100644 --- a/libcrux-ml-dsa/src/encoding/verification_key.rs +++ b/libcrux-ml-dsa/src/encoding/verification_key.rs @@ -46,8 +46,9 @@ pub(crate) fn deserialize< let (seed_for_A, serialized_remaining) = serialized.split_at(SEED_FOR_A_SIZE); for i in 0..ROWS_IN_A { - t1[i] = t1::deserialize::( + t1::deserialize::( &serialized_remaining[i * RING_ELEMENT_OF_T1S_SIZE..(i + 1) * RING_ELEMENT_OF_T1S_SIZE], + &mut t1[i], ); } diff --git a/libcrux-ml-dsa/src/matrix.rs b/libcrux-ml-dsa/src/matrix.rs index 83c00fa0e..fdab00401 100644 --- a/libcrux-ml-dsa/src/matrix.rs +++ b/libcrux-ml-dsa/src/matrix.rs @@ -51,12 +51,13 @@ pub(crate) fn compute_A_times_mask< mask: &[PolynomialRingElement; COLUMNS_IN_A], ) -> [PolynomialRingElement; ROWS_IN_A] { let mut result = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + let mask_ntt = mask.map(|s| ntt::(s)); cloop! { for (i, row) in A_as_ntt.iter().enumerate() { cloop! { for (j, ring_element) in row.iter().enumerate() { - let product = ntt_multiply_montgomery(&ring_element, &ntt(mask[j])); + let product = ntt_multiply_montgomery(&ring_element, &mask_ntt[j]); result[i] = PolynomialRingElement::::add(&result[i], &product); } } @@ -125,17 +126,22 @@ pub(crate) fn compute_w_approx< const COLUMNS_IN_A: usize, >( A_as_ntt: &[[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A], - signer_response: [PolynomialRingElement; COLUMNS_IN_A], + mut signer_response: [PolynomialRingElement; COLUMNS_IN_A], verifier_challenge_as_ntt: PolynomialRingElement, t1: [PolynomialRingElement; ROWS_IN_A], ) -> [PolynomialRingElement; ROWS_IN_A] { let mut result = [PolynomialRingElement::::ZERO(); ROWS_IN_A]; + // Move signer response into NTT + for i in 0..signer_response.len() { + signer_response[i] = ntt(signer_response[i]); + } + cloop! { for (i, row) in A_as_ntt.iter().enumerate() { cloop! { for (j, ring_element) in row.iter().enumerate() { - let product = ntt_multiply_montgomery(&ring_element, &ntt(signer_response[j])); + let product = ntt_multiply_montgomery(&ring_element, &signer_response[j]); result[i] = PolynomialRingElement::::add(&result[i], &product); } @@ -143,8 +149,9 @@ pub(crate) fn compute_w_approx< let t1_shifted = shift_left_then_reduce::(t1[i]); + let t1_shifted = ntt(t1_shifted); let challenge_times_t1_shifted = - ntt_multiply_montgomery(&verifier_challenge_as_ntt, &ntt(t1_shifted)); + ntt_multiply_montgomery(&verifier_challenge_as_ntt, &t1_shifted); result[i] = invert_ntt_montgomery(PolynomialRingElement::::subtract( &result[i], &challenge_times_t1_shifted, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index c3020c87e..717861772 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -508,65 +508,64 @@ pub(crate) fn verify_internal< }; // We use if-else branches because early returns will not go through hax. - if !vector_infinity_norm_exceeds::( + if vector_infinity_norm_exceeds::( signature.signer_response, (2 << GAMMA1_EXPONENT) - BETA, ) { - let A_as_ntt = - samplex4::matrix_A::(into_padded_array(&seed_for_A)); + return Err(VerificationError::SignerResponseExceedsBoundError); + } + let A_as_ntt = + samplex4::matrix_A::(into_padded_array(&seed_for_A)); - let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; - Shake256::shake256::( - verification_key_serialized, - &mut verification_key_hash, - ); - let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; - derive_message_representative::( - verification_key_hash, - domain_separation_context, - message, - &mut message_representative, - ); + let mut verification_key_hash = [0; BYTES_FOR_VERIFICATION_KEY_HASH]; + Shake256::shake256::( + verification_key_serialized, + &mut verification_key_hash, + ); + let mut message_representative = [0; MESSAGE_REPRESENTATIVE_SIZE]; + derive_message_representative::( + verification_key_hash, + domain_separation_context, + message, + &mut message_representative, + ); - let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::< - SIMDUnit, - Shake256, - ONES_IN_VERIFIER_CHALLENGE, - COMMITMENT_HASH_SIZE, - >(signature.commitment_hash)); + let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::< + SIMDUnit, + Shake256, + ONES_IN_VERIFIER_CHALLENGE, + COMMITMENT_HASH_SIZE, + >(signature.commitment_hash)); - let w_approx = compute_w_approx::( - &A_as_ntt, - signature.signer_response, - verifier_challenge_as_ntt, - t1, - ); + let w_approx = compute_w_approx::( + &A_as_ntt, + signature.signer_response, + verifier_challenge_as_ntt, + t1, + ); - let mut commitment_hash = [0; COMMITMENT_HASH_SIZE]; - { - let commitment = use_hint::(signature.hint, w_approx); - let commitment_serialized = encoding::commitment::serialize_vector::< - SIMDUnit, - ROWS_IN_A, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - >(commitment); + let mut commitment_hash = [0; COMMITMENT_HASH_SIZE]; + { + let commitment = use_hint::(signature.hint, w_approx); + let commitment_serialized = encoding::commitment::serialize_vector::< + SIMDUnit, + ROWS_IN_A, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + >(commitment); - let mut shake = Shake256Xof::init(); - shake.absorb(&message_representative); - shake.absorb_final(&commitment_serialized); + let mut shake = Shake256Xof::init(); + shake.absorb(&message_representative); + shake.absorb_final(&commitment_serialized); - shake.squeeze(&mut commitment_hash); - } + shake.squeeze(&mut commitment_hash); + } - if signature.commitment_hash != commitment_hash { - Err(VerificationError::CommitmentHashesDontMatchError) - } else { - Ok(()) - } - } else { - Err(VerificationError::SignerResponseExceedsBoundError) + if signature.commitment_hash == commitment_hash { + return Ok(()); } + + return Err(VerificationError::CommitmentHashesDontMatchError); } #[allow(non_snake_case)] diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index ed61cbe7e..96ab1655f 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -441,18 +441,20 @@ fn inside_out_shuffle( ) -> bool { let mut done = false; - for byte in randomness { - if !done { - let sample_at = *byte as usize; - if sample_at <= *out_index { - result[*out_index] = result[sample_at]; - *out_index += 1; - - result[sample_at] = 1 - 2 * ((*signs & 1) as i32); - *signs >>= 1; - } + cloop! { + for byte in randomness.iter() { + if !done { + let sample_at = *byte as usize; + if sample_at <= *out_index { + result[*out_index] = result[sample_at]; + *out_index += 1; - done = *out_index == result.len(); + result[sample_at] = 1 - 2 * ((*signs & 1) as i32); + *signs >>= 1; + } + + done = *out_index == result.len(); + } } } diff --git a/libcrux-ml-dsa/src/simd/portable/sample.rs b/libcrux-ml-dsa/src/simd/portable/sample.rs index 3f06380c5..8025024a5 100644 --- a/libcrux-ml-dsa/src/simd/portable/sample.rs +++ b/libcrux-ml-dsa/src/simd/portable/sample.rs @@ -1,19 +1,21 @@ -use crate::constants::FIELD_MODULUS; +use crate::{constants::FIELD_MODULUS, helper::cloop}; #[inline(always)] pub fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize { let mut sampled = 0; - for bytes in randomness.chunks(3) { - let b0 = bytes[0] as i32; - let b1 = bytes[1] as i32; - let b2 = bytes[2] as i32; + cloop! { + for bytes in randomness.chunks_exact(3) { + let b0 = bytes[0] as i32; + let b1 = bytes[1] as i32; + let b2 = bytes[2] as i32; - let coefficient = ((b2 << 16) | (b1 << 8) | b0) & 0x00_7F_FF_FF; + let coefficient = ((b2 << 16) | (b1 << 8) | b0) & 0x00_7F_FF_FF; - if coefficient < FIELD_MODULUS { - out[sampled] = coefficient; - sampled += 1; + if coefficient < FIELD_MODULUS { + out[sampled] = coefficient; + sampled += 1; + } } } @@ -24,28 +26,30 @@ pub fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i3 pub fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32]) -> usize { let mut sampled = 0; - for byte in randomness { - let try_0 = byte & 0xF; - let try_1 = byte >> 4; + cloop! { + for byte in randomness.iter() { + let try_0 = byte & 0xF; + let try_1 = byte >> 4; - if try_0 < 15 { - let try_0 = try_0 as i32; + if try_0 < 15 { + let try_0 = try_0 as i32; - // (try_0 * 26) >> 7 computes ⌊try_0 / 5⌋ - let try_0_mod_5 = try_0 - ((try_0 * 26) >> 7) * 5; + // (try_0 * 26) >> 7 computes ⌊try_0 / 5⌋ + let try_0_mod_5 = try_0 - ((try_0 * 26) >> 7) * 5; - out[sampled] = 2 - try_0_mod_5; + out[sampled] = 2 - try_0_mod_5; - sampled += 1; - } + sampled += 1; + } - if try_1 < 15 { - let try_1 = try_1 as i32; - let try_1_mod_5 = try_1 - ((try_1 * 26) >> 7) * 5; + if try_1 < 15 { + let try_1 = try_1 as i32; + let try_1_mod_5 = try_1 - ((try_1 * 26) >> 7) * 5; - out[sampled] = 2 - try_1_mod_5; + out[sampled] = 2 - try_1_mod_5; - sampled += 1; + sampled += 1; + } } } @@ -56,18 +60,20 @@ pub fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32 pub fn rejection_sample_less_than_eta_equals_4(randomness: &[u8], out: &mut [i32]) -> usize { let mut sampled = 0; - for byte in randomness { - let try_0 = byte & 0xF; - let try_1 = byte >> 4; + cloop! { + for byte in randomness.iter() { + let try_0 = byte & 0xF; + let try_1 = byte >> 4; - if try_0 < 9 { - out[sampled] = 4 - (try_0 as i32); - sampled += 1; - } + if try_0 < 9 { + out[sampled] = 4 - (try_0 as i32); + sampled += 1; + } - if try_1 < 9 { - out[sampled] = 4 - (try_1 as i32); - sampled += 1; + if try_1 < 9 { + out[sampled] = 4 - (try_1 as i32); + sampled += 1; + } } } From 776fe1b5882f65bb375a064e963e03e1e57f0a2a Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sat, 7 Dec 2024 19:06:41 +0000 Subject: [PATCH 19/27] C extraction; not working --- libcrux-ml-dsa/cg/CMakeLists.txt | 2 +- libcrux-ml-dsa/cg/code_gen.txt | 2 +- libcrux-ml-dsa/cg/eurydice_glue.h | 17 + libcrux-ml-dsa/cg/header.txt | 2 +- libcrux-ml-dsa/cg/libcrux_core.h | 189 +- libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 3354 ++++++++++++- libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 4697 +++++++++++++++--- libcrux-ml-dsa/cg/libcrux_sha3_avx2.h | 2 +- libcrux-ml-dsa/cg/libcrux_sha3_portable.h | 2 +- libcrux-ml-dsa/cg/tests/mldsa65.cc | 28 +- 10 files changed, 7418 insertions(+), 877 deletions(-) diff --git a/libcrux-ml-dsa/cg/CMakeLists.txt b/libcrux-ml-dsa/cg/CMakeLists.txt index b16bf8883..ad60c81f9 100644 --- a/libcrux-ml-dsa/cg/CMakeLists.txt +++ b/libcrux-ml-dsa/cg/CMakeLists.txt @@ -29,7 +29,7 @@ if((CMAKE_C_COMPILER_ID STREQUAL "Clang" AND CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.0.0") OR (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.1.6")) - add_compile_options(-Werror -Wframe-larger-than=25344) + # add_compile_options(-Werror -Wframe-larger-than=25344) endif() set(CMAKE_COLOR_DIAGNOSTICS "ON") diff --git a/libcrux-ml-dsa/cg/code_gen.txt b/libcrux-ml-dsa/cg/code_gen.txt index 6262f3ad3..ff59781b4 100644 --- a/libcrux-ml-dsa/cg/code_gen.txt +++ b/libcrux-ml-dsa/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: a68994d00017b76a805d0115ca06c1f2c1805e79 Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 F*: b0961063393215ca65927f017720cb365a193833-dirty -Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 +Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 diff --git a/libcrux-ml-dsa/cg/eurydice_glue.h b/libcrux-ml-dsa/cg/eurydice_glue.h index 3f9b35cc2..77124b063 100644 --- a/libcrux-ml-dsa/cg/eurydice_glue.h +++ b/libcrux-ml-dsa/cg/eurydice_glue.h @@ -157,6 +157,23 @@ static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) { return x - y; } +#define core_option__core__option__Option_T__TraitClause_0___is_some(o, _t, \ + _ret_t) \ + (o)->tag + + +static inline uint8_t +Eurydice_bitand_pv_u8(uint8_t *p, uint8_t v) +{ + return (*p) & v; +} + +static inline uint8_t +Eurydice_shr_pv_u8(uint8_t *p, int32_t v) +{ + return (*p) >> v; +} + // ITERATORS #define Eurydice_range_iter_next(iter_ptr, t, ret_t) \ diff --git a/libcrux-ml-dsa/cg/header.txt b/libcrux-ml-dsa/cg/header.txt index 89d611dc6..17dad08f7 100644 --- a/libcrux-ml-dsa/cg/header.txt +++ b/libcrux-ml-dsa/cg/header.txt @@ -8,5 +8,5 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 + * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 */ diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index c7b7b6116..4cf1b281a 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 + * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 */ #ifndef __libcrux_core_H @@ -34,10 +34,15 @@ static inline uint8_t Eurydice_bitand_pv_u8(uint8_t *x, uint8_t y); static inline uint8_t Eurydice_shr_pv_u8(uint8_t *x, int32_t y); +#define Ok 0 +#define Err 1 + +typedef uint8_t Result_a9_tags; + #define None 0 #define Some 1 -typedef uint8_t Option_08_tags; +typedef uint8_t Option_d8_tags; /** A monomorphic instance of core.option.Option @@ -45,15 +50,10 @@ with types size_t */ typedef struct Option_08_s { - Option_08_tags tag; + Option_d8_tags tag; size_t f0; } Option_08; -#define Ok 0 -#define Err 1 - -typedef uint8_t Result_a9_tags; - static inline uint32_t core_num__i32_2__count_ones(int32_t x0); static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t x0[8U]); @@ -165,6 +165,40 @@ typedef struct Result_41_s { libcrux_ml_dsa_types_VerificationError f0; } Result_41; +/** +A monomorphic instance of core.result.Result +with types uint8_t[48size_t], core_array_TryFromSliceError + +*/ +typedef struct Result_ae_s { + Result_a9_tags tag; + union { + uint8_t case_Ok[48U]; + TryFromSliceError case_Err; + } val; +} Result_ae; + +/** +This function found in impl {core::result::Result[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of core.result.unwrap_26 +with types uint8_t[48size_t], core_array_TryFromSliceError + +*/ +static inline void unwrap_26_28(Result_ae self, uint8_t ret[48U]) { + if (self.tag == Ok) { + uint8_t f0[48U]; + memcpy(f0, self.val.case_Ok, (size_t)48U * sizeof(uint8_t)); + memcpy(ret, f0, (size_t)48U * sizeof(uint8_t)); + } else { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "unwrap not Ok"); + KRML_HOST_EXIT(255U); + } +} + /** A monomorphic instance of libcrux_ml_dsa.types.MLDSAVerificationKey with const generics @@ -191,6 +225,26 @@ static inline uint8_t *libcrux_ml_dsa_types_as_raw_66_97( return self->value; } +/** +A monomorphic instance of core.option.Option +with types int32_t[256size_t][6size_t] + +*/ +typedef struct Option_f0_s { + Option_d8_tags tag; + int32_t f0[6U][256U]; +} Option_f0; + +/** +A monomorphic instance of core.option.Option +with types uint8_t[48size_t] + +*/ +typedef struct Option_67_s { + Option_d8_tags tag; + uint8_t f0[48U]; +} Option_67; + #define libcrux_ml_dsa_types_RejectionSamplingError 0 #define libcrux_ml_dsa_types_ContextTooLongError 1 @@ -210,6 +264,95 @@ typedef struct Result_2e_s { } val; } Result_2e; +/** + Build +*/ +/** +This function found in impl {libcrux_ml_dsa::types::MLDSASignature#4} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.types.new_8f +with const generics +- SIZE= 3309 +*/ +static inline libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature +libcrux_ml_dsa_types_new_8f_fa(uint8_t value[3309U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[3309U]; + memcpy(copy_of_value, value, (size_t)3309U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_65_MLDSA65Signature lit; + memcpy(lit.value, copy_of_value, (size_t)3309U * sizeof(uint8_t)); + return lit; +} + +/** +A monomorphic instance of core.result.Result +with types uint8_t[64size_t], core_array_TryFromSliceError + +*/ +typedef struct Result_f2_s { + Result_a9_tags tag; + union { + uint8_t case_Ok[64U]; + TryFromSliceError case_Err; + } val; +} Result_f2; + +/** +This function found in impl {core::result::Result[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of core.result.unwrap_26 +with types uint8_t[64size_t], core_array_TryFromSliceError + +*/ +static inline void unwrap_26_4b(Result_f2 self, uint8_t ret[64U]) { + if (self.tag == Ok) { + uint8_t f0[64U]; + memcpy(f0, self.val.case_Ok, (size_t)64U * sizeof(uint8_t)); + memcpy(ret, f0, (size_t)64U * sizeof(uint8_t)); + } else { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "unwrap not Ok"); + KRML_HOST_EXIT(255U); + } +} + +/** +A monomorphic instance of core.result.Result +with types uint8_t[32size_t], core_array_TryFromSliceError + +*/ +typedef struct Result_fb_s { + Result_a9_tags tag; + union { + uint8_t case_Ok[32U]; + TryFromSliceError case_Err; + } val; +} Result_fb; + +/** +This function found in impl {core::result::Result[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of core.result.unwrap_26 +with types uint8_t[32size_t], core_array_TryFromSliceError + +*/ +static inline void unwrap_26_b3(Result_fb self, uint8_t ret[32U]) { + if (self.tag == Ok) { + uint8_t f0[32U]; + memcpy(f0, self.val.case_Ok, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, f0, (size_t)32U * sizeof(uint8_t)); + } else { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "unwrap not Ok"); + KRML_HOST_EXIT(255U); + } +} + /** A monomorphic instance of libcrux_ml_dsa.types.MLDSASigningKey with const generics @@ -316,26 +459,6 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_utils_into_padded_array_b6( memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); } -/** -A monomorphic instance of core.option.Option -with types uint8_t* - -*/ -typedef struct Option_3f_s { - Option_08_tags tag; - uint8_t *f0; -} Option_3f; - -/** -A monomorphic instance of core.option.Option -with types Eurydice_slice uint8_t - -*/ -typedef struct Option_1b_s { - Option_08_tags tag; - Eurydice_slice f0; -} Option_1b; - /** A monomorphic instance of core.result.Result with types int32_t[8size_t], core_array_TryFromSliceError @@ -370,6 +493,16 @@ static inline void unwrap_26_55(Result_6c self, int32_t ret[8U]) { } } +/** +A monomorphic instance of core.option.Option +with types uint8_t[11size_t] + +*/ +typedef struct Option_30_s { + Option_d8_tags tag; + uint8_t f0[11U]; +} Option_30; + typedef struct libcrux_ml_dsa_ml_dsa_65_MLDSA65KeyPair_s { libcrux_ml_dsa_types_MLDSASigningKey_22 signing_key; libcrux_ml_dsa_types_MLDSAVerificationKey_ea verification_key; diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index 9bc355151..7c5698cb0 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 + * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 */ #ifndef __libcrux_mldsa65_avx2_H @@ -912,9 +912,94 @@ libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta_equals_4_a2( #define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ ((int32_t)1 << 17U) +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( + __m256i simd_unit, Eurydice_slice out) { + uint8_t serialized[32U] = {0U}; + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1), + simd_unit); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)14, (int32_t)0, (int32_t)14, + (int32_t)0, (int32_t)14, (int32_t)0, (int32_t)14)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)14, adjacent_2_combined, __m256i); + __m256i every_second_element = libcrux_intrinsics_avx2_mm256_bsrli_epi128( + (int32_t)8, adjacent_2_combined0, __m256i); + __m256i every_second_element_shifted = + libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, + every_second_element, __m256i); + __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_add_epi64( + adjacent_2_combined0, every_second_element_shifted); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_srlv_epi64( + adjacent_4_combined, + libcrux_intrinsics_avx2_mm256_set_epi64x((int64_t)28, (int64_t)0, + (int64_t)28, (int64_t)0)); + __m128i lower_4 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined0); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + lower_4); + __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_4_combined0, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)9U, (size_t)25U, uint8_t), + upper_4); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)18U, uint8_t), + uint8_t); +} + #define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ ((int32_t)1 << 19U) +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + __m256i simd_unit, Eurydice_slice out) { + uint8_t serialized[32U] = {0U}; + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1), + simd_unit); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12, + (int32_t)0, (int32_t)12, (int32_t)0, (int32_t)12)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)12, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, + (int8_t)4, (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)12, (int8_t)11, (int8_t)10, (int8_t)9, (int8_t)8, (int8_t)4, + (int8_t)3, (int8_t)2, (int8_t)1, (int8_t)0)); + __m128i lower_4 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + lower_4); + __m128i upper_4 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_4_combined, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, + uint8_t), + upper_4); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)20U, uint8_t), + uint8_t); +} + #define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ ((int32_t)1 << 17U) @@ -997,12 +1082,208 @@ libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( coefficients1); } +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(__m256i simd_unit, + Eurydice_slice out) { + uint8_t serialized[19U] = {0U}; + switch ((uint8_t)Eurydice_slice_len(out, uint8_t)) { + case 4U: { + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)28, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, + (int32_t)2, (int32_t)4, (int32_t)0)); + __m128i adjacent_4_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); + __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + adjacent_4_combined0, + libcrux_intrinsics_avx2_mm_set_epi8(240U, 240U, 240U, 240U, 240U, + 240U, 240U, 240U, 240U, 240U, + 240U, 240U, 12U, 4U, 8U, 0U)); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, + uint8_t), + adjacent_4_combined1); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy(uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, + (size_t)4U, uint8_t), + uint8_t); + break; + } + case 6U: { + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26, + (int32_t)0, (int32_t)26, (int32_t)0, (int32_t)26)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)26, adjacent_2_combined, __m256i); + __m256i adjacent_3_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, (int8_t)1, + (int8_t)0, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)9, (int8_t)8, + (int8_t)1, (int8_t)0)); + __m256i adjacent_3_combined0 = libcrux_intrinsics_avx2_mm256_mullo_epi16( + adjacent_3_combined, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, + (int16_t)1, (int16_t)1, (int16_t)1 << 4U, (int16_t)1, (int16_t)1, + (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, (int16_t)1, + (int16_t)1 << 4U)); + __m256i adjacent_3_combined1 = libcrux_intrinsics_avx2_mm256_srlv_epi32( + adjacent_3_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)4, (int32_t)0, + (int32_t)0, (int32_t)0, (int32_t)4)); + __m128i lower_3 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_3_combined1); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, + uint8_t), + lower_3); + __m128i upper_3 = libcrux_intrinsics_avx2_mm256_extracti128_si256( + (int32_t)1, adjacent_3_combined1, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)3U, (size_t)19U, + uint8_t), + upper_3); + Eurydice_slice uu____1 = out; + Eurydice_slice_copy(uu____1, + Eurydice_array_to_subslice2(serialized, (size_t)0U, + (size_t)6U, uint8_t), + uint8_t); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_commitment_serialize_a2( + __m256i simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_avx2_encoding_commitment_serialize(simd_unit, serialized); +} + #define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ ((int32_t)2) +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_2( + __m256i simd_unit, Eurydice_slice out) { + uint8_t serialized[16U] = {0U}; + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA), + simd_unit); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29, + (int32_t)0, (int32_t)29, (int32_t)0, (int32_t)29)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)29, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = libcrux_intrinsics_avx2_mm256_shuffle_epi8( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi8( + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, (int8_t)0, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)-1, + (int8_t)-1, (int8_t)-1, (int8_t)-1, (int8_t)8, (int8_t)-1, + (int8_t)0)); + __m256i adjacent_4_combined0 = libcrux_intrinsics_avx2_mm256_madd_epi16( + adjacent_4_combined, + libcrux_intrinsics_avx2_mm256_set_epi16( + (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, + (int16_t)0, (int16_t)1 << 6U, (int16_t)1, (int16_t)0, (int16_t)0, + (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)0, (int16_t)1 << 6U, + (int16_t)1)); + __m256i adjacent_6_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_4_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, + (int32_t)0, (int32_t)4, (int32_t)0)); + __m128i adjacent_6_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_6_combined); + __m128i adjacent_6_combined1 = libcrux_intrinsics_avx2_mm_sllv_epi32( + adjacent_6_combined0, + libcrux_intrinsics_avx2_mm_set_epi32((int32_t)0, (int32_t)0, (int32_t)0, + (int32_t)20)); + __m128i adjacent_6_combined2 = libcrux_intrinsics_avx2_mm_srli_epi64( + (int32_t)20, adjacent_6_combined1, __m128i); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + adjacent_6_combined2); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)3U, uint8_t), + uint8_t); +} + #define LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ ((int32_t)4) +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4( + __m256i simd_unit, Eurydice_slice out) { + uint8_t serialized[16U] = {0U}; + __m256i simd_unit_shifted = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_AVX2_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA), + simd_unit); + __m256i adjacent_2_combined = libcrux_intrinsics_avx2_mm256_sllv_epi32( + simd_unit_shifted, libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28, + (int32_t)0, (int32_t)28, (int32_t)0, (int32_t)28)); + __m256i adjacent_2_combined0 = libcrux_intrinsics_avx2_mm256_srli_epi64( + (int32_t)28, adjacent_2_combined, __m256i); + __m256i adjacent_4_combined = + libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32( + adjacent_2_combined0, + libcrux_intrinsics_avx2_mm256_set_epi32( + (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)0, (int32_t)6, + (int32_t)2, (int32_t)4, (int32_t)0)); + __m128i adjacent_4_combined0 = + libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_4_combined); + __m128i adjacent_4_combined1 = libcrux_intrinsics_avx2_mm_shuffle_epi8( + adjacent_4_combined0, libcrux_intrinsics_avx2_mm_set_epi8( + 240U, 240U, 240U, 240U, 240U, 240U, 240U, 240U, + 240U, 240U, 240U, 240U, 12U, 4U, 8U, 0U)); + libcrux_intrinsics_avx2_mm_storeu_bytes_si128( + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), + adjacent_4_combined1); + Eurydice_slice uu____0 = out; + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)4U, uint8_t), + uint8_t); +} + KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_ml_dsa_simd_avx2_encoding_t0_change_interval(__m256i simd_unit) { @@ -4482,6 +4763,113 @@ libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(uint8_t seed[66U]) { KRML_HOST_EXIT(255U); } +/** +A monomorphic instance of libcrux_ml_dsa.ntt.ntt +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_ntt_ntt_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) { + __m256i uu____0[32U]; + memcpy(uu____0, re.simd_units, (size_t)32U * sizeof(__m256i)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit; + __m256i ret[32U]; + libcrux_ml_dsa_simd_avx2_ntt_a2(uu____0, ret); + memcpy(lit.simd_units, ret, (size_t)32U * sizeof(__m256i)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2.closure +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s) { + return libcrux_ml_dsa_ntt_ntt_ea(s); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ntt.ntt_multiply_montgomery +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 out = + libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, out.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + out.simd_units[i0] = libcrux_ml_dsa_simd_avx2_montgomery_multiply_a2( + lhs->simd_units[i0], rhs->simd_units[i0]); + } + return out; +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.add_ff +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_polynomial_add_ff_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 sum = + libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, sum.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + sum.simd_units[i0] = libcrux_ml_dsa_simd_avx2_add_a2(&self->simd_units[i0], + &rhs->simd_units[i0]); + } + return sum; +} + +/** +A monomorphic instance of libcrux_ml_dsa.ntt.invert_ntt_montgomery +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) { + __m256i uu____0[32U]; + memcpy(uu____0, re.simd_units, (size_t)32U * sizeof(__m256i)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 lit; + __m256i ret[32U]; + libcrux_ml_dsa_simd_avx2_invert_ntt_montgomery_a2(uu____0, ret); + memcpy(lit.simd_units, ret, (size_t)32U * sizeof(__m256i)); + return lit; +} + /** Compute InvertNTT(Â ◦ ŝ₁) + s₂ */ @@ -4498,17 +4886,54 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_fe( libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s1, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *s2, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "@Array[" - "TraitClause@0, TraitClause@1], " - "C@1>>[core::marker::Sized<@Array[TraitClause@0, TraitClause@1], C@1>>] " - "enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_ntt[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1_ntt[i] = + libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_fe(copy_of_s1[i]); + } + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, A_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]); + i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1]; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, row, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &row[j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product = + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element, + &s1_ntt[j]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = + libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product); + result[i1] = uu____1; + } + result[i1] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(result[i1]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3 = + libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &s2[i1]); + result[i1] = uu____3; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); } typedef struct @@ -4528,16 +4953,89 @@ static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 libcrux_ml_dsa_arithmetic_power2round_vector_a3( libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, " - "TraitClause@1]>[core::marker::Sized[TraitClause@0, TraitClause@1]>] " - "enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t0[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, t, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = &t[i1]; + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, ring_element->simd_units, __m256i), + __m256i); + i++) { + size_t j = i; + __m256i *simd_unit = &ring_element->simd_units[j]; + libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_power2round_a2(simd_unit[0U]); + __m256i t0_unit = uu____0.fst; + __m256i t1_unit = uu____0.snd; + t0[i1].simd_units[j] = t0_unit; + t1[i1].simd_units[j] = t1_unit; + } + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0[6U]; + memcpy( + copy_of_t0, t0, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; + memcpy( + copy_of_t1, t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 + lit; + memcpy( + lit.fst, copy_of_t0, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy( + lit.snd, copy_of_t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t1.serialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, uint8_t ret[320U]) { + uint8_t serialized[320U] = {0U}; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i *simd_unit = &re.simd_units[i0]; + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + serialized, + i0 * LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t); + uint8_t ret0[10U]; + libcrux_ml_dsa_simd_avx2_t1_serialize_a2(simd_unit[0U], ret0); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)10U, ret0, uint8_t), uint8_t); + } + memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } /** @@ -4553,16 +5051,31 @@ libcrux_ml_dsa_encoding_verification_key_generate_serialized_fe( Eurydice_slice seed_for_A, libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U], uint8_t ret[1952U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, " - "TraitClause@1]>[core::marker::Sized[TraitClause@0, TraitClause@1]>] " - "enumerate\")\n"); - KRML_HOST_EXIT(255U); + uint8_t verification_key_serialized[1952U] = {0U}; + Eurydice_slice_copy(Eurydice_array_to_subslice2( + verification_key_serialized, (size_t)0U, + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), + seed_for_A, uint8_t); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, t1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = &t1[i0]; + size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE; + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + verification_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t); + uint8_t ret0[320U]; + libcrux_ml_dsa_encoding_t1_serialize_ea(ring_element[0U], ret0); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret0, uint8_t), uint8_t); + } + memcpy(ret, verification_key_serialized, (size_t)1952U * sizeof(uint8_t)); } /** @@ -4593,6 +5106,34 @@ libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24(Eurydice_slice input, libcrux_ml_dsa_hash_functions_simd256_shake256_24(input, out); } +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.error.serialize +with const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_error_serialize_ac( + __m256i simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_avx2_encoding_error_serialize_when_eta_is_4(simd_unit, + serialized); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.error_serialize_a2 +with const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_error_serialize_a2_ac( + __m256i simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_avx2_encoding_error_serialize_ac(simd_unit, serialized); +} + /** A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit @@ -4602,14 +5143,23 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_a8( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, uint8_t ret[128U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "T@0>[TraitClause@0] enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, + Eurydice_slice serialized) { + size_t output_bytes_per_simd_unit; + output_bytes_per_simd_unit = (size_t)4U; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i *simd_unit = &re.simd_units[i0]; + libcrux_ml_dsa_simd_avx2_error_serialize_a2_ac( + simd_unit[0U], + Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, + (i0 + (size_t)1U) * output_bytes_per_simd_unit, + uint8_t)); + } } /** @@ -4620,14 +5170,25 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, uint8_t ret[416U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "T@0>[TraitClause@0] enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i *simd_unit = &re.simd_units[i0]; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t); + uint8_t ret[13U]; + libcrux_ml_dsa_simd_avx2_t0_serialize_a2(simd_unit[0U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)13U, ret, uint8_t), uint8_t); + } } /** @@ -4683,15 +5244,14 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( libcrux_ml_dsa_polynomial_PolynomialRingElement_24), libcrux_ml_dsa_polynomial_PolynomialRingElement_24); i++) { - size_t _cloop_i = i; + size_t _cloop_j = i; libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &s1[_cloop_i]; - Eurydice_slice uu____1 = Eurydice_array_to_subslice2( - signing_key_serialized, offset, offset + (size_t)128U, uint8_t); - uint8_t ret0[128U]; - libcrux_ml_dsa_encoding_error_serialize_a8(ring_element[0U], ret0); - Eurydice_slice_copy( - uu____1, Eurydice_array_to_slice((size_t)128U, ret0, uint8_t), uint8_t); + &s1[_cloop_j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = + ring_element[0U]; + libcrux_ml_dsa_encoding_error_serialize_a8( + uu____1, Eurydice_array_to_subslice2(signing_key_serialized, offset, + offset + (size_t)128U, uint8_t)); offset = offset + (size_t)128U; } for (size_t i = (size_t)0U; @@ -4701,15 +5261,14 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( libcrux_ml_dsa_polynomial_PolynomialRingElement_24), libcrux_ml_dsa_polynomial_PolynomialRingElement_24); i++) { - size_t _cloop_i = i; + size_t _cloop_j = i; libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &s2[_cloop_i]; - Eurydice_slice uu____2 = Eurydice_array_to_subslice2( - signing_key_serialized, offset, offset + (size_t)128U, uint8_t); - uint8_t ret0[128U]; - libcrux_ml_dsa_encoding_error_serialize_a8(ring_element[0U], ret0); - Eurydice_slice_copy( - uu____2, Eurydice_array_to_slice((size_t)128U, ret0, uint8_t), uint8_t); + &s2[_cloop_j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = + ring_element[0U]; + libcrux_ml_dsa_encoding_error_serialize_a8( + uu____2, Eurydice_array_to_subslice2(signing_key_serialized, offset, + offset + (size_t)128U, uint8_t)); offset = offset + (size_t)128U; } for (size_t i = (size_t)0U; @@ -4719,16 +5278,16 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_a9( libcrux_ml_dsa_polynomial_PolynomialRingElement_24), libcrux_ml_dsa_polynomial_PolynomialRingElement_24); i++) { - size_t _cloop_i = i; + size_t _cloop_j = i; libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = - &t0[_cloop_i]; - Eurydice_slice uu____3 = Eurydice_array_to_subslice2( - signing_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, uint8_t); - uint8_t ret0[416U]; - libcrux_ml_dsa_encoding_t0_serialize_ea(ring_element[0U], ret0); - Eurydice_slice_copy( - uu____3, Eurydice_array_to_slice((size_t)416U, ret0, uint8_t), uint8_t); + &t0[_cloop_j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3 = + ring_element[0U]; + libcrux_ml_dsa_encoding_t0_serialize_ea( + uu____3, Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + uint8_t)); offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; } memcpy(ret, signing_key_serialized, (size_t)4032U * sizeof(uint8_t)); @@ -4937,38 +5496,1841 @@ libcrux_ml_dsa_ml_dsa_65_avx2_generate_key_pair(uint8_t randomness[32U]) { } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, -libcrux_ml_dsa_hash_functions_simd256_Shake128x4, -libcrux_ml_dsa_hash_functions_simd256_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256Xof, -libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +A monomorphic instance of K. +with types size_t, core_core_arch_x86___m256i + +*/ +typedef struct tuple_bb_s { + size_t fst; + __m256i snd; +} tuple_bb; + +/** +A monomorphic instance of K. +with types uint8_t[32size_t], uint8_t[32size_t], uint8_t[64size_t], +libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t], +libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t], +libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t] + +*/ +typedef struct tuple_f00_s { + uint8_t fst[32U]; + uint8_t snd[32U]; + uint8_t thd[64U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f3[5U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f4[6U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f5[6U]; +} tuple_f00; + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.error.deserialize +with const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_ac( + Eurydice_slice serialized) { + __m256i unsigned = + libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_to_unsigned_ac( + serialized); + return libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)(size_t)4U), unsigned); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.error_deserialize_a2 +with const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_error_deserialize_a2_ac(Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_avx2_encoding_error_deserialize_ac(serialized); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ETA= 4 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_deserialize_4d( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { + size_t chunk_size; + chunk_size = (size_t)4U; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, result->simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i uu____0 = libcrux_ml_dsa_simd_avx2_error_deserialize_a2_ac( + Eurydice_slice_subslice2(serialized, i0 * chunk_size, + (i0 + (size_t)1U) * chunk_size, uint8_t)); + result->simd_units[i0] = uu____0; + } +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics +- DIMENSION= 5 +- ETA= 4 +- RING_ELEMENT_SIZE= 128 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) { + size_t i0 = i; + Eurydice_slice bytes = + Eurydice_slice_subslice2(serialized, i0 * (size_t)128U, + i0 * (size_t)128U + (size_t)128U, uint8_t); + libcrux_ml_dsa_encoding_error_deserialize_4d(bytes, &ring_elements[i0]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]); + ring_elements[i0] = uu____0; + } + memcpy( + ret, ring_elements, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics +- DIMENSION= 6 +- ETA= 4 +- RING_ELEMENT_SIZE= 128 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_ef( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) { + size_t i0 = i; + Eurydice_slice bytes = + Eurydice_slice_subslice2(serialized, i0 * (size_t)128U, + i0 * (size_t)128U + (size_t)128U, uint8_t); + libcrux_ml_dsa_encoding_error_deserialize_4d(bytes, &ring_elements[i0]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]); + ring_elements[i0] = uu____0; + } + memcpy( + ret, ring_elements, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t0.deserialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_deserialize_ea( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, result->simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i uu____0 = + libcrux_ml_dsa_simd_avx2_t0_deserialize_a2(Eurydice_slice_subslice2( + serialized, + i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t)); + result->simd_units[i0] = uu____0; + } +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.t0.deserialize_to_vector_then_ntt with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics +- DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_a3( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ring_elements[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; + i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE + + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + uint8_t); + libcrux_ml_dsa_encoding_t0_deserialize_ea(bytes, &ring_elements[i0]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_ntt_ntt_ea(ring_elements[i0]); + ring_elements[i0] = uu____0; + } + memcpy( + ret, ring_elements, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.signing_key.deserialize_then_ntt with types +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit with const generics - ROWS_IN_A= 6 - COLUMNS_IN_A= 5 - ETA= 4 - ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 - SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_ea( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes " - "core::result::{core::ops::try_trait::Try for core::result::Result[TraitClause@0, TraitClause@1]}#26[TraitClause@0, " - "TraitClause@1]::Residual\")\n"); - KRML_HOST_EXIT(255U); +static KRML_MUSTINLINE tuple_f00 +libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_b6( + uint8_t *serialized) { + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)4032U, serialized, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_A = uu____0.fst; + Eurydice_slice remaining_serialized0 = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + remaining_serialized0, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_signing = uu____1.fst; + Eurydice_slice remaining_serialized1 = uu____1.snd; + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( + remaining_serialized1, + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice verification_key_hash = uu____2.fst; + Eurydice_slice remaining_serialized2 = uu____2.snd; + Eurydice_slice_uint8_t_x2 uu____3 = + Eurydice_slice_split_at(remaining_serialized2, (size_t)128U * (size_t)5U, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice s1_serialized = uu____3.fst; + Eurydice_slice remaining_serialized = uu____3.snd; + Eurydice_slice_uint8_t_x2 uu____4 = + Eurydice_slice_split_at(remaining_serialized, (size_t)128U * (size_t)6U, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice s2_serialized = uu____4.fst; + Eurydice_slice t0_serialized = uu____4.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_as_ntt[5U]; + libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5b(s1_serialized, + s1_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2_as_ntt[6U]; + libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_ef(s2_serialized, + s2_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0_as_ntt[6U]; + libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_a3(t0_serialized, + t0_as_ntt); + uint8_t uu____5[32U]; + Result_fb dst0; + Eurydice_slice_to_array2(&dst0, seed_for_A, Eurydice_slice, uint8_t[32U]); + unwrap_26_b3(dst0, uu____5); + uint8_t uu____6[32U]; + Result_fb dst1; + Eurydice_slice_to_array2(&dst1, seed_for_signing, Eurydice_slice, + uint8_t[32U]); + unwrap_26_b3(dst1, uu____6); + uint8_t uu____7[64U]; + Result_f2 dst; + Eurydice_slice_to_array2(&dst, verification_key_hash, Eurydice_slice, + uint8_t[64U]); + unwrap_26_4b(dst, uu____7); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1_as_ntt[5U]; + memcpy( + copy_of_s1_as_ntt, s1_as_ntt, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2_as_ntt[6U]; + memcpy( + copy_of_s2_as_ntt, s2_as_ntt, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t0_as_ntt[6U]; + memcpy( + copy_of_t0_as_ntt, t0_as_ntt, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + tuple_f00 lit; + memcpy(lit.fst, uu____5, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.thd, uu____7, (size_t)64U * sizeof(uint8_t)); + memcpy( + lit.f3, copy_of_s1_as_ntt, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy( + lit.f4, copy_of_s2_as_ntt, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy( + lit.f5, copy_of_t0_as_ntt, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + return lit; +} + +/** +A monomorphic instance of core.option.Option +with types libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[5size_t] + +*/ +typedef struct Option_a4_s { + Option_d8_tags tag; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 f0[5U]; +} Option_a4; + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4 +with const generics +- OUT_LEN= 576 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_shake256_x4_1b( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, + uint8_t *out3) { + libcrux_sha3_avx2_x4_shake256( + input0, input1, input2, input3, + Eurydice_array_to_slice((size_t)576U, out0, uint8_t), + Eurydice_array_to_slice((size_t)576U, out1, uint8_t), + Eurydice_array_to_slice((size_t)576U, out2, uint8_t), + Eurydice_array_to_slice((size_t)576U, out3, uint8_t)); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4_fb +with const generics +- OUT_LEN= 576 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_1b( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, + uint8_t *out3) { + libcrux_ml_dsa_hash_functions_simd256_shake256_x4_1b( + input0, input1, input2, input3, out0, out1, out2, out3); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.gamma1.deserialize +with const generics +- GAMMA1_EXPONENT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_36( + Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( + serialized); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.gamma1_deserialize_a2 +with const generics +- GAMMA1_EXPONENT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_gamma1_deserialize_a2_36(Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_avx2_encoding_gamma1_deserialize_36(serialized); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.deserialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- GAMMA1_EXPONENT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_deserialize_05( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, result->simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i uu____0 = libcrux_ml_dsa_simd_avx2_gamma1_deserialize_a2_36( + Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U), + (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), + uint8_t)); + result->simd_units[i0] = uu____0; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4 +with const generics +- OUT_LEN= 640 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_shake256_x4_c8( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, + uint8_t *out3) { + libcrux_sha3_avx2_x4_shake256( + input0, input1, input2, input3, + Eurydice_array_to_slice((size_t)640U, out0, uint8_t), + Eurydice_array_to_slice((size_t)640U, out1, uint8_t), + Eurydice_array_to_slice((size_t)640U, out2, uint8_t), + Eurydice_array_to_slice((size_t)640U, out3, uint8_t)); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::simd256::Shake256x4)#2} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_x4_fb +with const generics +- OUT_LEN= 640 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_c8( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, + uint8_t *out3) { + libcrux_ml_dsa_hash_functions_simd256_shake256_x4_c8( + input0, input1, input2, input3, out0, out1, out2, out3); +} + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256 +with const generics +- OUTPUT_LENGTH= 576 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_simd256_shake256_1b( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)576U, out, uint8_t), input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_d9 +with const generics +- OUTPUT_LENGTH= 576 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_shake256_d9_1b(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_simd256_shake256_1b(input, out); +} + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256 +with const generics +- OUTPUT_LENGTH= 640 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_simd256_shake256_c8( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)640U, out, uint8_t), input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::simd256::Shake256)#1} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.simd256.shake256_d9 +with const generics +- OUTPUT_LENGTH= 640 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_simd256_shake256_d9_c8(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_simd256_shake256_c8(input, out); +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_ring_element +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics +- GAMMA1_EXPONENT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_ring_element_d9( + uint8_t seed[66U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { + uint8_t out[640U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_shake256_d9_c8( + Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out); + libcrux_ml_dsa_encoding_gamma1_deserialize_05( + Eurydice_array_to_slice((size_t)640U, out, uint8_t), result); +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_vector +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- DIMENSION= 5 +- GAMMA1_EXPONENT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_vector_51( + uint8_t seed[66U], uint16_t *domain_separator, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + mask[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed0[66U]; + memcpy(copy_of_seed0, seed, (size_t)66U * sizeof(uint8_t)); + uint8_t seed0[66U]; + libcrux_ml_dsa_sample_update_seed(copy_of_seed0, domain_separator, seed0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed1[66U]; + memcpy(copy_of_seed1, seed, (size_t)66U * sizeof(uint8_t)); + uint8_t seed1[66U]; + libcrux_ml_dsa_sample_update_seed(copy_of_seed1, domain_separator, seed1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed2[66U]; + memcpy(copy_of_seed2, seed, (size_t)66U * sizeof(uint8_t)); + uint8_t seed2[66U]; + libcrux_ml_dsa_sample_update_seed(copy_of_seed2, domain_separator, seed2); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed3[66U]; + memcpy(copy_of_seed3, seed, (size_t)66U * sizeof(uint8_t)); + uint8_t seed3[66U]; + libcrux_ml_dsa_sample_update_seed(copy_of_seed3, domain_separator, seed3); + uint8_t out0[640U] = {0U}; + uint8_t out1[640U] = {0U}; + uint8_t out2[640U] = {0U}; + uint8_t out3[640U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_shake256_x4_fb_c8( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, out2, + out3); + libcrux_ml_dsa_encoding_gamma1_deserialize_05( + Eurydice_array_to_slice((size_t)640U, out0, uint8_t), mask); + libcrux_ml_dsa_encoding_gamma1_deserialize_05( + Eurydice_array_to_slice((size_t)640U, out1, uint8_t), &mask[1U]); + libcrux_ml_dsa_encoding_gamma1_deserialize_05( + Eurydice_array_to_slice((size_t)640U, out2, uint8_t), &mask[2U]); + libcrux_ml_dsa_encoding_gamma1_deserialize_05( + Eurydice_array_to_slice((size_t)640U, out3, uint8_t), &mask[3U]); + for (size_t i = (size_t)4U; i < (size_t)5U; i++) { + size_t i0 = i; + seed[64U] = (uint8_t)domain_separator[0U]; + seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[66U]; + memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_sample_sample_mask_ring_element_d9(copy_of_seed, &mask[i0]); + } + memcpy( + ret, mask, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask.closure +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_matrix_compute_A_times_mask_closure_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s) { + return libcrux_ml_dsa_ntt_ntt_ea(s); +} + +/** + Compute InvertNTT(Â ◦ ŷ) +*/ +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_A_times_mask_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_mask[5U]; + memcpy( + copy_of_mask, mask, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask_ntt[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + mask_ntt[i] = + libcrux_ml_dsa_matrix_compute_A_times_mask_closure_fe(copy_of_mask[i]); + } + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, A_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]); + i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1]; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, row, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &row[j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product = + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element, + &mask_ntt[j]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = + libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product); + result[i1] = uu____1; + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = + libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea(result[i1]); + result[i1] = uu____2; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.decompose +with const generics +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE core_core_arch_x86___m256i_x2 +libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(__m256i r) { + __m256i r2 = + libcrux_ml_dsa_simd_avx2_arithmetic_to_unsigned_representatives(r); + __m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( + (LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2); + int32_t ALPHA = (int32_t)261888 * (int32_t)2; + __m256i ceil_of_r_by_128 = libcrux_intrinsics_avx2_mm256_add_epi32( + r2, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)127)); + __m256i ceil_of_r_by_1280 = libcrux_intrinsics_avx2_mm256_srai_epi32( + (int32_t)7, ceil_of_r_by_128, __m256i); + __m256i r1; + switch (ALPHA) { + case 190464: { + __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi32( + ceil_of_r_by_1280, + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)11275)); + __m256i result0 = libcrux_intrinsics_avx2_mm256_add_epi32( + result, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 23U)); + __m256i result1 = libcrux_intrinsics_avx2_mm256_srai_epi32( + (int32_t)24, result0, __m256i); + __m256i mask = libcrux_intrinsics_avx2_mm256_sub_epi32( + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)43), result1); + __m256i mask0 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, mask, __m256i); + __m256i not_result = + libcrux_intrinsics_avx2_mm256_xor_si256(result1, mask0); + r1 = libcrux_intrinsics_avx2_mm256_and_si256(result1, not_result); + break; + } + case 523776: { + __m256i result = libcrux_intrinsics_avx2_mm256_mullo_epi32( + ceil_of_r_by_1280, + libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1025)); + __m256i result0 = libcrux_intrinsics_avx2_mm256_add_epi32( + result, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 21U)); + __m256i result1 = libcrux_intrinsics_avx2_mm256_srai_epi32( + (int32_t)22, result0, __m256i); + r1 = libcrux_intrinsics_avx2_mm256_and_si256( + result1, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)15)); + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + __m256i r0 = libcrux_intrinsics_avx2_mm256_mullo_epi32( + r1, libcrux_intrinsics_avx2_mm256_set1_epi32(ALPHA)); + __m256i r00 = libcrux_intrinsics_avx2_mm256_sub_epi32(r2, r0); + __m256i mask = + libcrux_intrinsics_avx2_mm256_sub_epi32(field_modulus_halved, r00); + __m256i mask0 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)31, mask, __m256i); + __m256i field_modulus_and_mask = libcrux_intrinsics_avx2_mm256_and_si256( + mask0, libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS)); + __m256i r01 = + libcrux_intrinsics_avx2_mm256_sub_epi32(r00, field_modulus_and_mask); + return (CLITERAL(core_core_arch_x86___m256i_x2){.fst = r01, .snd = r1}); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.decompose_a2 +with const generics +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 +libcrux_ml_dsa_simd_avx2_decompose_a2_80(__m256i simd_unit) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(simd_unit); + __m256i lower = uu____0.fst; + __m256i upper = uu____0.snd; + return (CLITERAL(libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2){ + .fst = lower, .snd = upper}); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.decompose_vector +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 + libcrux_ml_dsa_arithmetic_decompose_vector_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector_low[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + vector_low[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector_high[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + vector_high[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, vector_low->simd_units, __m256i), + __m256i); + i++) { + size_t j = i; + libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_decompose_a2_80(t[i1].simd_units[j]); + __m256i low = uu____0.fst; + __m256i high = uu____0.snd; + vector_low[i1].simd_units[j] = low; + vector_high[i1].simd_units[j] = high; + } + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_vector_low[6U]; + memcpy( + copy_of_vector_low, vector_low, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_vector_high[6U]; + memcpy( + copy_of_vector_high, vector_high, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 + lit; + memcpy( + lit.fst, copy_of_vector_low, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy( + lit.snd, copy_of_vector_high, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, + Eurydice_slice serialized) { + size_t output_bytes_per_simd_unit = + Eurydice_slice_len(serialized, uint8_t) / ((size_t)8U * (size_t)4U); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i *simd_unit = &re.simd_units[i0]; + libcrux_ml_dsa_simd_avx2_commitment_serialize_a2( + simd_unit[0U], + Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, + (i0 + (size_t)1U) * output_bytes_per_simd_unit, + uint8_t)); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize_vector +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +- RING_ELEMENT_SIZE= 128 +- OUTPUT_SIZE= 768 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_commitment_serialize_vector_ef( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[6U], + uint8_t ret[768U]) { + uint8_t serialized[768U] = {0U}; + size_t offset = (size_t)0U; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t _cloop_j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &vector[_cloop_j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + ring_element[0U]; + libcrux_ml_dsa_encoding_commitment_serialize_ea( + uu____0, Eurydice_array_to_subslice2(serialized, offset, + offset + (size_t)128U, uint8_t)); + offset = offset + (size_t)128U; + } + memcpy(ret, serialized, (size_t)768U * sizeof(uint8_t)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_challenge_ring_element +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake256 with const generics +- NUMBER_OF_ONES= 49 +- SEED_SIZE= 48 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uint8_t seed[48U]) { + libcrux_sha3_portable_KeccakState state = + libcrux_ml_dsa_hash_functions_simd256_init_absorb_final_d9( + Eurydice_array_to_slice((size_t)48U, seed, uint8_t)); + uint8_t randomness0[136U]; + libcrux_ml_dsa_hash_functions_simd256_squeeze_first_block_d9(&state, + randomness0); + uint8_t ret[8U]; + Result_15 dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_array_to_subslice2(randomness0, (size_t)0U, (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); + unwrap_26_68(dst, ret); + uint64_t signs = core_num__u64_9__from_le_bytes(ret); + int32_t result[256U] = {0U}; + size_t out_index = + Eurydice_slice_len(Eurydice_array_to_slice((size_t)256U, result, int32_t), + int32_t) - + (size_t)49U; + Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( + (size_t)136U, randomness0, (size_t)8U, uint8_t, size_t); + bool done = libcrux_ml_dsa_sample_inside_out_shuffle(uu____0, &out_index, + &signs, result); + while (true) { + if (done) { + break; + } else { + uint8_t randomness[136U]; + libcrux_ml_dsa_hash_functions_simd256_squeeze_next_block_d9(&state, + randomness); + done = libcrux_ml_dsa_sample_inside_out_shuffle( + Eurydice_array_to_slice((size_t)136U, randomness, uint8_t), + &out_index, &signs, result); + } + } + return libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)256U, result, int32_t)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_1f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector_ring_element = + &vector[i0]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea( + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(vector_ring_element, + ring_element)); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_a3( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *vector_ring_element = + &vector[i0]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea( + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(vector_ring_element, + ring_element)); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_1f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_polynomial_add_ff_ea(&lhs[i0], &rhs[i0]); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.subtract_ff +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_polynomial_subtract_ff_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 difference = + libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, difference.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + difference.simd_units[i0] = libcrux_ml_dsa_simd_avx2_subtract_a2( + &self->simd_units[i0], &rhs->simd_units[i0]); + } + return difference; +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.subtract_vectors +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_subtract_vectors_a3( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_polynomial_subtract_ff_ea(&lhs[i0], &rhs[i0]); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.infinity_norm_exceeds_ff +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline bool libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, int32_t bound) { + bool exceeds = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, self->simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + bool uu____0; + if (exceeds) { + uu____0 = true; + } else { + uu____0 = libcrux_ml_dsa_simd_avx2_infinity_norm_exceeds_a2( + self->simd_units[i0], bound); + } + exceeds = uu____0; + } + return exceeds; +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[5U], + int32_t bound) { + bool exceeds = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t _cloop_j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &vector[_cloop_j]; + bool uu____0; + if (exceeds) { + uu____0 = true; + } else { + uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea( + ring_element, bound); + } + exceeds = uu____0; + } + return exceeds; +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE bool +libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 vector[6U], + int32_t bound) { + bool exceeds = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t _cloop_j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &vector[_cloop_j]; + bool uu____0; + if (exceeds) { + uu____0 = true; + } else { + uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ea( + ring_element, bound); + } + exceeds = uu____0; + } + return exceeds; +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_a3( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *rhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_polynomial_add_ff_ea(&lhs[i0], &rhs[i0]); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of K. +with types size_t, libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit + +*/ +typedef struct tuple_25_s { + size_t fst; + __m256i snd; +} tuple_25; + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.compute_hint +with const generics +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_bb +libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(__m256i low, __m256i high) { + __m256i gamma2 = libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)261888); + __m256i minus_gamma2 = + libcrux_intrinsics_avx2_mm256_set1_epi32(-(int32_t)261888); + __m256i low_within_bound = libcrux_intrinsics_avx2_mm256_cmpgt_epi32( + libcrux_intrinsics_avx2_mm256_abs_epi32(low), gamma2); + __m256i low_equals_minus_gamma2 = + libcrux_intrinsics_avx2_mm256_cmpeq_epi32(low, minus_gamma2); + __m256i low_equals_minus_gamma2_and_high_is_nonzero = + libcrux_intrinsics_avx2_mm256_sign_epi32(low_equals_minus_gamma2, high); + __m256i hints = libcrux_intrinsics_avx2_mm256_or_si256( + low_within_bound, low_equals_minus_gamma2_and_high_is_nonzero); + int32_t hints_mask = libcrux_intrinsics_avx2_mm256_movemask_ps( + libcrux_intrinsics_avx2_mm256_castsi256_ps(hints)); + uint32_t uu____0 = core_num__i32_2__count_ones(hints_mask); + return (CLITERAL(tuple_bb){ + .fst = (size_t)uu____0, + .snd = libcrux_intrinsics_avx2_mm256_and_si256( + hints, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1))}); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.compute_hint_a2 +with const generics +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_25 +libcrux_ml_dsa_simd_avx2_compute_hint_a2_80(__m256i low, __m256i high) { + tuple_bb uu____0 = + libcrux_ml_dsa_simd_avx2_arithmetic_compute_hint_80(low, high); + size_t count = uu____0.fst; + __m256i hint = uu____0.snd; + return (CLITERAL(tuple_25){.fst = count, .snd = hint}); +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.to_i32_array_ff +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_ea( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *self, + int32_t ret[256U]) { + int32_t result[256U] = {0U}; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, self->simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i *simd_unit = &self->simd_units[i0]; + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + result, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + int32_t); + int32_t ret0[8U]; + libcrux_ml_dsa_simd_avx2_to_coefficient_array_a2(simd_unit, ret0); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret0, int32_t), int32_t); + } + memcpy(ret, result, (size_t)256U * sizeof(int32_t)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_e6 libcrux_ml_dsa_arithmetic_make_hint_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 low[6U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 high[6U]) { + int32_t hint[6U][256U] = {{0U}}; + size_t true_hints = (size_t)0U; + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 hint_simd = + libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, hint_simd.simd_units, __m256i), + __m256i); + i++) { + size_t j = i; + tuple_25 uu____0 = libcrux_ml_dsa_simd_avx2_compute_hint_a2_80( + low[i1].simd_units[j], high[i1].simd_units[j]); + size_t one_hints_count = uu____0.fst; + __m256i current_hint = uu____0.snd; + hint_simd.simd_units[j] = current_hint; + true_hints = true_hints + one_hints_count; + } + int32_t uu____1[256U]; + libcrux_ml_dsa_polynomial_to_i32_array_ff_ea(&hint_simd, uu____1); + memcpy(hint[i1], uu____1, (size_t)256U * sizeof(int32_t)); + } + /* Passing arrays by value in Rust generates a copy in C */ + int32_t copy_of_hint[6U][256U]; + memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); + tuple_e6 lit; + memcpy(lit.fst, copy_of_hint, (size_t)6U * sizeof(int32_t[256U])); + lit.snd = true_hints; + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.signature.Signature +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- $48size_t +- $5size_t +- $6size_t +*/ +typedef struct libcrux_ml_dsa_encoding_signature_Signature_ca_s { + uint8_t commitment_hash[48U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U]; + int32_t hint[6U][256U]; +} libcrux_ml_dsa_encoding_signature_Signature_ca; + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.encoding.gamma1.serialize +with const generics +- GAMMA1_EXPONENT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_36( + __m256i simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + simd_unit, serialized); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.gamma1_serialize_a2 +with const generics +- GAMMA1_EXPONENT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_simd_avx2_gamma1_serialize_a2_36( + __m256i simd_unit, Eurydice_slice serialized) { + libcrux_ml_dsa_simd_avx2_encoding_gamma1_serialize_36(simd_unit, serialized); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.serialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- GAMMA1_EXPONENT= 19 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_serialize_05( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i *simd_unit = &re.simd_units[i0]; + libcrux_ml_dsa_simd_avx2_gamma1_serialize_a2_36( + simd_unit[0U], + Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U), + (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), + uint8_t)); + } +} + +/** +This function found in impl +{libcrux_ml_dsa::encoding::signature::Signature[TraitClause@0, TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.encoding.signature.serialize_92 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- COMMITMENT_HASH_SIZE= 48 +- COLUMNS_IN_A= 5 +- ROWS_IN_A= 6 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- MAX_ONES_IN_HINT= 55 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_92_cc( + libcrux_ml_dsa_encoding_signature_Signature_ca *self, uint8_t ret[3309U]) { + uint8_t signature[3309U] = {0U}; + size_t offset = (size_t)0U; + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + signature, offset, offset + (size_t)48U, uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_slice((size_t)48U, self->commitment_hash, uint8_t), + uint8_t); + offset = offset + (size_t)48U; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = + self->signer_response[i0]; + libcrux_ml_dsa_encoding_gamma1_serialize_05( + uu____1, Eurydice_array_to_subslice2(signature, offset, + offset + (size_t)640U, uint8_t)); + offset = offset + (size_t)640U; + } + size_t true_hints_seen = (size_t)0U; + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)256U, self->hint[i1], int32_t), + int32_t); + i++) { + size_t j = i; + if (self->hint[i1][j] == (int32_t)1) { + signature[offset + true_hints_seen] = (uint8_t)j; + true_hints_seen++; + } + } + signature[offset + (size_t)55U + i1] = (uint8_t)true_hints_seen; + } + memcpy(ret, signature, (size_t)3309U * sizeof(uint8_t)); +} + +/** + The internal signing API. + + If no `domain_separation_context` is supplied, it is assumed that + `message` already contains the domain separation. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( + uint8_t *signing_key, Eurydice_slice message, + Option_84 domain_separation_context, uint8_t randomness[32U]) { + tuple_f00 uu____0 = + libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_b6(signing_key); + uint8_t seed_for_A[32U]; + memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t)); + uint8_t seed_for_signing[32U]; + memcpy(seed_for_signing, uu____0.snd, (size_t)32U * sizeof(uint8_t)); + uint8_t verification_key_hash[64U]; + memcpy(verification_key_hash, uu____0.thd, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1_as_ntt[5U]; + memcpy( + s1_as_ntt, uu____0.f3, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2_as_ntt[6U]; + memcpy( + s2_as_ntt, uu____0.f4, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t0_as_ntt[6U]; + memcpy( + t0_as_ntt, uu____0.f5, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_as_ntt[6U][5U]; + uint8_t ret[34U]; + libcrux_ml_dsa_utils_into_padded_array_b6( + Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); + libcrux_ml_dsa_samplex4_matrix_A_fe(ret, A_as_ntt); + uint8_t message_representative[64U] = {0U}; + uint8_t uu____1[64U]; + memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( + uu____1, domain_separation_context, message, message_representative); + uint8_t mask_seed[64U] = {0U}; + libcrux_sha3_portable_incremental_Shake256Xof shake0 = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake0, Eurydice_array_to_slice((size_t)32U, seed_for_signing, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake0, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake0, + Eurydice_array_to_slice((size_t)64U, message_representative, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake0, Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t)); + uint16_t domain_separator_for_mask = 0U; + int32_t BETA = (int32_t)((size_t)49U * (size_t)4U); + size_t attempt = (size_t)0U; + Option_67 commitment_hash0 = {.tag = None}; + Option_a4 signer_response0 = {.tag = None}; + Option_f0 hint0 = {.tag = None}; + while (true) { + if (attempt < LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN) { + attempt++; + uint8_t uu____2[66U]; + libcrux_ml_dsa_utils_into_padded_array_20( + Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t), uu____2); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 mask[5U]; + libcrux_ml_dsa_sample_sample_mask_vector_51( + uu____2, &domain_separator_for_mask, mask); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_times_mask[6U]; + libcrux_ml_dsa_matrix_compute_A_times_mask_fe(A_as_ntt, mask, + A_times_mask); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_A_times_mask[6U]; + memcpy(copy_of_A_times_mask, A_times_mask, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_6size_t__x2 + uu____4 = libcrux_ml_dsa_arithmetic_decompose_vector_fe( + copy_of_A_times_mask); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 w0[6U]; + memcpy(w0, uu____4.fst, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 commitment[6U]; + memcpy(commitment, uu____4.snd, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + uint8_t commitment_hash_candidate[48U] = {0U}; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_commitment0[6U]; + memcpy(copy_of_commitment0, commitment, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + uint8_t commitment_serialized[768U]; + libcrux_ml_dsa_encoding_commitment_serialize_vector_ef( + copy_of_commitment0, commitment_serialized); + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)64U, message_representative, + uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized, + uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, Eurydice_array_to_slice((size_t)48U, + commitment_hash_candidate, uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_commitment_hash_candidate[48U]; + memcpy(copy_of_commitment_hash_candidate, commitment_hash_candidate, + (size_t)48U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ea( + libcrux_ml_dsa_sample_sample_challenge_ring_element_8a( + copy_of_commitment_hash_candidate)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 challenge_times_s1[5U]; + libcrux_ml_dsa_matrix_vector_times_ring_element_1f( + s1_as_ntt, &verifier_challenge_as_ntt, challenge_times_s1); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 challenge_times_s2[6U]; + libcrux_ml_dsa_matrix_vector_times_ring_element_a3( + s2_as_ntt, &verifier_challenge_as_ntt, challenge_times_s2); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + signer_response_candidate[5U]; + libcrux_ml_dsa_matrix_add_vectors_1f(mask, challenge_times_s1, + signer_response_candidate); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + w0_minus_challenge_times_s2[6U]; + libcrux_ml_dsa_matrix_subtract_vectors_a3(w0, challenge_times_s2, + w0_minus_challenge_times_s2); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_signer_response_candidate[5U]; + memcpy(copy_of_signer_response_candidate, signer_response_candidate, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f( + copy_of_signer_response_candidate, + ((int32_t)1 << (uint32_t)(size_t)19U) - BETA)) { + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_w0_minus_challenge_times_s2[6U]; + memcpy(copy_of_w0_minus_challenge_times_s2, w0_minus_challenge_times_s2, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3( + copy_of_w0_minus_challenge_times_s2, (int32_t)261888 - BETA)) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + challenge_times_t0[6U]; + libcrux_ml_dsa_matrix_vector_times_ring_element_a3( + t0_as_ntt, &verifier_challenge_as_ntt, challenge_times_t0); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_challenge_times_t0[6U]; + memcpy( + copy_of_challenge_times_t0, challenge_times_t0, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_a3( + copy_of_challenge_times_t0, (int32_t)261888)) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + w0_minus_c_times_s2_plus_c_times_t0[6U]; + libcrux_ml_dsa_matrix_add_vectors_a3( + w0_minus_challenge_times_s2, challenge_times_t0, + w0_minus_c_times_s2_plus_c_times_t0); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_w0_minus_c_times_s2_plus_c_times_t0[6U]; + memcpy( + copy_of_w0_minus_c_times_s2_plus_c_times_t0, + w0_minus_c_times_s2_plus_c_times_t0, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_commitment[6U]; + memcpy( + copy_of_commitment, commitment, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + tuple_e6 uu____12 = libcrux_ml_dsa_arithmetic_make_hint_fe( + copy_of_w0_minus_c_times_s2_plus_c_times_t0, + copy_of_commitment); + int32_t hint_candidate[6U][256U]; + memcpy(hint_candidate, uu____12.fst, + (size_t)6U * sizeof(int32_t[256U])); + size_t ones_in_hint = uu____12.snd; + if (!(ones_in_hint > (size_t)55U)) { + attempt = LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_commitment_hash_candidate0[48U]; + memcpy(copy_of_commitment_hash_candidate0, + commitment_hash_candidate, (size_t)48U * sizeof(uint8_t)); + Option_67 lit0; + lit0.tag = Some; + memcpy(lit0.f0, copy_of_commitment_hash_candidate0, + (size_t)48U * sizeof(uint8_t)); + commitment_hash0 = lit0; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_signer_response_candidate0[5U]; + memcpy( + copy_of_signer_response_candidate0, signer_response_candidate, + (size_t)5U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + Option_a4 lit1; + lit1.tag = Some; + memcpy( + lit1.f0, copy_of_signer_response_candidate0, + (size_t)5U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + signer_response0 = lit1; + /* Passing arrays by value in Rust generates a copy in C */ + int32_t copy_of_hint_candidate[6U][256U]; + memcpy(copy_of_hint_candidate, hint_candidate, + (size_t)6U * sizeof(int32_t[256U])); + Option_f0 lit; + lit.tag = Some; + memcpy(lit.f0, copy_of_hint_candidate, + (size_t)6U * sizeof(int32_t[256U])); + hint0 = lit; + } + } + } + } + } else { + break; + } + } + Result_2e uu____16; + if (commitment_hash0.tag == None) { + uu____16 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}}); + } else { + uint8_t commitment_hash1[48U]; + memcpy(commitment_hash1, commitment_hash0.f0, + (size_t)48U * sizeof(uint8_t)); + uint8_t commitment_hash[48U]; + memcpy(commitment_hash, commitment_hash1, (size_t)48U * sizeof(uint8_t)); + if (signer_response0.tag == None) { + uu____16 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}}); + } else { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response1[5U]; + memcpy(signer_response1, signer_response0.f0, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U]; + memcpy(signer_response, signer_response1, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + if (hint0.tag == None) { + uu____16 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}}); + } else { + int32_t hint1[6U][256U]; + memcpy(hint1, hint0.f0, (size_t)6U * sizeof(int32_t[256U])); + int32_t hint[6U][256U]; + memcpy(hint, hint1, (size_t)6U * sizeof(int32_t[256U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_commitment_hash[48U]; + memcpy(copy_of_commitment_hash, commitment_hash, + (size_t)48U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_signer_response[5U]; + memcpy(copy_of_signer_response, signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + int32_t copy_of_hint[6U][256U]; + memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); + uint8_t signature[3309U]; + libcrux_ml_dsa_encoding_signature_Signature_ca lit0; + memcpy(lit0.commitment_hash, copy_of_commitment_hash, + (size_t)48U * sizeof(uint8_t)); + memcpy(lit0.signer_response, copy_of_signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy(lit0.hint, copy_of_hint, (size_t)6U * sizeof(int32_t[256U])); + libcrux_ml_dsa_encoding_signature_serialize_92_cc(&lit0, signature); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signature[3309U]; + memcpy(copy_of_signature, signature, (size_t)3309U * sizeof(uint8_t)); + Result_2e lit; + lit.tag = Ok; + lit.val.case_Ok = libcrux_ml_dsa_types_new_8f_fa(copy_of_signature); + uu____16 = lit; + return uu____16; + } + } + } + return uu____16; +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_ea( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( + context, (CLITERAL(Option_30){.tag = None})); + Result_2e uu____1; + if (uu____0.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + dsc; + uint8_t *uu____2 = signing_key; + Eurydice_slice uu____3 = message; + Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context}; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( + uu____2, uu____3, uu____4, copy_of_randomness); + } else { + uu____1 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); + } + return uu____1; } /** @@ -5096,10 +7458,42 @@ libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_6e(uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"expression_of_operand Constant: " - "TraitClause@13OID\")\n"); - KRML_HOST_EXIT(255U); + Result_2e uu____0; + if (Eurydice_slice_len(context, uint8_t) > + LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) { + uu____0 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); + } else { + uint8_t pre_hashed_message[256U]; + libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message); + Eurydice_slice uu____1 = context; + Option_30 lit; + lit.tag = Some; + uint8_t ret[11U]; + libcrux_ml_dsa_pre_hash_oid_bd(ret); + memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); + Result_a8 uu____2 = libcrux_ml_dsa_pre_hash_new_45(uu____1, lit); + if (uu____2.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____2.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext + domain_separation_context = dsc; + uint8_t *uu____3 = signing_key; + Eurydice_slice uu____4 = + Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t); + Option_84 uu____5 = {.tag = Some, .f0 = domain_separation_context}; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + uu____0 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_ea( + uu____3, uu____4, uu____5, copy_of_randomness); + } else { + uu____0 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); + } + } + return uu____0; } /** @@ -5197,6 +7591,709 @@ static inline Result_2e libcrux_ml_dsa_ml_dsa_65_avx2_sign_pre_hashed_shake128( uu____0, uu____1, uu____2, copy_of_randomness); } +/** +A monomorphic instance of K. +with types uint8_t[32size_t], libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[6size_t] + +*/ +typedef struct tuple_930_s { + uint8_t fst[32U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 snd[6U]; +} tuple_930; + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t1.deserialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_dsa_encoding_t1_deserialize_ea( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *result) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, result->simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i uu____0 = libcrux_ml_dsa_simd_avx2_t1_deserialize_a2( + Eurydice_slice_subslice2(serialized, i0 * (size_t)10U, + (i0 + (size_t)1U) * (size_t)10U, uint8_t)); + result->simd_units[i0] = uu____0; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.verification_key.deserialize +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- VERIFICATION_KEY_SIZE= 1952 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE tuple_930 +libcrux_ml_dsa_encoding_verification_key_deserialize_fe(uint8_t *serialized) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)1952U, serialized, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_A = uu____0.fst; + Eurydice_slice serialized_remaining = uu____0.snd; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + size_t i0 = i; + libcrux_ml_dsa_encoding_t1_deserialize_ea( + Eurydice_slice_subslice2( + serialized_remaining, + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, + uint8_t), + &t1[i0]); + } + uint8_t uu____1[32U]; + Result_fb dst; + Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U]); + unwrap_26_b3(dst, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; + memcpy( + copy_of_t1, t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + tuple_930 lit; + memcpy(lit.fst, uu____1, (size_t)32U * sizeof(uint8_t)); + memcpy( + lit.snd, copy_of_t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + return lit; +} + +/** +A monomorphic instance of core.result.Result +with types libcrux_ml_dsa_encoding_signature_Signature +libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit[[$6size_t]][[$5size_t]][[$48size_t]], +libcrux_ml_dsa_types_VerificationError + +*/ +typedef struct Result_ef0_s { + Result_a9_tags tag; + union { + libcrux_ml_dsa_encoding_signature_Signature_ca case_Ok; + libcrux_ml_dsa_types_VerificationError case_Err; + } val; +} Result_ef0; + +/** +This function found in impl +{libcrux_ml_dsa::encoding::signature::Signature[TraitClause@0, TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.encoding.signature.deserialize_92 +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- COMMITMENT_HASH_SIZE= 48 +- COLUMNS_IN_A= 5 +- ROWS_IN_A= 6 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- MAX_ONES_IN_HINT= 55 +- SIGNATURE_SIZE= 3309 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_ef0 +libcrux_ml_dsa_encoding_signature_deserialize_92_cc(uint8_t *serialized) { + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)3309U, serialized, uint8_t), (size_t)48U, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice commitment_hash = uu____0.fst; + Eurydice_slice rest_of_serialized = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = + Eurydice_slice_split_at(rest_of_serialized, (size_t)640U * (size_t)5U, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice signer_response_serialized = uu____1.fst; + Eurydice_slice hint_serialized = uu____1.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + signer_response[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t i0 = i; + libcrux_ml_dsa_encoding_gamma1_deserialize_05( + Eurydice_slice_subslice2(signer_response_serialized, i0 * (size_t)640U, + (i0 + (size_t)1U) * (size_t)640U, uint8_t), + &signer_response[i0]); + } + int32_t hint[6U][256U] = {{0U}}; + size_t previous_true_hints_seen = (size_t)0U; + size_t i = (size_t)0U; + bool malformed_hint = false; + while (true) { + if (i < (size_t)6U) { + if (malformed_hint) { + break; + } else { + size_t current_true_hints_seen = (size_t)Eurydice_slice_index( + hint_serialized, (size_t)55U + i, uint8_t, uint8_t *); + size_t j; + bool uu____2; + bool uu____3; + size_t uu____4; + size_t uu____5; + bool uu____6; + size_t uu____7; + size_t uu____8; + bool uu____9; + uint8_t uu____10; + size_t uu____11; + uint8_t uu____12; + size_t uu____13; + size_t uu____14; + bool uu____15; + size_t uu____16; + size_t uu____17; + uint8_t uu____18; + size_t uu____19; + bool uu____20; + size_t uu____21; + if (!(current_true_hints_seen < previous_true_hints_seen)) { + if (!(previous_true_hints_seen > (size_t)55U)) { + j = previous_true_hints_seen; + while (true) { + uu____2 = malformed_hint; + if (uu____2) { + break; + } else { + uu____4 = j; + uu____5 = current_true_hints_seen; + uu____3 = uu____4 < uu____5; + if (uu____3) { + uu____7 = j; + uu____8 = previous_true_hints_seen; + uu____6 = uu____7 > uu____8; + if (uu____6) { + uu____11 = j; + uu____10 = Eurydice_slice_index(hint_serialized, uu____11, + uint8_t, uint8_t *); + uu____14 = j; + uu____13 = uu____14 - (size_t)1U; + uu____12 = Eurydice_slice_index(hint_serialized, uu____13, + uint8_t, uint8_t *); + uu____9 = uu____10 <= uu____12; + if (uu____9) { + malformed_hint = true; + uu____15 = malformed_hint; + if (!uu____15) { + uu____16 = i; + uu____19 = j; + uu____18 = Eurydice_slice_index( + hint_serialized, uu____19, uint8_t, uint8_t *); + uu____17 = (size_t)uu____18; + hint[uu____16][uu____17] = (int32_t)1; + j++; + } + continue; + } + } + uu____15 = malformed_hint; + if (!uu____15) { + uu____16 = i; + uu____19 = j; + uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uint8_t, uint8_t *); + uu____17 = (size_t)uu____18; + hint[uu____16][uu____17] = (int32_t)1; + j++; + } + } else { + break; + } + } + } + uu____20 = malformed_hint; + if (!uu____20) { + uu____21 = current_true_hints_seen; + previous_true_hints_seen = uu____21; + i++; + } + continue; + } + } + malformed_hint = true; + j = previous_true_hints_seen; + while (true) { + uu____2 = malformed_hint; + if (uu____2) { + break; + } else { + uu____4 = j; + uu____5 = current_true_hints_seen; + uu____3 = uu____4 < uu____5; + if (uu____3) { + uu____7 = j; + uu____8 = previous_true_hints_seen; + uu____6 = uu____7 > uu____8; + if (uu____6) { + uu____11 = j; + uu____10 = Eurydice_slice_index(hint_serialized, uu____11, + uint8_t, uint8_t *); + uu____14 = j; + uu____13 = uu____14 - (size_t)1U; + uu____12 = Eurydice_slice_index(hint_serialized, uu____13, + uint8_t, uint8_t *); + uu____9 = uu____10 <= uu____12; + if (uu____9) { + malformed_hint = true; + uu____15 = malformed_hint; + if (!uu____15) { + uu____16 = i; + uu____19 = j; + uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uint8_t, uint8_t *); + uu____17 = (size_t)uu____18; + hint[uu____16][uu____17] = (int32_t)1; + j++; + } + continue; + } + } + uu____15 = malformed_hint; + if (!uu____15) { + uu____16 = i; + uu____19 = j; + uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uint8_t, uint8_t *); + uu____17 = (size_t)uu____18; + hint[uu____16][uu____17] = (int32_t)1; + j++; + } + } else { + break; + } + } + } + uu____20 = malformed_hint; + if (!uu____20) { + uu____21 = current_true_hints_seen; + previous_true_hints_seen = uu____21; + i++; + } + } + } else { + break; + } + } + i = previous_true_hints_seen; + while (true) { + if (i < (size_t)55U) { + if (malformed_hint) { + break; + } else { + if (Eurydice_slice_index(hint_serialized, i, uint8_t, uint8_t *) != + 0U) { + malformed_hint = true; + } + i++; + } + } else { + break; + } + } + Result_ef0 uu____22; + if (malformed_hint) { + uu____22 = (CLITERAL(Result_ef0){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_MalformedHintError}}); + } else { + uint8_t uu____23[48U]; + Result_ae dst; + Eurydice_slice_to_array2(&dst, commitment_hash, Eurydice_slice, + uint8_t[48U]); + unwrap_26_28(dst, uu____23); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + copy_of_signer_response[5U]; + memcpy(copy_of_signer_response, signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + /* Passing arrays by value in Rust generates a copy in C */ + int32_t copy_of_hint[6U][256U]; + memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); + Result_ef0 lit; + lit.tag = Ok; + memcpy(lit.val.case_Ok.commitment_hash, uu____23, + (size_t)48U * sizeof(uint8_t)); + memcpy(lit.val.case_Ok.signer_response, copy_of_signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + memcpy(lit.val.case_Ok.hint, copy_of_hint, + (size_t)6U * sizeof(int32_t[256U])); + uu____22 = lit; + } + return uu____22; +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.avx2.arithmetic.shift_left_then_reduce with const generics +- SHIFT_BY= 13 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_arithmetic_shift_left_then_reduce_84( + __m256i simd_unit) { + __m256i shifted = + libcrux_intrinsics_avx2_mm256_slli_epi32((int32_t)13, simd_unit, __m256i); + __m256i quotient = libcrux_intrinsics_avx2_mm256_add_epi32( + shifted, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)1 << 22U)); + __m256i quotient0 = + libcrux_intrinsics_avx2_mm256_srai_epi32((int32_t)23, quotient, __m256i); + __m256i quotient_times_field_modulus = + libcrux_intrinsics_avx2_mm256_mullo_epi32( + quotient0, libcrux_intrinsics_avx2_mm256_set1_epi32( + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS)); + return libcrux_intrinsics_avx2_mm256_sub_epi32(shifted, + quotient_times_field_modulus); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.shift_left_then_reduce_a2 +with const generics +- SHIFT_BY= 13 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_shift_left_then_reduce_a2_84(__m256i simd_unit) { + return libcrux_ml_dsa_simd_avx2_arithmetic_shift_left_then_reduce_84( + simd_unit); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.shift_left_then_reduce +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- SHIFT_BY= 13 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_24 +libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 out = + libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)32U, re.simd_units, __m256i), + __m256i); + i++) { + size_t i0 = i; + __m256i *simd_unit = &re.simd_units[i0]; + out.simd_units[i0] = + libcrux_ml_dsa_simd_avx2_shift_left_then_reduce_a2_84(simd_unit[0U]); + } + return out; +} + +/** + Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) +*/ +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_w_approx +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_w_approx_fe( + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 (*A_as_ntt)[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 signer_response[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + verifier_challenge_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____0 = + libcrux_ml_dsa_ntt_ntt_ea(signer_response[i0]); + signer_response[i0] = uu____0; + } + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, A_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24[5U]); + i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *row = A_as_ntt[i1]; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, row, + libcrux_ml_dsa_polynomial_PolynomialRingElement_24), + libcrux_ml_dsa_polynomial_PolynomialRingElement_24); + i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 *ring_element = + &row[j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 product = + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea(ring_element, + &signer_response[j]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____1 = + libcrux_ml_dsa_polynomial_add_ff_ea(&result[i1], &product); + result[i1] = uu____1; + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1_shifted = + libcrux_ml_dsa_arithmetic_shift_left_then_reduce_68(t1[i1]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1_shifted0 = + libcrux_ml_dsa_ntt_ntt_ea(t1_shifted); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + challenge_times_t1_shifted = + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ea( + &verifier_challenge_as_ntt, &t1_shifted0); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____2 = + libcrux_ml_dsa_ntt_invert_ntt_montgomery_ea( + libcrux_ml_dsa_polynomial_subtract_ff_ea( + &result[i1], &challenge_times_t1_shifted)); + result[i1] = uu____2; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.arithmetic.use_hint +with const generics +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_arithmetic_use_hint_80(__m256i r, __m256i hint) { + core_core_arch_x86___m256i_x2 uu____0 = + libcrux_ml_dsa_simd_avx2_arithmetic_decompose_80(r); + __m256i r0 = uu____0.fst; + __m256i r1 = uu____0.snd; + __m256i all_zeros = libcrux_intrinsics_avx2_mm256_setzero_si256(); + __m256i negate_hints = + libcrux_intrinsics_avx2_vec256_blendv_epi32(all_zeros, hint, r0); + __m256i negate_hints0 = libcrux_intrinsics_avx2_mm256_slli_epi32( + (int32_t)1, negate_hints, __m256i); + __m256i hints = libcrux_intrinsics_avx2_mm256_sub_epi32(hint, negate_hints0); + __m256i r1_plus_hints = libcrux_intrinsics_avx2_mm256_add_epi32(r1, hints); + return libcrux_intrinsics_avx2_mm256_and_si256( + r1_plus_hints, libcrux_intrinsics_avx2_mm256_set1_epi32((int32_t)15)); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::avx2::vector_type::AVX2SIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.avx2.use_hint_a2 +with const generics +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_dsa_simd_avx2_use_hint_a2_80(__m256i simd_unit, __m256i hint) { + return libcrux_ml_dsa_simd_avx2_arithmetic_use_hint_80(simd_unit, hint); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.use_hint +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit +with const generics +- DIMENSION= 6 +- GAMMA2= 261888 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_fe( + int32_t hint[6U][256U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 re_vector[6U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); + } + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 hint_simd = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ea( + Eurydice_array_to_slice((size_t)256U, hint[i1], int32_t)); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)32U, result->simd_units, __m256i), + __m256i); + i++) { + size_t j = i; + __m256i uu____0 = libcrux_ml_dsa_simd_avx2_use_hint_a2_80( + re_vector[i1].simd_units[j], hint_simd.simd_units[j]); + result[i1].simd_units[j] = uu____0; + } + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); +} + +/** + The internal verification API. + + If no `domain_separation_context` is supplied, it is assumed that + `message` already contains the domain separation. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal +with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, +libcrux_ml_dsa_hash_functions_simd256_Shake128x4, +libcrux_ml_dsa_hash_functions_simd256_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( + uint8_t *verification_key_serialized, Eurydice_slice message, + Option_84 domain_separation_context, uint8_t *signature_serialized) { + tuple_930 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_fe( + verification_key_serialized); + uint8_t seed_for_A[32U]; + memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 t1[6U]; + memcpy( + t1, uu____0.snd, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + Result_ef0 uu____1 = + libcrux_ml_dsa_encoding_signature_deserialize_92_cc(signature_serialized); + Result_41 uu____2; + if (uu____1.tag == Ok) { + libcrux_ml_dsa_encoding_signature_Signature_ca s = uu____1.val.case_Ok; + libcrux_ml_dsa_encoding_signature_Signature_ca signature = s; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____3[5U]; + memcpy(uu____3, signature.signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + if (libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_1f( + uu____3, ((int32_t)2 << (uint32_t)(size_t)19U) - (int32_t)196)) { + uu____2 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_SignerResponseExceedsBoundError}); + } else { + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 A_as_ntt[6U][5U]; + uint8_t ret[34U]; + libcrux_ml_dsa_utils_into_padded_array_b6( + Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); + libcrux_ml_dsa_samplex4_matrix_A_fe(ret, A_as_ntt); + uint8_t verification_key_hash[64U] = {0U}; + libcrux_ml_dsa_hash_functions_simd256_shake256_d9_24( + Eurydice_array_to_slice((size_t)1952U, verification_key_serialized, + uint8_t), + verification_key_hash); + uint8_t message_representative[64U] = {0U}; + uint8_t uu____4[64U]; + memcpy(uu____4, verification_key_hash, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( + uu____4, domain_separation_context, message, message_representative); + uint8_t uu____5[48U]; + memcpy(uu____5, signature.commitment_hash, (size_t)48U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 + verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ea( + libcrux_ml_dsa_sample_sample_challenge_ring_element_8a(uu____5)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24(*uu____6)[5U] = + A_as_ntt; + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____7[5U]; + memcpy(uu____7, signature.signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 uu____8 = + verifier_challenge_as_ntt; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_t1[6U]; + memcpy(copy_of_t1, t1, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 w_approx[6U]; + libcrux_ml_dsa_matrix_compute_w_approx_fe(uu____6, uu____7, uu____8, + copy_of_t1, w_approx); + uint8_t commitment_hash[48U] = {0U}; + int32_t uu____10[6U][256U]; + memcpy(uu____10, signature.hint, (size_t)6U * sizeof(int32_t[256U])); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_w_approx[6U]; + memcpy(copy_of_w_approx, w_approx, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 commitment[6U]; + libcrux_ml_dsa_arithmetic_use_hint_fe(uu____10, copy_of_w_approx, + commitment); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_commitment[6U]; + memcpy(copy_of_commitment, commitment, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); + uint8_t commitment_serialized[768U]; + libcrux_ml_dsa_encoding_commitment_serialize_vector_ef( + copy_of_commitment, commitment_serialized); + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)64U, message_representative, + uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized, + uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, + Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t)); + if (core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( + (size_t)48U, signature.commitment_hash, commitment_hash, uint8_t, + uint8_t, bool)) { + uu____2 = (CLITERAL(Result_41){.tag = Ok}); + } else { + uu____2 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_CommitmentHashesDontMatchError}); + } + } + } else { + libcrux_ml_dsa_types_VerificationError e = uu____1.val.case_Err; + uu____2 = (CLITERAL(Result_41){.tag = Err, .f0 = e}); + } + return uu____2; +} + /** A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, @@ -5221,13 +8318,23 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_d1( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes " - "core::result::{core::ops::try_trait::Try for core::result::Result[TraitClause@0, TraitClause@1]}#26[TraitClause@0, " - "TraitClause@1]::Residual\")\n"); - KRML_HOST_EXIT(255U); + Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( + context, (CLITERAL(Option_30){.tag = None})); + Result_41 uu____1; + if (uu____0.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + dsc; + uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( + verification_key_serialized, message, + (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), + signature_serialized); + } else { + uu____1 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError}); + } + return uu____1; } /** @@ -5334,10 +8441,31 @@ static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_07( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"expression_of_operand Constant: " - "TraitClause@11OID\")\n"); - KRML_HOST_EXIT(255U); + uint8_t pre_hashed_message[256U]; + libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message); + Eurydice_slice uu____0 = context; + Option_30 lit; + lit.tag = Some; + uint8_t ret[11U]; + libcrux_ml_dsa_pre_hash_oid_bd(ret); + memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); + Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit); + Result_41 uu____2; + if (uu____1.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + dsc; + uu____2 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_d1( + verification_key_serialized, + Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t), + (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), + signature_serialized); + } else { + uu____2 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError}); + } + return uu____2; } /** diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index 0df065b82..a1c766bfb 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 + * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 */ #ifndef __libcrux_mldsa65_portable_H @@ -69,17 +69,7 @@ extern "C" { #define LIBCRUX_ML_DSA_CONSTANTS_SIGNING_RANDOMNESS_SIZE ((size_t)32U) -#define LIBCRUX_ML_DSA_ENCODING_COMMITMENT_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ - ((size_t)6U) - -#define LIBCRUX_ML_DSA_ENCODING_ERROR_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ - ((size_t)4U) - -#define LIBCRUX_ML_DSA_ENCODING_GAMMA1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ - ((size_t)20U) - -#define LIBCRUX_ML_DSA_ENCODING_T0_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ - ((size_t)13U) +#define LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT ((size_t)13U) #define LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT \ ((size_t)10U) @@ -406,6 +396,7 @@ libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4} */ static inline void libcrux_ml_dsa_hash_functions_portable_squeeze_83( libcrux_sha3_portable_incremental_Shake256Xof *self, Eurydice_slice out) { + printf("squeeze out len: %lu\n", out.len); libcrux_sha3_portable_incremental_squeeze_68(self, out); } @@ -532,8 +523,131 @@ libcrux_ml_dsa_samplex4_generate_domain_separator(uint8_t row, uint8_t column) { #define LIBCRUX_ML_DSA_SIMD_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \ (58728449ULL) -typedef struct libcrux_ml_dsa_pre_hash_SHAKE128_PH_s { -} libcrux_ml_dsa_pre_hash_SHAKE128_PH; +typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { + Eurydice_slice context; + Option_30 pre_hash_oid; +} libcrux_ml_dsa_pre_hash_DomainSeparationContext; + +#define libcrux_ml_dsa_pre_hash_ContextTooLongError 0 + +typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; + +/** +A monomorphic instance of core.result.Result +with types libcrux_ml_dsa_pre_hash_DomainSeparationContext, +libcrux_ml_dsa_pre_hash_DomainSeparationError + +*/ +typedef struct Result_a8_s { + Result_a9_tags tag; + union { + libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; + } val; +} Result_a8; + +/** + `context` must be at most 255 bytes long. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Result_a8 libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, + Option_30 pre_hash_oid) { + Result_a8 uu____0; + if (Eurydice_slice_len(context, uint8_t) > + LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) { + uu____0 = (CLITERAL(Result_a8){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_pre_hash_ContextTooLongError}}); + } else { + uu____0 = (CLITERAL(Result_a8){ + .tag = Ok, + .val = { + .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); + } + return uu____0; +} + +/** + Returns the pre-hash OID, if any. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Option_30 *libcrux_ml_dsa_pre_hash_pre_hash_oid_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return &self->pre_hash_oid; +} + +/** + Returns the context, guaranteed to be at most 255 bytes long. +*/ +/** +This function found in impl +{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} +*/ +static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( + libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { + return self->context; +} + +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_update_seed( + uint8_t seed[66U], uint16_t *domain_separator, uint8_t ret[66U]) { + seed[64U] = (uint8_t)domain_separator[0U]; + seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + memcpy(ret, seed, (size_t)66U * sizeof(uint8_t)); +} + +static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle( + Eurydice_slice randomness, size_t *out_index, uint64_t *signs, + int32_t *result) { + bool done = false; + for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); + i++) { + size_t _cloop_j = i; + uint8_t *byte = + &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); + if (!done) { + size_t sample_at = (size_t)byte[0U]; + if (sample_at <= out_index[0U]) { + result[out_index[0U]] = result[sample_at]; + out_index[0U] = out_index[0U] + (size_t)1U; + result[sample_at] = + (int32_t)1 - (int32_t)2 * (int32_t)(signs[0U] & 1ULL); + signs[0U] = signs[0U] >> 1U; + size_t uu____0 = out_index[0U]; + done = uu____0 == Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)256U, result, int32_t), + int32_t); + } else { + size_t uu____1 = out_index[0U]; + done = uu____1 == Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)256U, result, int32_t), + int32_t); + } + } + } + return done; +} + +static const uint8_t libcrux_ml_dsa_pre_hash_SHAKE128_OID[11U] = { + 6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U}; + +/** +This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash<256: usize> for +libcrux_ml_dsa::pre_hash::SHAKE128_PH)} +*/ +static inline void libcrux_ml_dsa_pre_hash_oid_bd(uint8_t ret[11U]) { + memcpy(ret, libcrux_ml_dsa_pre_hash_SHAKE128_OID, + (size_t)11U * sizeof(uint8_t)); +} + +// typedef struct libcrux_ml_dsa_pre_hash_SHAKE128_PH_s { +// } libcrux_ml_dsa_pre_hash_SHAKE128_PH; typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_s { int32_t coefficients[8U]; @@ -662,12 +776,35 @@ static KRML_MUSTINLINE bool libcrux_ml_dsa_simd_portable_arithmetic_infinity_norm_exceeds( libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, int32_t bound) { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes " - "core::array::iter::{core::iter::traits::iterator::" - "Iterator for core::array::iter::IntoIter[TraitClause@0]}#2[TraitClause@0]::Item\")\n"); - KRML_HOST_EXIT(255U); + bool exceeds = false; + core_ops_range_Range_08 lit; + lit.start = (size_t)0U; + lit.end = Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, simd_unit.coefficients, int32_t), + int32_t); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + lit, core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + Option_08 uu____0 = + core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08); + if (uu____0.tag == None) { + return exceeds; + } else { + size_t _cloop_k = uu____0.f0; + int32_t coefficient = simd_unit.coefficients[_cloop_k]; + int32_t sign = coefficient >> 31U; + int32_t normalized = coefficient - (sign & (int32_t)2 * coefficient); + bool uu____1; + if (exceeds) { + uu____1 = true; + } else { + uu____1 = normalized >= bound; + } + exceeds = uu____1; + } + } } /** @@ -750,6 +887,25 @@ libcrux_ml_dsa_simd_portable_arithmetic_reduce_element(int32_t fe) { return fe - quotient * LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS; } +typedef struct int32_t_x2_s { + int32_t fst; + int32_t snd; +} int32_t_x2; + +static KRML_MUSTINLINE int32_t_x2 +libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(int32_t t) { + int32_t t2 = t + (t >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + int32_t t1 = + (t2 - (int32_t)1 + + ((int32_t)1 + << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - + (size_t)1U))) >> + (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T; + int32_t t0 = + t2 - (t1 << (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T); + return (CLITERAL(int32_t_x2){.fst = t0, .snd = t1}); +} + typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2_s { libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit fst; libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit snd; @@ -758,13 +914,27 @@ typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2_s { static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 libcrux_ml_dsa_simd_portable_arithmetic_power2round( libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::array::iter::{core::iter::traits::iterator::Iterator for " - "core::array::iter::IntoIter[TraitClause@0]}#2[core::marker::Sized] enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t0_simd_unit = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t1_simd_unit = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + int32_t t = simd_unit.coefficients[i0]; + int32_t_x2 uu____0 = + libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(t); + int32_t t0 = uu____0.fst; + int32_t t1 = uu____0.snd; + t0_simd_unit.coefficients[i0] = t0; + t1_simd_unit.coefficients[i0] = t1; + } + return ( + CLITERAL(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2){ + .fst = t0_simd_unit, .snd = t1_simd_unit}); } /** @@ -781,30 +951,22 @@ static KRML_MUSTINLINE size_t libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_field_modulus( Eurydice_slice randomness, Eurydice_slice out) { size_t sampled = (size_t)0U; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - core_slice___Slice_T___chunks(randomness, (size_t)3U, uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, core_slice_iter_Chunks); - while (true) { - Option_1b uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T__TraitClause_0___71__next( - &iter, uint8_t, Option_1b); - if (uu____0.tag == None) { - break; - } else { - Eurydice_slice bytes = uu____0.f0; - int32_t b0 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); - int32_t b1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); - int32_t b2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); - int32_t coefficient = ((b2 << 16U | b1 << 8U) | b0) & (int32_t)8388607; - if (coefficient < LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = coefficient; - sampled++; - } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i++) { + size_t _cloop_i = i; + Eurydice_slice bytes = + Eurydice_slice_subslice2(randomness, _cloop_i * (size_t)3U, + _cloop_i * (size_t)3U + (size_t)3U, uint8_t); + int32_t b0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int32_t b1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int32_t b2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); + int32_t coefficient = ((b2 << 16U | b1 << 8U) | b0) & (int32_t)8388607; + if (coefficient < LIBCRUX_ML_DSA_CONSTANTS_FIELD_MODULUS) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = coefficient; + sampled++; } } return sampled; @@ -825,35 +987,26 @@ static KRML_MUSTINLINE size_t libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_2( Eurydice_slice randomness, Eurydice_slice out) { size_t sampled = (size_t)0U; - core_slice_iter_Iter iter = - core_slice_iter___core__iter__traits__collect__IntoIterator_for___a___Slice_T____1__into_iter( - randomness, uint8_t, core_slice_iter_Iter); - while (true) { - Option_3f uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Iter__a__T__TraitClause_0___182__next( - &iter, uint8_t, Option_3f); - if (uu____0.tag == None) { - break; - } else { - uint8_t *byte = uu____0.f0; - uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); - uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); - if (try_0 < 15U) { - int32_t try_00 = (int32_t)try_0; - int32_t try_0_mod_5 = - try_00 - (try_00 * (int32_t)26 >> 7U) * (int32_t)5; - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)2 - try_0_mod_5; - sampled++; - } - if (try_1 < 15U) { - int32_t try_10 = (int32_t)try_1; - int32_t try_1_mod_5 = - try_10 - (try_10 * (int32_t)26 >> 7U) * (int32_t)5; - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)2 - try_1_mod_5; - sampled++; - } + for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); + i++) { + size_t _cloop_j = i; + uint8_t *byte = + &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); + uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); + uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + if (try_0 < 15U) { + int32_t try_00 = (int32_t)try_0; + int32_t try_0_mod_5 = try_00 - (try_00 * (int32_t)26 >> 7U) * (int32_t)5; + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)2 - try_0_mod_5; + sampled++; + } + if (try_1 < 15U) { + int32_t try_10 = (int32_t)try_1; + int32_t try_1_mod_5 = try_10 - (try_10 * (int32_t)26 >> 7U) * (int32_t)5; + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)2 - try_1_mod_5; + sampled++; } } return sampled; @@ -874,29 +1027,22 @@ static KRML_MUSTINLINE size_t libcrux_ml_dsa_simd_portable_sample_rejection_sample_less_than_eta_equals_4( Eurydice_slice randomness, Eurydice_slice out) { size_t sampled = (size_t)0U; - core_slice_iter_Iter iter = - core_slice_iter___core__iter__traits__collect__IntoIterator_for___a___Slice_T____1__into_iter( - randomness, uint8_t, core_slice_iter_Iter); - while (true) { - Option_3f uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Iter__a__T__TraitClause_0___182__next( - &iter, uint8_t, Option_3f); - if (uu____0.tag == None) { - break; - } else { - uint8_t *byte = uu____0.f0; - uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); - uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); - if (try_0 < 9U) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)4 - (int32_t)try_0; - sampled++; - } - if (try_1 < 9U) { - Eurydice_slice_index(out, sampled, int32_t, int32_t *) = - (int32_t)4 - (int32_t)try_1; - sampled++; - } + for (size_t i = (size_t)0U; i < Eurydice_slice_len(randomness, uint8_t); + i++) { + size_t _cloop_j = i; + uint8_t *byte = + &Eurydice_slice_index(randomness, _cloop_j, uint8_t, uint8_t *); + uint8_t try_0 = Eurydice_bitand_pv_u8(byte, 15U); + uint8_t try_1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + if (try_0 < 9U) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)4 - (int32_t)try_0; + sampled++; + } + if (try_1 < 9U) { + Eurydice_slice_index(out, sampled, int32_t, int32_t *) = + (int32_t)4 - (int32_t)try_1; + sampled++; } } return sampled; @@ -913,33 +1059,402 @@ libcrux_ml_dsa_simd_portable_rejection_sample_less_than_eta_equals_4_36( randomness, out); } +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_17( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t) / + (size_t)4U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U, + i0 * (size_t)4U + (size_t)4U, int32_t); + int32_t coefficient0 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); + int32_t coefficient1 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); + int32_t coefficient2 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t *); + int32_t coefficient3 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t *); + Eurydice_slice_index(serialized, (size_t)9U * i0, uint8_t, uint8_t *) = + (uint8_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)1U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 8U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)2U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 16U); + size_t uu____0 = (size_t)9U * i0 + (size_t)2U; + Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient1 << 2U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)3U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 6U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)4U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 14U); + size_t uu____1 = (size_t)9U * i0 + (size_t)4U; + Eurydice_slice_index(serialized, uu____1, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____1, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient2 << 4U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)5U, uint8_t, + uint8_t *) = (uint8_t)(coefficient2 >> 4U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)6U, uint8_t, + uint8_t *) = (uint8_t)(coefficient2 >> 12U); + size_t uu____2 = (size_t)9U * i0 + (size_t)6U; + Eurydice_slice_index(serialized, uu____2, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____2, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient3 << 6U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)7U, uint8_t, + uint8_t *) = (uint8_t)(coefficient3 >> 2U); + Eurydice_slice_index(serialized, (size_t)9U * i0 + (size_t)8U, uint8_t, + uint8_t *) = (uint8_t)(coefficient3 >> 10U); + } +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t) / + (size_t)2U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U, + i0 * (size_t)2U + (size_t)2U, int32_t); + int32_t coefficient0 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t *); + int32_t coefficient1 = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t *); + Eurydice_slice_index(serialized, (size_t)5U * i0, uint8_t, uint8_t *) = + (uint8_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)1U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 8U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)2U, uint8_t, + uint8_t *) = (uint8_t)(coefficient0 >> 16U); + size_t uu____0 = (size_t)5U * i0 + (size_t)2U; + Eurydice_slice_index(serialized, uu____0, uint8_t, uint8_t *) = + (uint32_t)Eurydice_slice_index(serialized, uu____0, uint8_t, + uint8_t *) | + (uint32_t)(uint8_t)(coefficient1 << 4U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)3U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 4U); + Eurydice_slice_index(serialized, (size_t)5U * i0 + (size_t)4U, uint8_t, + uint8_t *) = (uint8_t)(coefficient1 >> 12U); + } +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + ((int32_t)1 << 17U) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK \ + ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ + << 1U) - \ + (int32_t)1) + static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_17( Eurydice_slice serialized) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::ChunksExact<\'a, T>[TraitClause@0]}#90<\'_, " - "u8>[core::marker::Sized] enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)9U; i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * (size_t)9U, i0 * (size_t)9U + (size_t)9U, uint8_t); + int32_t coefficient0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + coefficient0 = + coefficient0 | + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) + << 8U; + coefficient0 = + coefficient0 | + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) + << 16U; + coefficient0 = + coefficient0 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; + int32_t coefficient1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> + 2U; + coefficient1 = + coefficient1 | + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) + << 6U; + coefficient1 = + coefficient1 | + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) + << 14U; + coefficient1 = + coefficient1 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; + int32_t coefficient2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) >> + 4U; + coefficient2 = + coefficient2 | + (int32_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) + << 4U; + coefficient2 = + coefficient2 | + (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) + << 12U; + coefficient2 = + coefficient2 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; + int32_t coefficient3 = + (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >> + 6U; + coefficient3 = + coefficient3 | + (int32_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) + << 2U; + coefficient3 = + coefficient3 | + (int32_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) + << 10U; + coefficient3 = + coefficient3 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK; + simd_unit.coefficients[(size_t)4U * i0] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + coefficient0; + simd_unit.coefficients[(size_t)4U * i0 + (size_t)1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + coefficient1; + simd_unit.coefficients[(size_t)4U * i0 + (size_t)2U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + coefficient2; + simd_unit.coefficients[(size_t)4U * i0 + (size_t)3U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 - + coefficient3; + } + return simd_unit; } +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + ((int32_t)1 << 19U) + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK \ + ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ + << 1U) - \ + (int32_t)1) + static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( Eurydice_slice serialized) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::ChunksExact<\'a, T>[TraitClause@0]}#90<\'_, " - "u8>[core::marker::Sized] enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t); + int32_t coefficient0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + coefficient0 = + coefficient0 | + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) + << 8U; + coefficient0 = + coefficient0 | + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) + << 16U; + coefficient0 = + coefficient0 & + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK; + int32_t coefficient1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> + 4U; + coefficient1 = + coefficient1 | + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) + << 4U; + coefficient1 = + coefficient1 | + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) + << 12U; + simd_unit.coefficients[(size_t)2U * i0] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + coefficient0; + simd_unit.coefficients[(size_t)2U * i0 + (size_t)1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 - + coefficient1; + } + return simd_unit; +} + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_commitment_serialize( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + switch ((uint8_t)Eurydice_slice_len(serialized, uint8_t)) { + case 4U: { + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t) / + (size_t)2U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U, + i0 * (size_t)2U + (size_t)2U, int32_t); + uint8_t coefficient0 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)0U, int32_t, int32_t *); + uint8_t coefficient1 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)1U, int32_t, int32_t *); + Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *) = + (uint32_t)coefficient1 << 4U | (uint32_t)coefficient0; + } + break; + } + case 6U: { + for (size_t i = (size_t)0U; + i < + Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t) / + (size_t)4U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U, + i0 * (size_t)4U + (size_t)4U, int32_t); + uint8_t coefficient0 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)0U, int32_t, int32_t *); + uint8_t coefficient1 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)1U, int32_t, int32_t *); + uint8_t coefficient2 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)2U, int32_t, int32_t *); + uint8_t coefficient3 = (uint8_t)Eurydice_slice_index( + coefficients, (size_t)3U, int32_t, int32_t *); + Eurydice_slice_index(serialized, (size_t)3U * i0, uint8_t, uint8_t *) = + (uint32_t)coefficient1 << 6U | (uint32_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)3U * i0 + (size_t)1U, uint8_t, + uint8_t *) = + (uint32_t)coefficient2 << 4U | (uint32_t)coefficient1 >> 2U; + Eurydice_slice_index(serialized, (size_t)3U * i0 + (size_t)2U, uint8_t, + uint8_t *) = + (uint32_t)coefficient3 << 2U | (uint32_t)coefficient2 >> 4U; + } + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +static inline void libcrux_ml_dsa_simd_portable_commitment_serialize_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_encoding_commitment_serialize(simd_unit, + serialized); } #define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA \ ((int32_t)2) +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_2( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + uint8_t coefficient0 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit.coefficients[0U]); + uint8_t coefficient1 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit.coefficients[1U]); + uint8_t coefficient2 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit.coefficients[2U]); + uint8_t coefficient3 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit.coefficients[3U]); + uint8_t coefficient4 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit.coefficients[4U]); + uint8_t coefficient5 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit.coefficients[5U]); + uint8_t coefficient6 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit.coefficients[6U]); + uint8_t coefficient7 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_2_ETA - + simd_unit.coefficients[7U]); + Eurydice_slice_index(serialized, (size_t)0U, uint8_t, uint8_t *) = + ((uint32_t)coefficient2 << 6U | (uint32_t)coefficient1 << 3U) | + (uint32_t)coefficient0; + Eurydice_slice_index(serialized, (size_t)1U, uint8_t, uint8_t *) = + (((uint32_t)coefficient5 << 7U | (uint32_t)coefficient4 << 4U) | + (uint32_t)coefficient3 << 1U) | + (uint32_t)coefficient2 >> 2U; + Eurydice_slice_index(serialized, (size_t)2U, uint8_t, uint8_t *) = + ((uint32_t)coefficient7 << 5U | (uint32_t)coefficient6 << 2U) | + (uint32_t)coefficient5 >> 1U; +} + +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) + +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t) / + (size_t)2U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)2U, + i0 * (size_t)2U + (size_t)2U, int32_t); + uint8_t coefficient0 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA - + Eurydice_slice_index(coefficients, (size_t)0U, int32_t, + int32_t *)); + uint8_t coefficient1 = + (uint8_t)(LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA - + Eurydice_slice_index(coefficients, (size_t)1U, int32_t, + int32_t *)); + Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *) = + (uint32_t)coefficient1 << 4U | (uint32_t)coefficient0; + } +} + #define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_2_ETA \ ((int32_t)2) @@ -981,18 +1496,30 @@ libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_2( return simd_unit; } +#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA \ + ((int32_t)4) + static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( Eurydice_slice serialized) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "u8>[core::marker::Sized] enumerate\")\n"); - KRML_HOST_EXIT(255U); -} - + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t); + i++) { + size_t i0 = i; + uint8_t *byte = &Eurydice_slice_index(serialized, i0, uint8_t, uint8_t *); + uint8_t uu____0 = Eurydice_bitand_pv_u8(byte, 15U); + simd_unit.coefficients[(size_t)2U * i0] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - + (int32_t)uu____0; + uint8_t uu____1 = Eurydice_shr_pv_u8(byte, (int32_t)4); + simd_unit.coefficients[(size_t)2U * i0 + (size_t)1U] = + LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA - + (int32_t)uu____1; + } + return simd_unit; +} + static KRML_MUSTINLINE int32_t libcrux_ml_dsa_simd_portable_encoding_t0_change_t0_interval(int32_t t0) { return ((int32_t)1 @@ -1187,13 +1714,55 @@ libcrux_ml_dsa_simd_portable_t0_deserialize_36(Eurydice_slice serialized) { static KRML_MUSTINLINE void libcrux_ml_dsa_simd_portable_encoding_t1_serialize( libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, uint8_t ret[10U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::ChunksExact<\'a, T>[TraitClause@0]}#90<\'_, " - "i32>[core::marker::Sized] enumerate\")\n"); - KRML_HOST_EXIT(255U); + uint8_t serialized[10U] = {0U}; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t) / + (size_t)4U; + i++) { + size_t i0 = i; + Eurydice_slice coefficients = + Eurydice_array_to_subslice2(simd_unit.coefficients, i0 * (size_t)4U, + i0 * (size_t)4U + (size_t)4U, int32_t); + serialized[(size_t)5U * i0] = + (uint8_t)(Eurydice_slice_index(coefficients, (size_t)0U, int32_t, + int32_t *) & + (int32_t)255); + serialized[(size_t)5U * i0 + (size_t)1U] = + (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)1U, + int32_t, int32_t *) & + (int32_t)63) + << 2U | + (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)0U, + int32_t, int32_t *) >> + 8U & + (int32_t)3); + serialized[(size_t)5U * i0 + (size_t)2U] = + (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)2U, + int32_t, int32_t *) & + (int32_t)15) + << 4U | + (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)1U, + int32_t, int32_t *) >> + 6U & + (int32_t)15); + serialized[(size_t)5U * i0 + (size_t)3U] = + (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)3U, + int32_t, int32_t *) & + (int32_t)3) + << 6U | + (uint32_t)(uint8_t)(Eurydice_slice_index(coefficients, (size_t)2U, + int32_t, int32_t *) >> + 4U & + (int32_t)63); + serialized[(size_t)5U * i0 + (size_t)4U] = + (uint8_t)(Eurydice_slice_index(coefficients, (size_t)3U, int32_t, + int32_t *) >> + 2U & + (int32_t)255); + } + memcpy(ret, serialized, (size_t)10U * sizeof(uint8_t)); } /** @@ -1209,13 +1778,35 @@ static inline void libcrux_ml_dsa_simd_portable_t1_serialize_36( static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit libcrux_ml_dsa_simd_portable_encoding_t1_deserialize( Eurydice_slice serialized) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::ChunksExact<\'a, T>[TraitClause@0]}#90<\'_, " - "u8>[core::marker::Sized] enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + int32_t mask = ((int32_t)1 << (uint32_t) + LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_UPPER_PART_OF_T) - + (int32_t)1; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)5U; i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * (size_t)5U, i0 * (size_t)5U + (size_t)5U, uint8_t); + int32_t byte0 = + (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int32_t byte1 = + (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int32_t byte2 = + (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); + int32_t byte3 = + (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *); + int32_t byte4 = + (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *); + simd_unit.coefficients[(size_t)4U * i0] = (byte0 | byte1 << 8U) & mask; + simd_unit.coefficients[(size_t)4U * i0 + (size_t)1U] = + (byte1 >> 2U | byte2 << 6U) & mask; + simd_unit.coefficients[(size_t)4U * i0 + (size_t)2U] = + (byte2 >> 4U | byte3 << 4U) & mask; + simd_unit.coefficients[(size_t)4U * i0 + (size_t)3U] = + (byte3 >> 6U | byte4 << 2U) & mask; + } + return simd_unit; } /** @@ -4834,64 +5425,6 @@ static KRML_MUSTINLINE return lit; } -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_4_by_4 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ETA= 4 -- S1_DIMENSION= 5 -- S2_DIMENSION= 6 -*/ -static KRML_MUSTINLINE tuple_ce -libcrux_ml_dsa_samplex4_sample_s1_and_s2_4_by_4_fe(uint8_t seed_base[66U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base[66U]; - memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base, 0U, 1U, 2U, 3U); - s1[0U] = four.fst; - s1[1U] = four.snd; - s1[2U] = four.thd; - s1[3U] = four.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base0[66U]; - memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base0, 4U, 5U, 6U, 7U); - s2[0U] = four0.fst; - s2[1U] = four0.snd; - s2[2U] = four0.thd; - s2[3U] = four0.f3; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U]; - memcpy( - copy_of_s2, s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - tuple_ce lit; - memcpy( - lit.fst, copy_of_s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy( - lit.snd, copy_of_s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - return lit; -} - /** A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_5_by_6 with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, @@ -4959,83 +5492,6 @@ libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_fe(uint8_t seed_base[66U]) { return lit; } -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_7_by_8 -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ETA= 4 -- S1_DIMENSION= 5 -- S2_DIMENSION= 6 -*/ -static KRML_MUSTINLINE tuple_ce -libcrux_ml_dsa_samplex4_sample_s1_and_s2_7_by_8_fe(uint8_t seed_base[66U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base[66U]; - memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base, 0U, 1U, 2U, 3U); - s1[0U] = four.fst; - s1[1U] = four.snd; - s1[2U] = four.thd; - s1[3U] = four.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base0[66U]; - memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base0, 4U, 5U, 6U, 7U); - s1[4U] = four0.fst; - s1[5U] = four0.snd; - s1[6U] = four0.thd; - s2[0U] = four0.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base1[66U]; - memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base1, 8U, 9U, 10U, 11U); - s2[1U] = four1.fst; - s2[2U] = four1.snd; - s2[3U] = four1.thd; - s2[4U] = four1.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base2[66U]; - memcpy(copy_of_seed_base2, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x4 - four2 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_92( - copy_of_seed_base2, 12U, 13U, 14U, 15U); - s2[5U] = four2.fst; - s2[6U] = four2.snd; - s2[7U] = four2.thd; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2[6U]; - memcpy( - copy_of_s2, s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - tuple_ce lit; - memcpy( - lit.fst, copy_of_s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - memcpy( - lit.snd, copy_of_s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); - return lit; -} - /** A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, @@ -5048,20 +5504,6 @@ static KRML_MUSTINLINE tuple_ce libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(uint8_t seed[66U]) { uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)5U, .snd = (uint8_t)(size_t)6U}; switch (uu____0.fst) { - case 4U: { - switch (uu____0.snd) { - case 4U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[66U]; - memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); - return libcrux_ml_dsa_samplex4_sample_s1_and_s2_4_by_4_fe( - copy_of_seed); - } - default: { - } - } - break; - } case 5U: { switch (uu____0.snd) { case 6U: { @@ -5076,20 +5518,6 @@ libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(uint8_t seed[66U]) { } break; } - case 7U: { - switch (uu____0.snd) { - case 8U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[66U]; - memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); - return libcrux_ml_dsa_samplex4_sample_s1_and_s2_7_by_8_fe( - copy_of_seed); - } - default: { - } - } - break; - } default: { } } @@ -5098,6 +5526,124 @@ libcrux_ml_dsa_samplex4_sample_s1_and_s2_fe(uint8_t seed[66U]) { KRML_HOST_EXIT(255U); } +/** +A monomorphic instance of libcrux_ml_dsa.ntt.ntt +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_ntt_ntt_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0[32U]; + memcpy(uu____0, re.simd_units, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]; + libcrux_ml_dsa_simd_portable_ntt_36(uu____0, ret); + memcpy(lit.simd_units, ret, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_As1_plus_s2.closure +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s) { + return libcrux_ml_dsa_ntt_ntt_ba(s); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ntt.ntt_multiply_montgomery +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b out = + libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, out.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_montgomery_multiply_36( + lhs->simd_units[i0], rhs->simd_units[i0]); + out.simd_units[i0] = uu____0; + } + return out; +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.add_ff +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_polynomial_add_ff_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b sum = + libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, sum.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_add_36(&self->simd_units[i0], + &rhs->simd_units[i0]); + sum.simd_units[i0] = uu____0; + } + return sum; +} + +/** +A monomorphic instance of libcrux_ml_dsa.ntt.invert_ntt_montgomery +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0[32U]; + memcpy(uu____0, re.simd_units, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b lit; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit ret[32U]; + libcrux_ml_dsa_simd_portable_invert_ntt_montgomery_36(uu____0, ret); + memcpy(lit.simd_units, ret, + (size_t)32U * + sizeof(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit)); + return lit; +} + /** Compute InvertNTT(Â ◦ ŝ₁) + s₂ */ @@ -5113,17 +5659,54 @@ static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_As1_plus_s2_2f( libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s1, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *s2, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "@Array[" - "TraitClause@0, TraitClause@1], " - "C@1>>[core::marker::Sized<@Array[TraitClause@0, TraitClause@1], C@1>>] " - "enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1[5U]; + memcpy( + copy_of_s1, s1, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_ntt[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + s1_ntt[i] = + libcrux_ml_dsa_matrix_compute_As1_plus_s2_closure_2f(copy_of_s1[i]); + } + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, A_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]); + i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1]; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, row, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &row[j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product = + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element, + &s1_ntt[j]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = + libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product); + result[i1] = uu____1; + } + result[i1] = libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(result[i1]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3 = + libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &s2[i1]); + result[i1] = uu____3; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); } typedef struct @@ -5142,23 +5725,102 @@ static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 libcrux_ml_dsa_arithmetic_power2round_vector_07( libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, " - "TraitClause@1]>[core::marker::Sized[TraitClause@0, TraitClause@1]>] " - "enumerate\")\n"); - KRML_HOST_EXIT(255U); -} - -/** -A monomorphic instance of -libcrux_ml_dsa.encoding.verification_key.generate_serialized with types -libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics -- ROWS_IN_A= 6 + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t0[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, t, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = &t[i1]; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, ring_element->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = + &ring_element->simd_units[j]; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 uu____0 = + libcrux_ml_dsa_simd_portable_power2round_36(simd_unit[0U]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t0_unit = + uu____0.fst; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit t1_unit = + uu____0.snd; + t0[i1].simd_units[j] = t0_unit; + t1[i1].simd_units[j] = t1_unit; + } + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0[6U]; + memcpy( + copy_of_t0, t0, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; + memcpy( + copy_of_t1, t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 + lit; + memcpy( + lit.fst, copy_of_t0, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy( + lit.snd, copy_of_t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t1.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t1_serialize_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, uint8_t ret[320U]) { + uint8_t serialized[320U] = {0U}; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = + &re.simd_units[i0]; + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + serialized, + i0 * LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T1_SERIALIZE_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t); + uint8_t ret0[10U]; + libcrux_ml_dsa_simd_portable_t1_serialize_36(simd_unit[0U], ret0); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)10U, ret0, uint8_t), uint8_t); + } + memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.verification_key.generate_serialized with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics +- ROWS_IN_A= 6 - VERIFICATION_KEY_SIZE= 1952 */ static KRML_MUSTINLINE void @@ -5166,16 +5828,31 @@ libcrux_ml_dsa_encoding_verification_key_generate_serialized_2f( Eurydice_slice seed_for_A, libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U], uint8_t ret[1952U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, " - "TraitClause@1]>[core::marker::Sized[TraitClause@0, TraitClause@1]>] " - "enumerate\")\n"); - KRML_HOST_EXIT(255U); + uint8_t verification_key_serialized[1952U] = {0U}; + Eurydice_slice_copy(Eurydice_array_to_subslice2( + verification_key_serialized, (size_t)0U, + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t), + seed_for_A, uint8_t); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, t1, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = &t1[i0]; + size_t offset = LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE + + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE; + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + verification_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, uint8_t); + uint8_t ret0[320U]; + libcrux_ml_dsa_encoding_t1_serialize_ba(ring_element[0U], ret0); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret0, uint8_t), uint8_t); + } + memcpy(ret, verification_key_serialized, (size_t)1952U * sizeof(uint8_t)); } /** @@ -5204,6 +5881,35 @@ libcrux_ml_dsa_hash_functions_portable_shake256_5c_24(Eurydice_slice input, libcrux_ml_dsa_hash_functions_portable_shake256_24(input, out); } +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.encoding.error.serialize +with const generics +- ETA= 4 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_error_serialize_ac( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_encoding_error_serialize_when_eta_is_4( + simd_unit, serialized); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.error_serialize_36 +with const generics +- ETA= 4 +*/ +static inline void libcrux_ml_dsa_simd_portable_error_serialize_36_ac( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_encoding_error_serialize_ac(simd_unit, + serialized); +} + /** A monomorphic instance of libcrux_ml_dsa.encoding.error.serialize with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit @@ -5212,14 +5918,26 @@ with const generics - OUTPUT_SIZE= 128 */ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_serialize_ea( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, uint8_t ret[128U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "T@0>[TraitClause@0] enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, + Eurydice_slice serialized) { + size_t output_bytes_per_simd_unit; + output_bytes_per_simd_unit = (size_t)4U; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = + &re.simd_units[i0]; + libcrux_ml_dsa_simd_portable_error_serialize_36_ac( + simd_unit[0U], + Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, + (i0 + (size_t)1U) * output_bytes_per_simd_unit, + uint8_t)); + } } /** @@ -5229,14 +5947,28 @@ with const generics */ static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_serialize_ba( - libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, uint8_t ret[416U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"Error looking trait impl: " - "core::slice::iter::{core::iter::traits::iterator::Iterator for " - "core::slice::iter::Iter<\'a, T>[TraitClause@0]}#182<\'_, " - "T@0>[TraitClause@0] enumerate\")\n"); - KRML_HOST_EXIT(255U); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = + &re.simd_units[i0]; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + serialized, i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t); + uint8_t ret[13U]; + libcrux_ml_dsa_simd_portable_t0_serialize_36(simd_unit[0U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)13U, ret, uint8_t), uint8_t); + } } /** @@ -5291,15 +6023,14 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); i++) { - size_t _cloop_i = i; + size_t _cloop_j = i; libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &s1[_cloop_i]; - Eurydice_slice uu____1 = Eurydice_array_to_subslice2( - signing_key_serialized, offset, offset + (size_t)128U, uint8_t); - uint8_t ret0[128U]; - libcrux_ml_dsa_encoding_error_serialize_ea(ring_element[0U], ret0); - Eurydice_slice_copy( - uu____1, Eurydice_array_to_slice((size_t)128U, ret0, uint8_t), uint8_t); + &s1[_cloop_j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = + ring_element[0U]; + libcrux_ml_dsa_encoding_error_serialize_ea( + uu____1, Eurydice_array_to_subslice2(signing_key_serialized, offset, + offset + (size_t)128U, uint8_t)); offset = offset + (size_t)128U; } for (size_t i = (size_t)0U; @@ -5309,15 +6040,14 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); i++) { - size_t _cloop_i = i; + size_t _cloop_j = i; libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &s2[_cloop_i]; - Eurydice_slice uu____2 = Eurydice_array_to_subslice2( - signing_key_serialized, offset, offset + (size_t)128U, uint8_t); - uint8_t ret0[128U]; - libcrux_ml_dsa_encoding_error_serialize_ea(ring_element[0U], ret0); - Eurydice_slice_copy( - uu____2, Eurydice_array_to_slice((size_t)128U, ret0, uint8_t), uint8_t); + &s2[_cloop_j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = + ring_element[0U]; + libcrux_ml_dsa_encoding_error_serialize_ea( + uu____2, Eurydice_array_to_subslice2(signing_key_serialized, offset, + offset + (size_t)128U, uint8_t)); offset = offset + (size_t)128U; } for (size_t i = (size_t)0U; @@ -5327,16 +6057,16 @@ libcrux_ml_dsa_encoding_signing_key_generate_serialized_d2( libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); i++) { - size_t _cloop_i = i; + size_t _cloop_j = i; libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = - &t0[_cloop_i]; - Eurydice_slice uu____3 = Eurydice_array_to_subslice2( - signing_key_serialized, offset, - offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, uint8_t); - uint8_t ret0[416U]; - libcrux_ml_dsa_encoding_t0_serialize_ba(ring_element[0U], ret0); - Eurydice_slice_copy( - uu____3, Eurydice_array_to_slice((size_t)416U, ret0, uint8_t), uint8_t); + &t0[_cloop_j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3 = + ring_element[0U]; + libcrux_ml_dsa_encoding_t0_serialize_ba( + uu____3, Eurydice_array_to_subslice2( + signing_key_serialized, offset, + offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + uint8_t)); offset = offset + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; } memcpy(ret, signing_key_serialized, (size_t)4032U * sizeof(uint8_t)); @@ -5517,185 +6247,2851 @@ libcrux_ml_dsa_ml_dsa_65_portable_generate_key_pair(uint8_t randomness[32U]) { } /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake128X4, -libcrux_ml_dsa_hash_functions_portable_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256Xof, -libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 -*/ -static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_05( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes " - "core::result::{core::ops::try_trait::Try for core::result::Result[TraitClause@0, TraitClause@1]}#26[TraitClause@0, " - "TraitClause@1]::Residual\")\n"); - KRML_HOST_EXIT(255U); -} +A monomorphic instance of K. +with types int32_t[256size_t][6size_t], size_t -/** - Sign. */ +typedef struct tuple_e6_s { + int32_t fst[6U][256U]; + size_t snd; +} tuple_e6; + /** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 -- ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 +A monomorphic instance of core.option.Option +with types libcrux_ml_dsa_pre_hash_DomainSeparationContext + */ -static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - uint8_t *uu____0 = signing_key; - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_05(uu____0, uu____1, uu____2, - copy_of_randomness); -} +typedef struct Option_84_s { + Option_d8_tags tag; + libcrux_ml_dsa_pre_hash_DomainSeparationContext f0; +} Option_84; /** - Generate an ML-DSA-65 Signature +A monomorphic instance of K. +with types uint8_t[32size_t], uint8_t[32size_t], uint8_t[64size_t], +libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t], +libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t], +libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t] - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It - may also be empty. */ -static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign( - libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, - Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( - uu____0, uu____1, uu____2, copy_of_randomness); -} +typedef struct tuple_f0_s { + uint8_t fst[32U]; + uint8_t snd[32U]; + uint8_t thd[64U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f3[5U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f4[6U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f5[6U]; +} tuple_f0; /** -A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed -with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, -libcrux_ml_dsa_hash_functions_portable_Shake128, -libcrux_ml_dsa_hash_functions_portable_Shake128X4, -libcrux_ml_dsa_hash_functions_portable_Shake256, -libcrux_ml_dsa_hash_functions_portable_Shake256Xof, -libcrux_ml_dsa_hash_functions_portable_Shake256X4, -libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics -- PH_DIGEST_LEN= 256 -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 +A monomorphic instance of +libcrux_ml_dsa.simd.portable.encoding.error.deserialize with const generics - ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 */ -static KRML_MUSTINLINE Result_2e -libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d(uint8_t *signing_key, - Eurydice_slice message, - Eurydice_slice context, - uint8_t randomness[32U]) { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"expression_of_operand Constant: " - "TraitClause@13OID\")\n"); - KRML_HOST_EXIT(255U); +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_encoding_error_deserialize_ac( + Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_portable_encoding_error_deserialize_when_eta_is_4( + serialized); } /** - Sign (pre-hashed). +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} */ /** -A monomorphic instance of -libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign_pre_hashed_shake128 +A monomorphic instance of libcrux_ml_dsa.simd.portable.error_deserialize_36 with const generics -- ROWS_IN_A= 6 -- COLUMNS_IN_A= 5 - ETA= 4 -- ERROR_RING_ELEMENT_SIZE= 128 -- GAMMA1_EXPONENT= 19 -- GAMMA2= 261888 -- COMMITMENT_RING_ELEMENT_SIZE= 128 -- COMMITMENT_VECTOR_SIZE= 768 -- COMMITMENT_HASH_SIZE= 48 -- ONES_IN_VERIFIER_CHALLENGE= 49 -- MAX_ONES_IN_HINT= 55 -- GAMMA1_RING_ELEMENT_SIZE= 640 -- SIGNING_KEY_SIZE= 4032 -- SIGNATURE_SIZE= 3309 */ -static inline Result_2e -libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( - uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, - uint8_t randomness[32U]) { - uint8_t *uu____0 = signing_key; - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d( - uu____0, uu____1, uu____2, copy_of_randomness); +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_error_deserialize_36_ac( + Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_portable_encoding_error_deserialize_ac(serialized); } /** - Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing - - The parameter `context` is used for domain separation - and is a byte string of length at most 255 bytes. It +A monomorphic instance of libcrux_ml_dsa.encoding.error.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ETA= 4 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_error_deserialize_73( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { + size_t chunk_size; + chunk_size = (size_t)4U; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, result->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_error_deserialize_36_ac( + Eurydice_slice_subslice2(serialized, i0 * chunk_size, + (i0 + (size_t)1U) * chunk_size, uint8_t)); + result->simd_units[i0] = uu____0; + } +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics +- DIMENSION= 5 +- ETA= 4 +- RING_ELEMENT_SIZE= 128 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_76( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) { + size_t i0 = i; + Eurydice_slice bytes = + Eurydice_slice_subslice2(serialized, i0 * (size_t)128U, + i0 * (size_t)128U + (size_t)128U, uint8_t); + libcrux_ml_dsa_encoding_error_deserialize_73(bytes, &ring_elements[i0]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]); + ring_elements[i0] = uu____0; + } + memcpy( + ret, ring_elements, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.error.deserialize_to_vector_then_ntt with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics +- DIMENSION= 6 +- ETA= 4 +- RING_ELEMENT_SIZE= 128 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5d( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)128U; i++) { + size_t i0 = i; + Eurydice_slice bytes = + Eurydice_slice_subslice2(serialized, i0 * (size_t)128U, + i0 * (size_t)128U + (size_t)128U, uint8_t); + libcrux_ml_dsa_encoding_error_deserialize_73(bytes, &ring_elements[i0]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]); + ring_elements[i0] = uu____0; + } + memcpy( + ret, ring_elements, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t0.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_t0_deserialize_ba( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, result->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_t0_deserialize_36(Eurydice_slice_subslice2( + serialized, + i0 * LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_ENCODING_T0_OUTPUT_BYTES_PER_SIMD_UNIT, + uint8_t)); + result->simd_units[i0] = uu____0; + } +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.t0.deserialize_to_vector_then_ntt with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics +- DIMENSION= 6 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_07( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ring_elements[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + ring_elements[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(serialized, uint8_t) / + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE; + i++) { + size_t i0 = i; + Eurydice_slice bytes = Eurydice_slice_subslice2( + serialized, i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE + + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T0S_SIZE, + uint8_t); + libcrux_ml_dsa_encoding_t0_deserialize_ba(bytes, &ring_elements[i0]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_ntt_ntt_ba(ring_elements[i0]); + ring_elements[i0] = uu____0; + } + memcpy( + ret, ring_elements, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.encoding.signing_key.deserialize_then_ntt with types +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- SIGNING_KEY_SIZE= 4032 +*/ +static KRML_MUSTINLINE tuple_f0 +libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_c6( + uint8_t *serialized) { + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)4032U, serialized, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_A = uu____0.fst; + Eurydice_slice remaining_serialized0 = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + remaining_serialized0, LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_SIGNING_SIZE, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_signing = uu____1.fst; + Eurydice_slice remaining_serialized1 = uu____1.snd; + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( + remaining_serialized1, + LIBCRUX_ML_DSA_CONSTANTS_BYTES_FOR_VERIFICATION_KEY_HASH, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice verification_key_hash = uu____2.fst; + Eurydice_slice remaining_serialized2 = uu____2.snd; + Eurydice_slice_uint8_t_x2 uu____3 = + Eurydice_slice_split_at(remaining_serialized2, (size_t)128U * (size_t)5U, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice s1_serialized = uu____3.fst; + Eurydice_slice remaining_serialized = uu____3.snd; + Eurydice_slice_uint8_t_x2 uu____4 = + Eurydice_slice_split_at(remaining_serialized, (size_t)128U * (size_t)6U, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice s2_serialized = uu____4.fst; + Eurydice_slice t0_serialized = uu____4.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_as_ntt[5U]; + libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_76(s1_serialized, + s1_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2_as_ntt[6U]; + libcrux_ml_dsa_encoding_error_deserialize_to_vector_then_ntt_5d(s2_serialized, + s2_as_ntt); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0_as_ntt[6U]; + libcrux_ml_dsa_encoding_t0_deserialize_to_vector_then_ntt_07(t0_serialized, + t0_as_ntt); + uint8_t uu____5[32U]; + Result_fb dst0; + Eurydice_slice_to_array2(&dst0, seed_for_A, Eurydice_slice, uint8_t[32U]); + unwrap_26_b3(dst0, uu____5); + uint8_t uu____6[32U]; + Result_fb dst1; + Eurydice_slice_to_array2(&dst1, seed_for_signing, Eurydice_slice, + uint8_t[32U]); + unwrap_26_b3(dst1, uu____6); + uint8_t uu____7[64U]; + Result_f2 dst; + Eurydice_slice_to_array2(&dst, verification_key_hash, Eurydice_slice, + uint8_t[64U]); + unwrap_26_4b(dst, uu____7); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s1_as_ntt[5U]; + memcpy( + copy_of_s1_as_ntt, s1_as_ntt, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_s2_as_ntt[6U]; + memcpy( + copy_of_s2_as_ntt, s2_as_ntt, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t0_as_ntt[6U]; + memcpy( + copy_of_t0_as_ntt, t0_as_ntt, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + tuple_f0 lit; + memcpy(lit.fst, uu____5, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.thd, uu____7, (size_t)64U * sizeof(uint8_t)); + memcpy( + lit.f3, copy_of_s1_as_ntt, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy( + lit.f4, copy_of_s2_as_ntt, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy( + lit.f5, copy_of_t0_as_ntt, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + return lit; +} + +/** + This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm + 8, resp.). + + If `domain_separation_context` is supplied, applies domain + separation and length encoding to the context string, + before appending the message (in the regular variant) or the + pre-hash OID as well as the pre-hashed message digest. Otherwise, + it is assumed that `message` already contains domain separation + information. + + In FIPS 204 M' is the concatenation of the domain separated context, any + potential pre-hash OID and the message (or the message pre-hash). We do not + explicitely construct the concatenation in memory since it is of statically + unknown length, but feed its components directly into the incremental XOF. + + Refer to line 10 of Algorithm 2 (and line 5 of Algorithm 3, resp.) in [FIPS + 204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#section.5) + for details on the domain separation for regular ML-DSA. Line + 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation + for the HashMl-DSA variant. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.derive_message_representative with types +libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics + +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( + uint8_t verification_key_hash[64U], Option_84 domain_separation_context, + Eurydice_slice message, uint8_t *message_representative) { + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, + Eurydice_array_to_slice((size_t)64U, verification_key_hash, uint8_t)); + if (domain_separation_context.tag == Some) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context0 = + domain_separation_context.f0; + libcrux_sha3_portable_incremental_Shake256Xof *uu____0 = &shake; + uint8_t buf0[1U] = { + (uint8_t)core_option__core__option__Option_T__TraitClause_0___is_some( + libcrux_ml_dsa_pre_hash_pre_hash_oid_45( + &domain_separation_context0), + uint8_t[11U], bool)}; + libcrux_ml_dsa_hash_functions_portable_absorb_83( + uu____0, Eurydice_array_to_slice((size_t)1U, buf0, uint8_t)); + libcrux_sha3_portable_incremental_Shake256Xof *uu____1 = &shake; + uint8_t buf[1U] = {(uint8_t)Eurydice_slice_len( + libcrux_ml_dsa_pre_hash_context_45(&domain_separation_context0), + uint8_t)}; + libcrux_ml_dsa_hash_functions_portable_absorb_83( + uu____1, Eurydice_array_to_slice((size_t)1U, buf, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, + libcrux_ml_dsa_pre_hash_context_45(&domain_separation_context0)); + Option_30 *uu____2 = + libcrux_ml_dsa_pre_hash_pre_hash_oid_45(&domain_separation_context0); + if (uu____2->tag == Some) { + uint8_t *pre_hash_oid = uu____2->f0; + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)11U, pre_hash_oid, uint8_t)); + } + } + libcrux_ml_dsa_hash_functions_portable_absorb_final_83(&shake, message); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, + Eurydice_array_to_slice((size_t)64U, message_representative, uint8_t)); +} + +/** +A monomorphic instance of core.option.Option +with types libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[5size_t] + +*/ +typedef struct Option_f3_s { + Option_d8_tags tag; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b f0[5U]; +} Option_f3; + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 +with const generics +- OUTPUT_LENGTH= 576 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_1b( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)576U, out, uint8_t), input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_x4_50 +with const generics +- OUT_LEN= 576 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_1b( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, + uint8_t *out3) { + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input0, out0); + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input1, out1); + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input2, out2); + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input3, out3); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.portable.encoding.gamma1.deserialize with const generics +- GAMMA1_EXPONENT= 19 +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_36( + Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_when_gamma1_is_2_pow_19( + serialized); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.gamma1_deserialize_36 +with const generics +- GAMMA1_EXPONENT= 19 +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_gamma1_deserialize_36_36( + Eurydice_slice serialized) { + return libcrux_ml_dsa_simd_portable_encoding_gamma1_deserialize_36( + serialized); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- GAMMA1_EXPONENT= 19 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_deserialize_61( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, result->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_gamma1_deserialize_36_36( + Eurydice_slice_subslice2( + serialized, i0 * ((size_t)19U + (size_t)1U), + (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), uint8_t)); + result->simd_units[i0] = uu____0; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256 +with const generics +- OUTPUT_LENGTH= 640 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake256_c8( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)640U, out, uint8_t), input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::XofX4 +for libcrux_ml_dsa::hash_functions::portable::Shake256X4)#3} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_x4_50 +with const generics +- OUT_LEN= 640 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_c8( + Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, + Eurydice_slice input3, uint8_t *out0, uint8_t *out1, uint8_t *out2, + uint8_t *out3) { + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input0, out0); + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input1, out1); + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input2, out2); + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input3, out3); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c +with const generics +- OUTPUT_LENGTH= 576 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_5c_1b(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_portable_shake256_1b(input, out); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake256::DsaXof +for libcrux_ml_dsa::hash_functions::portable::Shake256)#2} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake256_5c +with const generics +- OUTPUT_LENGTH= 640 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake256_5c_c8(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_portable_shake256_c8(input, out); +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_ring_element +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics +- GAMMA1_EXPONENT= 19 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_ring_element_20( + uint8_t seed[66U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { + uint8_t out[640U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_5c_c8( + Eurydice_array_to_slice((size_t)66U, seed, uint8_t), out); + libcrux_ml_dsa_encoding_gamma1_deserialize_61( + Eurydice_array_to_slice((size_t)640U, out, uint8_t), result); +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_mask_vector +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- DIMENSION= 5 +- GAMMA1_EXPONENT= 19 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_sample_sample_mask_vector_0e( + uint8_t seed[66U], uint16_t *domain_separator, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + mask[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed0[66U]; + memcpy(copy_of_seed0, seed, (size_t)66U * sizeof(uint8_t)); + uint8_t seed0[66U]; + libcrux_ml_dsa_sample_update_seed(copy_of_seed0, domain_separator, seed0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed1[66U]; + memcpy(copy_of_seed1, seed, (size_t)66U * sizeof(uint8_t)); + uint8_t seed1[66U]; + libcrux_ml_dsa_sample_update_seed(copy_of_seed1, domain_separator, seed1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed2[66U]; + memcpy(copy_of_seed2, seed, (size_t)66U * sizeof(uint8_t)); + uint8_t seed2[66U]; + libcrux_ml_dsa_sample_update_seed(copy_of_seed2, domain_separator, seed2); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed3[66U]; + memcpy(copy_of_seed3, seed, (size_t)66U * sizeof(uint8_t)); + uint8_t seed3[66U]; + libcrux_ml_dsa_sample_update_seed(copy_of_seed3, domain_separator, seed3); + uint8_t out0[640U] = {0U}; + uint8_t out1[640U] = {0U}; + uint8_t out2[640U] = {0U}; + uint8_t out3[640U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_x4_50_c8( + Eurydice_array_to_slice((size_t)66U, seed0, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed1, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed2, uint8_t), + Eurydice_array_to_slice((size_t)66U, seed3, uint8_t), out0, out1, out2, + out3); + libcrux_ml_dsa_encoding_gamma1_deserialize_61( + Eurydice_array_to_slice((size_t)640U, out0, uint8_t), mask); + libcrux_ml_dsa_encoding_gamma1_deserialize_61( + Eurydice_array_to_slice((size_t)640U, out1, uint8_t), &mask[1U]); + libcrux_ml_dsa_encoding_gamma1_deserialize_61( + Eurydice_array_to_slice((size_t)640U, out2, uint8_t), &mask[2U]); + libcrux_ml_dsa_encoding_gamma1_deserialize_61( + Eurydice_array_to_slice((size_t)640U, out3, uint8_t), &mask[3U]); + for (size_t i = (size_t)4U; i < (size_t)5U; i++) { + size_t i0 = i; + seed[64U] = (uint8_t)domain_separator[0U]; + seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[66U]; + memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); + libcrux_ml_dsa_sample_sample_mask_ring_element_20(copy_of_seed, &mask[i0]); + } + memcpy( + ret, mask, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask.closure +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static inline libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_matrix_compute_A_times_mask_closure_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s) { + return libcrux_ml_dsa_ntt_ntt_ba(s); +} + +/** + Compute InvertNTT(Â ◦ ŷ) +*/ +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_A_times_mask +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_A_times_mask_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *mask, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_mask[5U]; + memcpy( + copy_of_mask, mask, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask_ntt[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + mask_ntt[i] = + libcrux_ml_dsa_matrix_compute_A_times_mask_closure_2f(copy_of_mask[i]); + } + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, A_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]); + i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1]; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, row, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &row[j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product = + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element, + &mask_ntt[j]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = + libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product); + result[i1] = uu____1; + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = + libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba(result[i1]); + result[i1] = uu____2; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.portable.arithmetic.decompose_element with const generics +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE int32_t_x2 +libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80(int32_t r) { + int32_t r2 = r + (r >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + int32_t ALPHA = (int32_t)261888 * (int32_t)2; + int32_t ceil_of_r_by_128 = (r2 + (int32_t)127) >> 7U; + int32_t r1; + switch (ALPHA) { + case 190464: { + int32_t result = + (ceil_of_r_by_128 * (int32_t)11275 + ((int32_t)1 << 23U)) >> 24U; + r1 = (result ^ ((int32_t)43 - result) >> 31U) & result; + break; + } + case 523776: { + int32_t result = + (ceil_of_r_by_128 * (int32_t)1025 + ((int32_t)1 << 21U)) >> 22U; + r1 = result & (int32_t)15; + break; + } + default: { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, + "panic!"); + KRML_HOST_EXIT(255U); + } + } + int32_t r0 = r2 - r1 * ALPHA; + r0 = r0 - + (((LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS - (int32_t)1) / (int32_t)2 - + r0) >> + 31U & + LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); + return (CLITERAL(int32_t_x2){.fst = r0, .snd = r1}); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.decompose +with const generics +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 + libcrux_ml_dsa_simd_portable_arithmetic_decompose_80( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, low.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + int32_t_x2 uu____0 = + libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80( + simd_unit.coefficients[i0]); + int32_t low_part = uu____0.fst; + int32_t high_part = uu____0.snd; + low.coefficients[i0] = low_part; + high.coefficients[i0] = high_part; + } + return ( + CLITERAL(libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2){ + .fst = low, .snd = high}); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.decompose_36 +with const generics +- GAMMA2= 261888 +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 +libcrux_ml_dsa_simd_portable_decompose_36_80( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { + return libcrux_ml_dsa_simd_portable_arithmetic_decompose_80(simd_unit); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.decompose_vector +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 + libcrux_ml_dsa_arithmetic_decompose_vector_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector_low[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + vector_low[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector_high[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + vector_high[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, vector_low->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_x2 uu____0 = + libcrux_ml_dsa_simd_portable_decompose_36_80(t[i1].simd_units[j]); + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low = + uu____0.fst; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high = + uu____0.snd; + vector_low[i1].simd_units[j] = low; + vector_high[i1].simd_units[j] = high; + } + } + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_vector_low[6U]; + memcpy( + copy_of_vector_low, vector_low, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_vector_high[6U]; + memcpy( + copy_of_vector_high, vector_high, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 + lit; + memcpy( + lit.fst, copy_of_vector_low, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy( + lit.snd, copy_of_vector_high, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_commitment_serialize_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, + Eurydice_slice serialized) { + size_t output_bytes_per_simd_unit = + Eurydice_slice_len(serialized, uint8_t) / ((size_t)8U * (size_t)4U); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = + &re.simd_units[i0]; + libcrux_ml_dsa_simd_portable_commitment_serialize_36( + simd_unit[0U], + Eurydice_slice_subslice2(serialized, i0 * output_bytes_per_simd_unit, + (i0 + (size_t)1U) * output_bytes_per_simd_unit, + uint8_t)); + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.commitment.serialize_vector +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +- RING_ELEMENT_SIZE= 128 +- OUTPUT_SIZE= 768 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_encoding_commitment_serialize_vector_5d( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[6U], + uint8_t ret[768U]) { + uint8_t serialized[768U] = {0U}; + size_t offset = (size_t)0U; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t _cloop_j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &vector[_cloop_j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + ring_element[0U]; + libcrux_ml_dsa_encoding_commitment_serialize_ba( + uu____0, Eurydice_array_to_subslice2(serialized, offset, + offset + (size_t)128U, uint8_t)); + offset = offset + (size_t)128U; + } + memcpy(ret, serialized, (size_t)768U * sizeof(uint8_t)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.sample.sample_challenge_ring_element +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake256 with const generics +- NUMBER_OF_ONES= 49 +- SEED_SIZE= 48 +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uint8_t seed[48U]) { + libcrux_sha3_portable_KeccakState state = + libcrux_ml_dsa_hash_functions_portable_init_absorb_final_5c( + Eurydice_array_to_slice((size_t)48U, seed, uint8_t)); + uint8_t randomness0[136U]; + libcrux_ml_dsa_hash_functions_portable_squeeze_first_block_5c(&state, + randomness0); + uint8_t ret[8U]; + Result_15 dst; + Eurydice_slice_to_array2( + &dst, + Eurydice_array_to_subslice2(randomness0, (size_t)0U, (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); + unwrap_26_68(dst, ret); + uint64_t signs = core_num__u64_9__from_le_bytes(ret); + int32_t result[256U] = {0U}; + size_t out_index = + Eurydice_slice_len(Eurydice_array_to_slice((size_t)256U, result, int32_t), + int32_t) - + (size_t)49U; + Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( + (size_t)136U, randomness0, (size_t)8U, uint8_t, size_t); + bool done = libcrux_ml_dsa_sample_inside_out_shuffle(uu____0, &out_index, + &signs, result); + while (true) { + if (done) { + break; + } else { + uint8_t randomness[136U]; + libcrux_ml_dsa_hash_functions_portable_squeeze_next_block_5c(&state, + randomness); + done = libcrux_ml_dsa_sample_inside_out_shuffle( + Eurydice_array_to_slice((size_t)136U, randomness, uint8_t), + &out_index, &signs, result); + } + } + return libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)256U, result, int32_t)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_4f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector_ring_element = + &vector[i0]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba( + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(vector_ring_element, + ring_element)); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.vector_times_ring_element +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_vector_times_ring_element_07( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *vector_ring_element = + &vector[i0]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba( + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(vector_ring_element, + ring_element)); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_4f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[5U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_polynomial_add_ff_ba(&lhs[i0], &rhs[i0]); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.subtract_ff +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_polynomial_subtract_ff_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b difference = + libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, difference.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_subtract_36(&self->simd_units[i0], + &rhs->simd_units[i0]); + difference.simd_units[i0] = uu____0; + } + return difference; +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.subtract_vectors +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_subtract_vectors_07( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_polynomial_subtract_ff_ba(&lhs[i0], &rhs[i0]); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.infinity_norm_exceeds_ff +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static inline bool libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, int32_t bound) { + bool exceeds = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, self->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + bool uu____0; + if (exceeds) { + uu____0 = true; + } else { + uu____0 = libcrux_ml_dsa_simd_portable_infinity_norm_exceeds_36( + self->simd_units[i0], bound); + } + exceeds = uu____0; + } + return exceeds; +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 5 +*/ +static KRML_MUSTINLINE bool +libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[5U], + int32_t bound) { + bool exceeds = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t _cloop_j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &vector[_cloop_j]; + bool uu____0; + if (exceeds) { + uu____0 = true; + } else { + uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba( + ring_element, bound); + } + exceeds = uu____0; + } + return exceeds; +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.vector_infinity_norm_exceeds +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +*/ +static KRML_MUSTINLINE bool +libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b vector[6U], + int32_t bound) { + bool exceeds = false; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, vector, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t _cloop_j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &vector[_cloop_j]; + bool uu____0; + if (exceeds) { + uu____0 = true; + } else { + uu____0 = libcrux_ml_dsa_polynomial_infinity_norm_exceeds_ff_ba( + ring_element, bound); + } + exceeds = uu____0; + } + return exceeds; +} + +/** +A monomorphic instance of libcrux_ml_dsa.matrix.add_vectors +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_add_vectors_07( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *lhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *rhs, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_polynomial_add_ff_ba(&lhs[i0], &rhs[i0]); + result[i0] = uu____0; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of K. +with types size_t, libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit + +*/ +typedef struct tuple_ca_s { + size_t fst; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit snd; +} tuple_ca; + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.portable.arithmetic.compute_one_hint with const generics +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint_80(int32_t low, + int32_t high) { + int32_t uu____0; + if (!(low > (int32_t)261888)) { + if (!(low < -(int32_t)261888)) { + if (low == -(int32_t)261888) { + if (!(high != (int32_t)0)) { + uu____0 = (int32_t)0; + return uu____0; + } + } else { + uu____0 = (int32_t)0; + return uu____0; + } + } + } + uu____0 = (int32_t)1; + return uu____0; +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.compute_hint +with const generics +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE tuple_ca +libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + size_t one_hints_count = (size_t)0U; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)8U, hint.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + hint.coefficients[i0] = + libcrux_ml_dsa_simd_portable_arithmetic_compute_one_hint_80( + low.coefficients[i0], high.coefficients[i0]); + one_hints_count = one_hints_count + (size_t)hint.coefficients[i0]; + } + return (CLITERAL(tuple_ca){.fst = one_hints_count, .snd = hint}); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.compute_hint_36 +with const generics +- GAMMA2= 261888 +*/ +static inline tuple_ca libcrux_ml_dsa_simd_portable_compute_hint_36_80( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit low, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit high) { + return libcrux_ml_dsa_simd_portable_arithmetic_compute_hint_80(low, high); +} + +/** +This function found in impl +{libcrux_ml_dsa::polynomial::PolynomialRingElement[TraitClause@0, +TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.polynomial.to_i32_array_ff +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static inline void libcrux_ml_dsa_polynomial_to_i32_array_ff_ba( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *self, + int32_t ret[256U]) { + int32_t result[256U] = {0U}; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, self->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = + &self->simd_units[i0]; + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + result, i0 * LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_SIMD_TRAITS_COEFFICIENTS_IN_SIMD_UNIT, + int32_t); + int32_t ret0[8U]; + libcrux_ml_dsa_simd_portable_to_coefficient_array_36(simd_unit, ret0); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret0, int32_t), int32_t); + } + memcpy(ret, result, (size_t)256U * sizeof(int32_t)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.make_hint +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE tuple_e6 libcrux_ml_dsa_arithmetic_make_hint_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b low[6U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b high[6U]) { + int32_t hint[6U][256U] = {{0U}}; + size_t true_hints = (size_t)0U; + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b hint_simd = + libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, hint_simd.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t j = i; + tuple_ca uu____0 = libcrux_ml_dsa_simd_portable_compute_hint_36_80( + low[i1].simd_units[j], high[i1].simd_units[j]); + size_t one_hints_count = uu____0.fst; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit current_hint = + uu____0.snd; + hint_simd.simd_units[j] = current_hint; + true_hints = true_hints + one_hints_count; + } + int32_t uu____1[256U]; + libcrux_ml_dsa_polynomial_to_i32_array_ff_ba(&hint_simd, uu____1); + memcpy(hint[i1], uu____1, (size_t)256U * sizeof(int32_t)); + } + /* Passing arrays by value in Rust generates a copy in C */ + int32_t copy_of_hint[6U][256U]; + memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); + tuple_e6 lit; + memcpy(lit.fst, copy_of_hint, (size_t)6U * sizeof(int32_t[256U])); + lit.snd = true_hints; + return lit; +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.signature.Signature +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- $48size_t +- $5size_t +- $6size_t +*/ +typedef struct libcrux_ml_dsa_encoding_signature_Signature_44_s { + uint8_t commitment_hash[48U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U]; + int32_t hint[6U][256U]; +} libcrux_ml_dsa_encoding_signature_Signature_44; + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.encoding.gamma1.serialize +with const generics +- GAMMA1_EXPONENT= 19 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_when_gamma1_is_2_pow_19( + simd_unit, serialized); +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.gamma1_serialize_36 +with const generics +- GAMMA1_EXPONENT= 19 +*/ +static inline void libcrux_ml_dsa_simd_portable_gamma1_serialize_36_36( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + Eurydice_slice serialized) { + libcrux_ml_dsa_simd_portable_encoding_gamma1_serialize_36(simd_unit, + serialized); +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.gamma1.serialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- GAMMA1_EXPONENT= 19 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_gamma1_serialize_61( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re, + Eurydice_slice serialized) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = + &re.simd_units[i0]; + libcrux_ml_dsa_simd_portable_gamma1_serialize_36_36( + simd_unit[0U], + Eurydice_slice_subslice2(serialized, i0 * ((size_t)19U + (size_t)1U), + (i0 + (size_t)1U) * ((size_t)19U + (size_t)1U), + uint8_t)); + } +} + +/** +This function found in impl +{libcrux_ml_dsa::encoding::signature::Signature[TraitClause@0, TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.encoding.signature.serialize_92 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- COMMITMENT_HASH_SIZE= 48 +- COLUMNS_IN_A= 5 +- ROWS_IN_A= 6 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- MAX_ONES_IN_HINT= 55 +- SIGNATURE_SIZE= 3309 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_encoding_signature_serialize_92_76( + libcrux_ml_dsa_encoding_signature_Signature_44 *self, uint8_t ret[3309U]) { + uint8_t signature[3309U] = {0U}; + size_t offset = (size_t)0U; + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + signature, offset, offset + (size_t)48U, uint8_t); + Eurydice_slice_copy( + uu____0, + Eurydice_array_to_slice((size_t)48U, self->commitment_hash, uint8_t), + uint8_t); + offset = offset + (size_t)48U; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = + self->signer_response[i0]; + libcrux_ml_dsa_encoding_gamma1_serialize_61( + uu____1, Eurydice_array_to_subslice2(signature, offset, + offset + (size_t)640U, uint8_t)); + offset = offset + (size_t)640U; + } + size_t true_hints_seen = (size_t)0U; + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)256U, self->hint[i1], int32_t), + int32_t); + i++) { + size_t j = i; + if (self->hint[i1][j] == (int32_t)1) { + signature[offset + true_hints_seen] = (uint8_t)j; + true_hints_seen++; + } + } + signature[offset + (size_t)55U + i1] = (uint8_t)true_hints_seen; + } + memcpy(ret, signature, (size_t)3309U * sizeof(uint8_t)); +} + +/** + The internal signing API. + + If no `domain_separation_context` is supplied, it is assumed that + `message` already contains the domain separation. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_internal +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( + uint8_t *signing_key, Eurydice_slice message, + Option_84 domain_separation_context, uint8_t randomness[32U]) { + tuple_f0 uu____0 = + libcrux_ml_dsa_encoding_signing_key_deserialize_then_ntt_c6(signing_key); + uint8_t seed_for_A[32U]; + memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t)); + uint8_t seed_for_signing[32U]; + memcpy(seed_for_signing, uu____0.snd, (size_t)32U * sizeof(uint8_t)); + uint8_t verification_key_hash[64U]; + memcpy(verification_key_hash, uu____0.thd, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s1_as_ntt[5U]; + memcpy( + s1_as_ntt, uu____0.f3, + (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b s2_as_ntt[6U]; + memcpy( + s2_as_ntt, uu____0.f4, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t0_as_ntt[6U]; + memcpy( + t0_as_ntt, uu____0.f5, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_as_ntt[6U][5U]; + uint8_t ret[34U]; + libcrux_ml_dsa_utils_into_padded_array_b6( + Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); + libcrux_ml_dsa_samplex4_matrix_A_2f(ret, A_as_ntt); + uint8_t message_representative[64U] = {0U}; + uint8_t uu____1[64U]; + memcpy(uu____1, verification_key_hash, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( + uu____1, domain_separation_context, message, message_representative); + uint8_t mask_seed[64U] = {0U}; + libcrux_sha3_portable_incremental_Shake256Xof shake0 = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake0, Eurydice_array_to_slice((size_t)32U, seed_for_signing, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake0, Eurydice_array_to_slice((size_t)32U, randomness, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake0, + Eurydice_array_to_slice((size_t)64U, message_representative, uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake0, Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t)); + uint16_t domain_separator_for_mask = 0U; + int32_t BETA = (int32_t)((size_t)49U * (size_t)4U); + size_t attempt = (size_t)0U; + Option_67 commitment_hash0 = {.tag = None}; + Option_f3 signer_response0 = {.tag = None}; + Option_f0 hint0 = {.tag = None}; + while (true) { + if (attempt < LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN) { + attempt++; + uint8_t uu____2[66U]; + libcrux_ml_dsa_utils_into_padded_array_20( + Eurydice_array_to_slice((size_t)64U, mask_seed, uint8_t), uu____2); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b mask[5U]; + libcrux_ml_dsa_sample_sample_mask_vector_0e( + uu____2, &domain_separator_for_mask, mask); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_times_mask[6U]; + libcrux_ml_dsa_matrix_compute_A_times_mask_2f(A_as_ntt, mask, + A_times_mask); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_A_times_mask[6U]; + memcpy(copy_of_A_times_mask, A_times_mask, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_6size_t__x2 + uu____4 = libcrux_ml_dsa_arithmetic_decompose_vector_2f( + copy_of_A_times_mask); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b w0[6U]; + memcpy(w0, uu____4.fst, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b commitment[6U]; + memcpy(commitment, uu____4.snd, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + uint8_t commitment_hash_candidate[48U] = {0U}; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_commitment0[6U]; + memcpy(copy_of_commitment0, commitment, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + uint8_t commitment_serialized[768U]; + libcrux_ml_dsa_encoding_commitment_serialize_vector_5d( + copy_of_commitment0, commitment_serialized); + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)64U, message_representative, + uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized, + uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, Eurydice_array_to_slice((size_t)48U, + commitment_hash_candidate, uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_commitment_hash_candidate[48U]; + memcpy(copy_of_commitment_hash_candidate, commitment_hash_candidate, + (size_t)48U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ba( + libcrux_ml_dsa_sample_sample_challenge_ring_element_83( + copy_of_commitment_hash_candidate)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b challenge_times_s1[5U]; + libcrux_ml_dsa_matrix_vector_times_ring_element_4f( + s1_as_ntt, &verifier_challenge_as_ntt, challenge_times_s1); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b challenge_times_s2[6U]; + libcrux_ml_dsa_matrix_vector_times_ring_element_07( + s2_as_ntt, &verifier_challenge_as_ntt, challenge_times_s2); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + signer_response_candidate[5U]; + libcrux_ml_dsa_matrix_add_vectors_4f(mask, challenge_times_s1, + signer_response_candidate); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + w0_minus_challenge_times_s2[6U]; + libcrux_ml_dsa_matrix_subtract_vectors_07(w0, challenge_times_s2, + w0_minus_challenge_times_s2); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_signer_response_candidate[5U]; + memcpy(copy_of_signer_response_candidate, signer_response_candidate, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f( + copy_of_signer_response_candidate, + ((int32_t)1 << (uint32_t)(size_t)19U) - BETA)) { + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_w0_minus_challenge_times_s2[6U]; + memcpy(copy_of_w0_minus_challenge_times_s2, w0_minus_challenge_times_s2, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07( + copy_of_w0_minus_challenge_times_s2, (int32_t)261888 - BETA)) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + challenge_times_t0[6U]; + libcrux_ml_dsa_matrix_vector_times_ring_element_07( + t0_as_ntt, &verifier_challenge_as_ntt, challenge_times_t0); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_challenge_times_t0[6U]; + memcpy( + copy_of_challenge_times_t0, challenge_times_t0, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + if (!libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_07( + copy_of_challenge_times_t0, (int32_t)261888)) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + w0_minus_c_times_s2_plus_c_times_t0[6U]; + libcrux_ml_dsa_matrix_add_vectors_07( + w0_minus_challenge_times_s2, challenge_times_t0, + w0_minus_c_times_s2_plus_c_times_t0); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_w0_minus_c_times_s2_plus_c_times_t0[6U]; + memcpy( + copy_of_w0_minus_c_times_s2_plus_c_times_t0, + w0_minus_c_times_s2_plus_c_times_t0, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_commitment[6U]; + memcpy( + copy_of_commitment, commitment, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + tuple_e6 uu____12 = libcrux_ml_dsa_arithmetic_make_hint_2f( + copy_of_w0_minus_c_times_s2_plus_c_times_t0, + copy_of_commitment); + int32_t hint_candidate[6U][256U]; + memcpy(hint_candidate, uu____12.fst, + (size_t)6U * sizeof(int32_t[256U])); + size_t ones_in_hint = uu____12.snd; + if (!(ones_in_hint > (size_t)55U)) { + attempt = LIBCRUX_ML_DSA_CONSTANTS_REJECTION_SAMPLE_BOUND_SIGN; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_commitment_hash_candidate0[48U]; + memcpy(copy_of_commitment_hash_candidate0, + commitment_hash_candidate, (size_t)48U * sizeof(uint8_t)); + Option_67 lit0; + lit0.tag = Some; + memcpy(lit0.f0, copy_of_commitment_hash_candidate0, + (size_t)48U * sizeof(uint8_t)); + commitment_hash0 = lit0; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_signer_response_candidate0[5U]; + memcpy( + copy_of_signer_response_candidate0, signer_response_candidate, + (size_t)5U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + Option_f3 lit1; + lit1.tag = Some; + memcpy( + lit1.f0, copy_of_signer_response_candidate0, + (size_t)5U * + sizeof( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + signer_response0 = lit1; + /* Passing arrays by value in Rust generates a copy in C */ + int32_t copy_of_hint_candidate[6U][256U]; + memcpy(copy_of_hint_candidate, hint_candidate, + (size_t)6U * sizeof(int32_t[256U])); + Option_f0 lit; + lit.tag = Some; + memcpy(lit.f0, copy_of_hint_candidate, + (size_t)6U * sizeof(int32_t[256U])); + hint0 = lit; + } + } + } + } + } else { + break; + } + } + Result_2e uu____16; + if (commitment_hash0.tag == None) { + uu____16 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}}); + } else { + uint8_t commitment_hash1[48U]; + memcpy(commitment_hash1, commitment_hash0.f0, + (size_t)48U * sizeof(uint8_t)); + uint8_t commitment_hash[48U]; + memcpy(commitment_hash, commitment_hash1, (size_t)48U * sizeof(uint8_t)); + if (signer_response0.tag == None) { + uu____16 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}}); + } else { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response1[5U]; + memcpy(signer_response1, signer_response0.f0, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U]; + memcpy(signer_response, signer_response1, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + if (hint0.tag == None) { + uu____16 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_RejectionSamplingError}}); + } else { + int32_t hint1[6U][256U]; + memcpy(hint1, hint0.f0, (size_t)6U * sizeof(int32_t[256U])); + int32_t hint[6U][256U]; + memcpy(hint, hint1, (size_t)6U * sizeof(int32_t[256U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_commitment_hash[48U]; + memcpy(copy_of_commitment_hash, commitment_hash, + (size_t)48U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_signer_response[5U]; + memcpy(copy_of_signer_response, signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + int32_t copy_of_hint[6U][256U]; + memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); + uint8_t signature[3309U]; + libcrux_ml_dsa_encoding_signature_Signature_44 lit0; + memcpy(lit0.commitment_hash, copy_of_commitment_hash, + (size_t)48U * sizeof(uint8_t)); + memcpy(lit0.signer_response, copy_of_signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy(lit0.hint, copy_of_hint, (size_t)6U * sizeof(int32_t[256U])); + libcrux_ml_dsa_encoding_signature_serialize_92_76(&lit0, signature); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_signature[3309U]; + memcpy(copy_of_signature, signature, (size_t)3309U * sizeof(uint8_t)); + Result_2e lit; + lit.tag = Ok; + lit.val.case_Ok = libcrux_ml_dsa_types_new_8f_fa(copy_of_signature); + uu____16 = lit; + return uu____16; + } + } + } + return uu____16; +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4 with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static KRML_MUSTINLINE Result_2e libcrux_ml_dsa_ml_dsa_generic_sign_05( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( + context, (CLITERAL(Option_30){.tag = None})); + Result_2e uu____1; + if (uu____0.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + dsc; + uint8_t *uu____2 = signing_key; + Eurydice_slice uu____3 = message; + Option_84 uu____4 = {.tag = Some, .f0 = domain_separation_context}; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + uu____1 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( + uu____2, uu____3, uu____4, copy_of_randomness); + } else { + uu____1 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); + } + return uu____1; +} + +/** + Sign. +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_sign_05(uu____0, uu____1, uu____2, + copy_of_randomness); +} + +/** + Generate an ML-DSA-65 Signature + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It + may also be empty. +*/ +static inline Result_2e libcrux_ml_dsa_ml_dsa_65_portable_sign( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake128 +with const generics +- OUTPUT_LENGTH= 256 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_hash_functions_portable_shake128_6b( + Eurydice_slice input, uint8_t *out) { + libcrux_sha3_portable_shake128( + Eurydice_array_to_slice((size_t)256U, out, uint8_t), input); +} + +/** +This function found in impl {(libcrux_ml_dsa::hash_functions::shake128::Xof for +libcrux_ml_dsa::hash_functions::portable::Shake128)#1} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.hash_functions.portable.shake128_a0 +with const generics +- OUTPUT_LENGTH= 256 +*/ +static KRML_MUSTINLINE void +libcrux_ml_dsa_hash_functions_portable_shake128_a0_6b(Eurydice_slice input, + uint8_t *out) { + libcrux_ml_dsa_hash_functions_portable_shake128_6b(input, out); +} + +/** +This function found in impl {(libcrux_ml_dsa::pre_hash::PreHash<256: usize> for +libcrux_ml_dsa::pre_hash::SHAKE128_PH)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.pre_hash.hash_bd +with types libcrux_ml_dsa_hash_functions_portable_Shake128 +with const generics + +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_pre_hash_hash_bd_54( + Eurydice_slice message, uint8_t ret[256U]) { + uint8_t output[256U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake128_a0_6b(message, output); + memcpy(ret, output, (size_t)256U * sizeof(uint8_t)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.sign_pre_hashed +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof, +libcrux_ml_dsa_hash_functions_portable_Shake256X4, +libcrux_ml_dsa_pre_hash_SHAKE128_PH with const generics +- PH_DIGEST_LEN= 256 +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static KRML_MUSTINLINE Result_2e +libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d(uint8_t *signing_key, + Eurydice_slice message, + Eurydice_slice context, + uint8_t randomness[32U]) { + Result_2e uu____0; + if (Eurydice_slice_len(context, uint8_t) > + LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) { + uu____0 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); + } else { + uint8_t pre_hashed_message[256U]; + libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message); + Eurydice_slice uu____1 = context; + Option_30 lit; + lit.tag = Some; + uint8_t ret[11U]; + libcrux_ml_dsa_pre_hash_oid_bd(ret); + memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); + Result_a8 uu____2 = libcrux_ml_dsa_pre_hash_new_45(uu____1, lit); + if (uu____2.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____2.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext + domain_separation_context = dsc; + uint8_t *uu____3 = signing_key; + Eurydice_slice uu____4 = + Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t); + Option_84 uu____5 = {.tag = Some, .f0 = domain_separation_context}; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + uu____0 = libcrux_ml_dsa_ml_dsa_generic_sign_internal_05( + uu____3, uu____4, uu____5, copy_of_randomness); + } else { + uu____0 = (CLITERAL(Result_2e){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_ContextTooLongError}}); + } + } + return uu____0; +} + +/** + Sign (pre-hashed). +*/ +/** +A monomorphic instance of +libcrux_ml_dsa.ml_dsa_generic.instantiations.portable.sign_pre_hashed_shake128 +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- ETA= 4 +- ERROR_RING_ELEMENT_SIZE= 128 +- GAMMA1_EXPONENT= 19 +- GAMMA2= 261888 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- SIGNING_KEY_SIZE= 4032 +- SIGNATURE_SIZE= 3309 +*/ +static inline Result_2e +libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( + uint8_t *signing_key, Eurydice_slice message, Eurydice_slice context, + uint8_t randomness[32U]) { + uint8_t *uu____0 = signing_key; + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_sign_pre_hashed_0d( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** + Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing + + The parameter `context` is used for domain separation + and is a byte string of length at most 255 bytes. It may also be empty. */ -static inline Result_2e -libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128( - libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, - Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { - uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); - Eurydice_slice uu____1 = message; - Eurydice_slice uu____2 = context; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_randomness[32U]; - memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( - uu____0, uu____1, uu____2, copy_of_randomness); +static inline Result_2e +libcrux_ml_dsa_ml_dsa_65_portable_sign_pre_hashed_shake128( + libcrux_ml_dsa_types_MLDSASigningKey_22 *signing_key, + Eurydice_slice message, Eurydice_slice context, uint8_t randomness[32U]) { + uint8_t *uu____0 = libcrux_ml_dsa_types_as_raw_9b_09(signing_key); + Eurydice_slice uu____1 = message; + Eurydice_slice uu____2 = context; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_dsa_ml_dsa_generic_instantiations_portable_sign_pre_hashed_shake128_f3( + uu____0, uu____1, uu____2, copy_of_randomness); +} + +/** +A monomorphic instance of K. +with types uint8_t[32size_t], libcrux_ml_dsa_polynomial_PolynomialRingElement +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[6size_t] + +*/ +typedef struct tuple_93_s { + uint8_t fst[32U]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b snd[6U]; +} tuple_93; + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.t1.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics + +*/ +static inline void libcrux_ml_dsa_encoding_t1_deserialize_ba( + Eurydice_slice serialized, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *result) { + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, result->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_t1_deserialize_36( + Eurydice_slice_subslice2(serialized, i0 * (size_t)10U, + (i0 + (size_t)1U) * (size_t)10U, uint8_t)); + result->simd_units[i0] = uu____0; + } +} + +/** +A monomorphic instance of libcrux_ml_dsa.encoding.verification_key.deserialize +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- VERIFICATION_KEY_SIZE= 1952 +*/ +static KRML_MUSTINLINE tuple_93 +libcrux_ml_dsa_encoding_verification_key_deserialize_2f(uint8_t *serialized) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + t1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)1952U, serialized, uint8_t), + LIBCRUX_ML_DSA_CONSTANTS_SEED_FOR_A_SIZE, uint8_t, + Eurydice_slice_uint8_t_x2); + Eurydice_slice seed_for_A = uu____0.fst; + Eurydice_slice serialized_remaining = uu____0.snd; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + size_t i0 = i; + libcrux_ml_dsa_encoding_t1_deserialize_ba( + Eurydice_slice_subslice2( + serialized_remaining, + i0 * LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, + (i0 + (size_t)1U) * + LIBCRUX_ML_DSA_CONSTANTS_RING_ELEMENT_OF_T1S_SIZE, + uint8_t), + &t1[i0]); + } + uint8_t uu____1[32U]; + Result_fb dst; + Eurydice_slice_to_array2(&dst, seed_for_A, Eurydice_slice, uint8_t[32U]); + unwrap_26_b3(dst, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; + memcpy( + copy_of_t1, t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + tuple_93 lit; + memcpy(lit.fst, uu____1, (size_t)32U * sizeof(uint8_t)); + memcpy( + lit.snd, copy_of_t1, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + return lit; +} + +/** +A monomorphic instance of core.result.Result +with types libcrux_ml_dsa_encoding_signature_Signature +libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit[[$6size_t]][[$5size_t]][[$48size_t]], +libcrux_ml_dsa_types_VerificationError + +*/ +typedef struct Result_ef_s { + Result_a9_tags tag; + union { + libcrux_ml_dsa_encoding_signature_Signature_44 case_Ok; + libcrux_ml_dsa_types_VerificationError case_Err; + } val; +} Result_ef; + +/** +This function found in impl +{libcrux_ml_dsa::encoding::signature::Signature[TraitClause@0, TraitClause@1]} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.encoding.signature.deserialize_92 +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- COMMITMENT_HASH_SIZE= 48 +- COLUMNS_IN_A= 5 +- ROWS_IN_A= 6 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- MAX_ONES_IN_HINT= 55 +- SIGNATURE_SIZE= 3309 +*/ +static KRML_MUSTINLINE Result_ef +libcrux_ml_dsa_encoding_signature_deserialize_92_76(uint8_t *serialized) { + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)3309U, serialized, uint8_t), (size_t)48U, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice commitment_hash = uu____0.fst; + Eurydice_slice rest_of_serialized = uu____0.snd; + Eurydice_slice_uint8_t_x2 uu____1 = + Eurydice_slice_split_at(rest_of_serialized, (size_t)640U * (size_t)5U, + uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice signer_response_serialized = uu____1.fst; + Eurydice_slice hint_serialized = uu____1.snd; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U]; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + signer_response[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t i0 = i; + libcrux_ml_dsa_encoding_gamma1_deserialize_61( + Eurydice_slice_subslice2(signer_response_serialized, i0 * (size_t)640U, + (i0 + (size_t)1U) * (size_t)640U, uint8_t), + &signer_response[i0]); + } + int32_t hint[6U][256U] = {{0U}}; + size_t previous_true_hints_seen = (size_t)0U; + size_t i = (size_t)0U; + bool malformed_hint = false; + while (true) { + if (i < (size_t)6U) { + if (malformed_hint) { + break; + } else { + size_t current_true_hints_seen = (size_t)Eurydice_slice_index( + hint_serialized, (size_t)55U + i, uint8_t, uint8_t *); + size_t j; + bool uu____2; + bool uu____3; + size_t uu____4; + size_t uu____5; + bool uu____6; + size_t uu____7; + size_t uu____8; + bool uu____9; + uint8_t uu____10; + size_t uu____11; + uint8_t uu____12; + size_t uu____13; + size_t uu____14; + bool uu____15; + size_t uu____16; + size_t uu____17; + uint8_t uu____18; + size_t uu____19; + bool uu____20; + size_t uu____21; + if (!(current_true_hints_seen < previous_true_hints_seen)) { + if (!(previous_true_hints_seen > (size_t)55U)) { + j = previous_true_hints_seen; + while (true) { + uu____2 = malformed_hint; + if (uu____2) { + break; + } else { + uu____4 = j; + uu____5 = current_true_hints_seen; + uu____3 = uu____4 < uu____5; + if (uu____3) { + uu____7 = j; + uu____8 = previous_true_hints_seen; + uu____6 = uu____7 > uu____8; + if (uu____6) { + uu____11 = j; + uu____10 = Eurydice_slice_index(hint_serialized, uu____11, + uint8_t, uint8_t *); + uu____14 = j; + uu____13 = uu____14 - (size_t)1U; + uu____12 = Eurydice_slice_index(hint_serialized, uu____13, + uint8_t, uint8_t *); + uu____9 = uu____10 <= uu____12; + if (uu____9) { + malformed_hint = true; + uu____15 = malformed_hint; + if (!uu____15) { + uu____16 = i; + uu____19 = j; + uu____18 = Eurydice_slice_index( + hint_serialized, uu____19, uint8_t, uint8_t *); + uu____17 = (size_t)uu____18; + hint[uu____16][uu____17] = (int32_t)1; + j++; + } + continue; + } + } + uu____15 = malformed_hint; + if (!uu____15) { + uu____16 = i; + uu____19 = j; + uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uint8_t, uint8_t *); + uu____17 = (size_t)uu____18; + hint[uu____16][uu____17] = (int32_t)1; + j++; + } + } else { + break; + } + } + } + uu____20 = malformed_hint; + if (!uu____20) { + uu____21 = current_true_hints_seen; + previous_true_hints_seen = uu____21; + i++; + } + continue; + } + } + malformed_hint = true; + j = previous_true_hints_seen; + while (true) { + uu____2 = malformed_hint; + if (uu____2) { + break; + } else { + uu____4 = j; + uu____5 = current_true_hints_seen; + uu____3 = uu____4 < uu____5; + if (uu____3) { + uu____7 = j; + uu____8 = previous_true_hints_seen; + uu____6 = uu____7 > uu____8; + if (uu____6) { + uu____11 = j; + uu____10 = Eurydice_slice_index(hint_serialized, uu____11, + uint8_t, uint8_t *); + uu____14 = j; + uu____13 = uu____14 - (size_t)1U; + uu____12 = Eurydice_slice_index(hint_serialized, uu____13, + uint8_t, uint8_t *); + uu____9 = uu____10 <= uu____12; + if (uu____9) { + malformed_hint = true; + uu____15 = malformed_hint; + if (!uu____15) { + uu____16 = i; + uu____19 = j; + uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uint8_t, uint8_t *); + uu____17 = (size_t)uu____18; + hint[uu____16][uu____17] = (int32_t)1; + j++; + } + continue; + } + } + uu____15 = malformed_hint; + if (!uu____15) { + uu____16 = i; + uu____19 = j; + uu____18 = Eurydice_slice_index(hint_serialized, uu____19, + uint8_t, uint8_t *); + uu____17 = (size_t)uu____18; + hint[uu____16][uu____17] = (int32_t)1; + j++; + } + } else { + break; + } + } + } + uu____20 = malformed_hint; + if (!uu____20) { + uu____21 = current_true_hints_seen; + previous_true_hints_seen = uu____21; + i++; + } + } + } else { + break; + } + } + i = previous_true_hints_seen; + while (true) { + if (i < (size_t)55U) { + if (malformed_hint) { + break; + } else { + if (Eurydice_slice_index(hint_serialized, i, uint8_t, uint8_t *) != + 0U) { + malformed_hint = true; + } + i++; + } + } else { + break; + } + } + Result_ef uu____22; + if (malformed_hint) { + uu____22 = (CLITERAL(Result_ef){ + .tag = Err, + .val = {.case_Err = libcrux_ml_dsa_types_MalformedHintError}}); + } else { + uint8_t uu____23[48U]; + Result_ae dst; + Eurydice_slice_to_array2(&dst, commitment_hash, Eurydice_slice, + uint8_t[48U]); + unwrap_26_28(dst, uu____23); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + copy_of_signer_response[5U]; + memcpy(copy_of_signer_response, signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + /* Passing arrays by value in Rust generates a copy in C */ + int32_t copy_of_hint[6U][256U]; + memcpy(copy_of_hint, hint, (size_t)6U * sizeof(int32_t[256U])); + Result_ef lit; + lit.tag = Ok; + memcpy(lit.val.case_Ok.commitment_hash, uu____23, + (size_t)48U * sizeof(uint8_t)); + memcpy(lit.val.case_Ok.signer_response, copy_of_signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + memcpy(lit.val.case_Ok.hint, copy_of_hint, + (size_t)6U * sizeof(int32_t[256U])); + uu____22 = lit; + } + return uu____22; +} + +/** +A monomorphic instance of +libcrux_ml_dsa.simd.portable.arithmetic.shift_left_then_reduce with const +generics +- SHIFT_BY= 13 +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_arithmetic_shift_left_then_reduce_84( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit out = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, simd_unit.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + out.coefficients[i0] = + libcrux_ml_dsa_simd_portable_arithmetic_reduce_element( + simd_unit.coefficients[i0] << (uint32_t)(int32_t)13); + } + return out; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.shift_left_then_reduce_36 +with const generics +- SHIFT_BY= 13 +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_shift_left_then_reduce_36_84( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit) { + return libcrux_ml_dsa_simd_portable_arithmetic_shift_left_then_reduce_84( + simd_unit); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.shift_left_then_reduce +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- SHIFT_BY= 13 +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_polynomial_PolynomialRingElement_9b +libcrux_ml_dsa_arithmetic_shift_left_then_reduce_b9( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b out = + libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, re.simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t i0 = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit *simd_unit = + &re.simd_units[i0]; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_shift_left_then_reduce_36_84( + simd_unit[0U]); + out.simd_units[i0] = uu____0; + } + return out; +} + +/** + Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) +*/ +/** +A monomorphic instance of libcrux_ml_dsa.matrix.compute_w_approx +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_matrix_compute_w_approx_2f( + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b (*A_as_ntt)[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b signer_response[5U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + verifier_challenge_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, signer_response, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t i0 = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____0 = + libcrux_ml_dsa_ntt_ntt_ba(signer_response[i0]); + signer_response[i0] = uu____0; + } + for (size_t i0 = (size_t)0U; + i0 < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)6U, A_as_ntt, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b[5U]); + i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *row = A_as_ntt[i1]; + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)5U, row, + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b), + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b); + i++) { + size_t j = i; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b *ring_element = + &row[j]; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b product = + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba(ring_element, + &signer_response[j]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____1 = + libcrux_ml_dsa_polynomial_add_ff_ba(&result[i1], &product); + result[i1] = uu____1; + } + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1_shifted = + libcrux_ml_dsa_arithmetic_shift_left_then_reduce_b9(t1[i1]); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1_shifted0 = + libcrux_ml_dsa_ntt_ntt_ba(t1_shifted); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + challenge_times_t1_shifted = + libcrux_ml_dsa_ntt_ntt_multiply_montgomery_ba( + &verifier_challenge_as_ntt, &t1_shifted0); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____2 = + libcrux_ml_dsa_ntt_invert_ntt_montgomery_ba( + libcrux_ml_dsa_polynomial_subtract_ff_ba( + &result[i1], &challenge_times_t1_shifted)); + result[i1] = uu____2; + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.use_one_hint +with const generics +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE int32_t +libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint_80(int32_t r, + int32_t hint) { + int32_t_x2 uu____0 = + libcrux_ml_dsa_simd_portable_arithmetic_decompose_element_80(r); + int32_t r0 = uu____0.fst; + int32_t r1 = uu____0.snd; + int32_t uu____1; + if (hint == (int32_t)0) { + uu____1 = r1; + } else if (r0 > (int32_t)0) { + uu____1 = (r1 + hint) & (int32_t)15; + } else { + uu____1 = (r1 - hint) & (int32_t)15; + } + return uu____1; +} + +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.arithmetic.use_hint +with const generics +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_arithmetic_use_hint_80( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint) { + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit result = + libcrux_ml_dsa_simd_portable_vector_type_ZERO(); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len(Eurydice_array_to_slice( + (size_t)8U, result.coefficients, int32_t), + int32_t); + i++) { + size_t i0 = i; + int32_t uu____0 = libcrux_ml_dsa_simd_portable_arithmetic_use_one_hint_80( + simd_unit.coefficients[i0], hint.coefficients[i0]); + result.coefficients[i0] = uu____0; + } + return result; +} + +/** +This function found in impl {(libcrux_ml_dsa::simd::traits::Operations for +libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} +*/ +/** +A monomorphic instance of libcrux_ml_dsa.simd.portable.use_hint_36 +with const generics +- GAMMA2= 261888 +*/ +static inline libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +libcrux_ml_dsa_simd_portable_use_hint_36_80( + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit simd_unit, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit hint) { + return libcrux_ml_dsa_simd_portable_arithmetic_use_hint_80(simd_unit, hint); +} + +/** +A monomorphic instance of libcrux_ml_dsa.arithmetic.use_hint +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit +with const generics +- DIMENSION= 6 +- GAMMA2= 261888 +*/ +static KRML_MUSTINLINE void libcrux_ml_dsa_arithmetic_use_hint_2f( + int32_t hint[6U][256U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b re_vector[6U], + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b ret[6U]) { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b result[6U]; + for (size_t i = (size_t)0U; i < (size_t)6U; i++) { + result[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ba(); + } + for (size_t i0 = (size_t)0U; i0 < (size_t)6U; i0++) { + size_t i1 = i0; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b hint_simd = + libcrux_ml_dsa_polynomial_from_i32_array_ff_ba( + Eurydice_array_to_slice((size_t)256U, hint[i1], int32_t)); + for (size_t i = (size_t)0U; + i < Eurydice_slice_len( + Eurydice_array_to_slice( + (size_t)32U, result->simd_units, + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit), + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit); + i++) { + size_t j = i; + libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit uu____0 = + libcrux_ml_dsa_simd_portable_use_hint_36_80( + re_vector[i1].simd_units[j], hint_simd.simd_units[j]); + result[i1].simd_units[j] = uu____0; + } + } + memcpy( + ret, result, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); +} + +/** + The internal verification API. + + If no `domain_separation_context` is supplied, it is assumed that + `message` already contains the domain separation. +*/ +/** +A monomorphic instance of libcrux_ml_dsa.ml_dsa_generic.verify_internal +with types libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit, +libcrux_ml_dsa_hash_functions_portable_Shake128X4, +libcrux_ml_dsa_hash_functions_portable_Shake256, +libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics +- ROWS_IN_A= 6 +- COLUMNS_IN_A= 5 +- SIGNATURE_SIZE= 3309 +- VERIFICATION_KEY_SIZE= 1952 +- GAMMA1_EXPONENT= 19 +- GAMMA1_RING_ELEMENT_SIZE= 640 +- GAMMA2= 261888 +- BETA= 196 +- COMMITMENT_RING_ELEMENT_SIZE= 128 +- COMMITMENT_VECTOR_SIZE= 768 +- COMMITMENT_HASH_SIZE= 48 +- ONES_IN_VERIFIER_CHALLENGE= 49 +- MAX_ONES_IN_HINT= 55 +*/ +static KRML_MUSTINLINE Result_41 +libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( + uint8_t *verification_key_serialized, Eurydice_slice message, + Option_84 domain_separation_context, uint8_t *signature_serialized) { + tuple_93 uu____0 = libcrux_ml_dsa_encoding_verification_key_deserialize_2f( + verification_key_serialized); + uint8_t seed_for_A[32U]; + memcpy(seed_for_A, uu____0.fst, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b t1[6U]; + memcpy( + t1, uu____0.snd, + (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + Result_ef uu____1 = + libcrux_ml_dsa_encoding_signature_deserialize_92_76(signature_serialized); + Result_41 uu____2; + if (uu____1.tag == Ok) { + libcrux_ml_dsa_encoding_signature_Signature_44 s = uu____1.val.case_Ok; + libcrux_ml_dsa_encoding_signature_Signature_44 signature = s; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____3[5U]; + memcpy(uu____3, signature.signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + if (libcrux_ml_dsa_arithmetic_vector_infinity_norm_exceeds_4f( + uu____3, ((int32_t)2 << (uint32_t)(size_t)19U) - (int32_t)196)) { + uu____2 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_SignerResponseExceedsBoundError}); + } else { + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b A_as_ntt[6U][5U]; + uint8_t ret[34U]; + libcrux_ml_dsa_utils_into_padded_array_b6( + Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t), ret); + libcrux_ml_dsa_samplex4_matrix_A_2f(ret, A_as_ntt); + uint8_t verification_key_hash[64U] = {0U}; + libcrux_ml_dsa_hash_functions_portable_shake256_5c_24( + Eurydice_array_to_slice((size_t)1952U, verification_key_serialized, + uint8_t), + verification_key_hash); + uint8_t message_representative[64U] = {0U}; + uint8_t uu____4[64U]; + memcpy(uu____4, verification_key_hash, (size_t)64U * sizeof(uint8_t)); + libcrux_ml_dsa_ml_dsa_generic_derive_message_representative_7b( + uu____4, domain_separation_context, message, message_representative); + uint8_t uu____5[48U]; + memcpy(uu____5, signature.commitment_hash, (size_t)48U * sizeof(uint8_t)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b + verifier_challenge_as_ntt = libcrux_ml_dsa_ntt_ntt_ba( + libcrux_ml_dsa_sample_sample_challenge_ring_element_83(uu____5)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b(*uu____6)[5U] = + A_as_ntt; + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____7[5U]; + memcpy(uu____7, signature.signer_response, + (size_t)5U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b uu____8 = + verifier_challenge_as_ntt; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_t1[6U]; + memcpy(copy_of_t1, t1, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b w_approx[6U]; + libcrux_ml_dsa_matrix_compute_w_approx_2f(uu____6, uu____7, uu____8, + copy_of_t1, w_approx); + uint8_t commitment_hash[48U] = {0U}; + int32_t uu____10[6U][256U]; + memcpy(uu____10, signature.hint, (size_t)6U * sizeof(int32_t[256U])); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_w_approx[6U]; + memcpy(copy_of_w_approx, w_approx, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b commitment[6U]; + libcrux_ml_dsa_arithmetic_use_hint_2f(uu____10, copy_of_w_approx, + commitment); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_dsa_polynomial_PolynomialRingElement_9b copy_of_commitment[6U]; + memcpy(copy_of_commitment, commitment, + (size_t)6U * + sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_9b)); + uint8_t commitment_serialized[768U]; + libcrux_ml_dsa_encoding_commitment_serialize_vector_5d( + copy_of_commitment, commitment_serialized); + libcrux_sha3_portable_incremental_Shake256Xof shake = + libcrux_ml_dsa_hash_functions_portable_init_83(); + libcrux_ml_dsa_hash_functions_portable_absorb_83( + &shake, Eurydice_array_to_slice((size_t)64U, message_representative, + uint8_t)); + libcrux_ml_dsa_hash_functions_portable_absorb_final_83( + &shake, Eurydice_array_to_slice((size_t)768U, commitment_serialized, + uint8_t)); + libcrux_ml_dsa_hash_functions_portable_squeeze_83( + &shake, + Eurydice_array_to_slice((size_t)48U, commitment_hash, uint8_t)); + if (core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( + (size_t)48U, signature.commitment_hash, commitment_hash, uint8_t, + uint8_t, bool)) { + uu____2 = (CLITERAL(Result_41){.tag = Ok}); + } else { + uu____2 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_CommitmentHashesDontMatchError}); + } + } + } else { + libcrux_ml_dsa_types_VerificationError e = uu____1.val.case_Err; + uu____2 = (CLITERAL(Result_41){.tag = Err, .f0 = e}); + } + return uu____2; } /** @@ -5721,13 +9117,23 @@ libcrux_ml_dsa_hash_functions_portable_Shake256Xof with const generics static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_99( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { - KRML_HOST_EPRINTF( - "KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"TODO: TraitTypes " - "core::result::{core::ops::try_trait::Try for core::result::Result[TraitClause@0, TraitClause@1]}#26[TraitClause@0, " - "TraitClause@1]::Residual\")\n"); - KRML_HOST_EXIT(255U); + Result_a8 uu____0 = libcrux_ml_dsa_pre_hash_new_45( + context, (CLITERAL(Option_30){.tag = None})); + Result_41 uu____1; + if (uu____0.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____0.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + dsc; + uu____1 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( + verification_key_serialized, message, + (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), + signature_serialized); + } else { + uu____1 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError}); + } + return uu____1; } /** @@ -5801,10 +9207,31 @@ static KRML_MUSTINLINE Result_41 libcrux_ml_dsa_ml_dsa_generic_verify_pre_hashed_ae( uint8_t *verification_key_serialized, Eurydice_slice message, Eurydice_slice context, uint8_t *signature_serialized) { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "Eurydice error: Failure(\"expression_of_operand Constant: " - "TraitClause@11OID\")\n"); - KRML_HOST_EXIT(255U); + uint8_t pre_hashed_message[256U]; + libcrux_ml_dsa_pre_hash_hash_bd_54(message, pre_hashed_message); + Eurydice_slice uu____0 = context; + Option_30 lit; + lit.tag = Some; + uint8_t ret[11U]; + libcrux_ml_dsa_pre_hash_oid_bd(ret); + memcpy(lit.f0, ret, (size_t)11U * sizeof(uint8_t)); + Result_a8 uu____1 = libcrux_ml_dsa_pre_hash_new_45(uu____0, lit); + Result_41 uu____2; + if (uu____1.tag == Ok) { + libcrux_ml_dsa_pre_hash_DomainSeparationContext dsc = uu____1.val.case_Ok; + libcrux_ml_dsa_pre_hash_DomainSeparationContext domain_separation_context = + dsc; + uu____2 = libcrux_ml_dsa_ml_dsa_generic_verify_internal_99( + verification_key_serialized, + Eurydice_array_to_slice((size_t)256U, pre_hashed_message, uint8_t), + (CLITERAL(Option_84){.tag = Some, .f0 = domain_separation_context}), + signature_serialized); + } else { + uu____2 = (CLITERAL(Result_41){ + .tag = Err, + .f0 = libcrux_ml_dsa_types_VerificationContextTooLongError}); + } + return uu____2; } /** @@ -5853,39 +9280,6 @@ libcrux_ml_dsa_ml_dsa_65_portable_verify_pre_hashed_shake128( libcrux_ml_dsa_types_as_raw_8f_fa(signature)); } -typedef struct libcrux_ml_dsa_pre_hash_DomainSeparationContext_s { - Eurydice_slice context; - Option_3f pre_hash_oid; -} libcrux_ml_dsa_pre_hash_DomainSeparationContext; - -/** - Returns the pre-hash OID, if any. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} -*/ -static inline Option_3f libcrux_ml_dsa_pre_hash_pre_hash_oid_45( - libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { - return self->pre_hash_oid; -} - -/** - Returns the context, guaranteed to be at most 255 bytes long. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} -*/ -static inline Eurydice_slice libcrux_ml_dsa_pre_hash_context_45( - libcrux_ml_dsa_pre_hash_DomainSeparationContext *self) { - return self->context; -} - -#define libcrux_ml_dsa_pre_hash_ContextTooLongError 0 - -typedef uint8_t libcrux_ml_dsa_pre_hash_DomainSeparationError; - #define LIBCRUX_ML_DSA_PRE_HASH_PRE_HASH_OID_LEN ((size_t)11U) typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashOID[11U]; @@ -5911,143 +9305,6 @@ libcrux_ml_dsa_pre_hash_from_b6( return libcrux_ml_dsa_types_VerificationContextTooLongError; } -static const uint8_t - libcrux_ml_dsa_pre_hash___libcrux_ml_dsa__pre_hash__PreHash_256__usize__for_libcrux_ml_dsa__pre_hash__SHAKE128_PH___OID - [11U] = {6U, 9U, 96U, 134U, 72U, 1U, 101U, 3U, 4U, 2U, 11U}; - -#define libcrux_ml_dsa_pre_hash_Ok 0 -#define libcrux_ml_dsa_pre_hash_Err 1 - -typedef uint8_t libcrux_ml_dsa_pre_hash_PreHashResult_tags; - -typedef struct libcrux_ml_dsa_pre_hash_PreHashResult_s { - libcrux_ml_dsa_pre_hash_PreHashResult_tags tag; - union { - libcrux_ml_dsa_pre_hash_DomainSeparationContext case_Ok; - libcrux_ml_dsa_pre_hash_DomainSeparationError case_Err; - } val; -} libcrux_ml_dsa_pre_hash_PreHashResult; - -/** - `context` must be at most 255 bytes long. -*/ -/** -This function found in impl -{libcrux_ml_dsa::pre_hash::DomainSeparationContext<'a>#1} -*/ -static inline libcrux_ml_dsa_pre_hash_PreHashResult -libcrux_ml_dsa_pre_hash_new_45(Eurydice_slice context, Option_3f pre_hash_oid) { - libcrux_ml_dsa_pre_hash_PreHashResult uu____0; - if (Eurydice_slice_len(context, uint8_t) > - LIBCRUX_ML_DSA_CONSTANTS_CONTEXT_MAX_LEN) { - uu____0 = (CLITERAL(libcrux_ml_dsa_pre_hash_PreHashResult){ - .tag = libcrux_ml_dsa_pre_hash_Err, - .val = {.case_Err = libcrux_ml_dsa_pre_hash_ContextTooLongError}}); - } else { - uu____0 = (CLITERAL(libcrux_ml_dsa_pre_hash_PreHashResult){ - .tag = libcrux_ml_dsa_pre_hash_Ok, - .val = { - .case_Ok = {.context = context, .pre_hash_oid = pre_hash_oid}}}); - } - return uu____0; -} - -static KRML_MUSTINLINE bool libcrux_ml_dsa_sample_inside_out_shuffle( - Eurydice_slice randomness, size_t *out_index, uint64_t *signs, - int32_t *result) { - bool done = false; - core_slice_iter_Iter iter = - core_slice_iter___core__iter__traits__collect__IntoIterator_for___a___Slice_T____1__into_iter( - randomness, uint8_t, core_slice_iter_Iter); - while (true) { - Option_3f uu____0 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Iter__a__T__TraitClause_0___182__next( - &iter, uint8_t, Option_3f); - if (uu____0.tag == None) { - break; - } else { - uint8_t *byte = uu____0.f0; - if (!done) { - size_t sample_at = (size_t)byte[0U]; - if (sample_at <= out_index[0U]) { - result[out_index[0U]] = result[sample_at]; - out_index[0U] = out_index[0U] + (size_t)1U; - result[sample_at] = - (int32_t)1 - (int32_t)2 * (int32_t)(signs[0U] & 1ULL); - signs[0U] = signs[0U] >> 1U; - size_t uu____1 = out_index[0U]; - done = uu____1 == - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)256U, result, int32_t), - int32_t); - } else { - size_t uu____2 = out_index[0U]; - done = uu____2 == - Eurydice_slice_len( - Eurydice_array_to_slice((size_t)256U, result, int32_t), - int32_t); - } - } - } - } - return done; -} - -static KRML_MUSTINLINE void libcrux_ml_dsa_sample_update_seed( - uint8_t seed[66U], uint16_t *domain_separator, uint8_t ret[66U]) { - seed[64U] = (uint8_t)domain_separator[0U]; - seed[65U] = (uint8_t)((uint32_t)domain_separator[0U] >> 8U); - domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; - memcpy(ret, seed, (size_t)66U * sizeof(uint8_t)); -} - -typedef struct int32_t_x2_s { - int32_t fst; - int32_t snd; -} int32_t_x2; - -static KRML_MUSTINLINE int32_t_x2 -libcrux_ml_dsa_simd_portable_arithmetic_power2round_element(int32_t t) { - int32_t t2 = t + (t >> 31U & LIBCRUX_ML_DSA_SIMD_TRAITS_FIELD_MODULUS); - int32_t t1 = - (t2 - (int32_t)1 + - ((int32_t)1 - << (uint32_t)(LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T - - (size_t)1U))) >> - (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T; - int32_t t0 = - t2 - (t1 << (uint32_t)LIBCRUX_ML_DSA_CONSTANTS_BITS_IN_LOWER_PART_OF_T); - return (CLITERAL(int32_t_x2){.fst = t0, .snd = t1}); -} - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_DESERIALIZE_WHEN_ETA_IS_4_ETA \ - ((int32_t)4) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_ERROR_SERIALIZE_WHEN_ETA_IS_4_ETA \ - ((int32_t)4) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - ((int32_t)1 << 17U) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1_TIMES_2_BITMASK \ - ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - << 1U) - \ - (int32_t)1) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - ((int32_t)1 << 19U) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1_TIMES_2_BITMASK \ - ((LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_DESERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - << 1U) - \ - (int32_t)1) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_17_GAMMA1 \ - ((int32_t)1 << 17U) - -#define LIBCRUX_ML_DSA_SIMD_PORTABLE_ENCODING_GAMMA1_SERIALIZE_WHEN_GAMMA1_IS_2_POW_19_GAMMA1 \ - ((int32_t)1 << 19U) - /** This function found in impl {(core::clone::Clone for libcrux_ml_dsa::simd::portable::vector_type::PortableSIMDUnit)} @@ -6062,8 +9319,10 @@ typedef int32_t libcrux_ml_dsa_simd_traits_FieldElementTimesMontgomeryR; typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_FieldElement; -typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128_s { -} libcrux_ml_dsa_hash_functions_portable_Shake128; +typedef Result_a8 libcrux_ml_dsa_pre_hash_PreHashResult; + +// typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128_s { +// } libcrux_ml_dsa_hash_functions_portable_Shake128; #if defined(__cplusplus) } diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h index 5b4eb7f14..78bfb4cff 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 + * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h index 807e69f7c..e2a3dcc30 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: 11a2dcf9b3f0c4803b93a53caa737ed8eac8bfd1 + * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 */ #ifndef __libcrux_sha3_portable_H diff --git a/libcrux-ml-dsa/cg/tests/mldsa65.cc b/libcrux-ml-dsa/cg/tests/mldsa65.cc index e1e4bdb33..ea77a81b2 100644 --- a/libcrux-ml-dsa/cg/tests/mldsa65.cc +++ b/libcrux-ml-dsa/cg/tests/mldsa65.cc @@ -35,19 +35,23 @@ TEST(MlDsa65TestPortable, ConsistencyTest) { randomness[i] = 0x55; } - uint8_t context[0]; - auto ctxt = libcrux_ml_dsa_ml_dsa_65_portable_sign( - &key_pair.signing_key, - mk_slice(&msg, 79), - mk_slice(&context, 0), + uint8_t context[3]; + + auto msg_slice = mk_slice(&msg, 79); + auto context_slice = mk_slice(&context, 3); + auto signature_result = libcrux_ml_dsa_ml_dsa_65_portable_sign( + &key_pair.signing_key, msg_slice, + context_slice, randomness); + EXPECT_EQ(signature_result.tag, Ok); + auto signature = signature_result.val.case_Ok; - // // Verify - // uint8_t sharedSecret2[LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE]; - // libcrux_ml_kem_mlkem768_portable_decapsulate(&key_pair.sk, &ctxt.fst, sharedSecret2); + // Verify + auto result = libcrux_ml_dsa_ml_dsa_65_portable_verify( + &key_pair.verification_key, + msg_slice, + context_slice, + &signature); - // EXPECT_EQ(0, - // memcmp(ctxt.snd, - // sharedSecret2, - // LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE)); + EXPECT_EQ(result.tag, Ok); } From 87497297c8d9a6be6127d9daae13a942b5439e74 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 9 Dec 2024 10:03:56 +0000 Subject: [PATCH 20/27] fix eurydice iterators --- libcrux-ml-dsa/cg/eurydice_glue.h | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/libcrux-ml-dsa/cg/eurydice_glue.h b/libcrux-ml-dsa/cg/eurydice_glue.h index 77124b063..9bfd9f546 100644 --- a/libcrux-ml-dsa/cg/eurydice_glue.h +++ b/libcrux-ml-dsa/cg/eurydice_glue.h @@ -161,23 +161,18 @@ static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) { _ret_t) \ (o)->tag - -static inline uint8_t -Eurydice_bitand_pv_u8(uint8_t *p, uint8_t v) -{ - return (*p) & v; +static inline uint8_t Eurydice_bitand_pv_u8(uint8_t *p, uint8_t v) { + return (*p) & v; } -static inline uint8_t -Eurydice_shr_pv_u8(uint8_t *p, int32_t v) -{ - return (*p) >> v; +static inline uint8_t Eurydice_shr_pv_u8(uint8_t *p, int32_t v) { + return (*p) >> v; } // ITERATORS #define Eurydice_range_iter_next(iter_ptr, t, ret_t) \ - (((iter_ptr)->start == (iter_ptr)->end) \ + (((iter_ptr)->start >= (iter_ptr)->end) \ ? (CLITERAL(ret_t){.tag = None, .f0 = 0}) \ : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++})) From 02f1009a28a9252c0291a645b2979ad0fc71e3b5 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 9 Dec 2024 10:13:52 +0000 Subject: [PATCH 21/27] mldsa: feature guard sampling --- libcrux-ml-dsa/src/samplex4.rs | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index 1ac7e7530..edf06d13c 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -391,6 +391,7 @@ pub(crate) fn matrix_A; S2_DIMENSION], ) { match (S1_DIMENSION as u8, S2_DIMENSION as u8) { + #[cfg(feature = "mldsa44")] (4, 4) => { sample_s1_and_s2_4_by_4::(seed) } + #[cfg(feature = "mldsa65")] (5, 6) => { sample_s1_and_s2_5_by_6::(seed) } + #[cfg(feature = "mldsa87")] (7, 8) => { sample_s1_and_s2_7_by_8::(seed) } From a93d7ea6889af3fa134fef06b87fe62b8a42f58b Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 9 Dec 2024 10:17:19 +0000 Subject: [PATCH 22/27] mldsa C code (portable working) --- libcrux-ml-dsa/cg/libcrux_core.h | 2 +- libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h | 167 +------------------ libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h | 8 +- libcrux-ml-dsa/cg/libcrux_sha3_avx2.h | 2 +- libcrux-ml-dsa/cg/libcrux_sha3_portable.h | 2 +- 5 files changed, 5 insertions(+), 176 deletions(-) diff --git a/libcrux-ml-dsa/cg/libcrux_core.h b/libcrux-ml-dsa/cg/libcrux_core.h index 4cf1b281a..ed839622f 100644 --- a/libcrux-ml-dsa/cg/libcrux_core.h +++ b/libcrux-ml-dsa/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 + * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h index 7c5698cb0..4cd046ed1 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_avx2.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 + * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 */ #ifndef __libcrux_mldsa65_avx2_H @@ -4495,65 +4495,6 @@ static KRML_MUSTINLINE return lit; } -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_4_by_4 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, -libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ETA= 4 -- S1_DIMENSION= 5 -- S2_DIMENSION= 6 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_ce0 -libcrux_ml_dsa_samplex4_sample_s1_and_s2_4_by_4_4d(uint8_t seed_base[66U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base[66U]; - memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base, 0U, 1U, 2U, 3U); - s1[0U] = four.fst; - s1[1U] = four.snd; - s1[2U] = four.thd; - s1[3U] = four.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base0[66U]; - memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base0, 4U, 5U, 6U, 7U); - s2[0U] = four0.fst; - s2[1U] = four0.snd; - s2[2U] = four0.thd; - s2[3U] = four0.f3; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U]; - memcpy( - copy_of_s2, s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - tuple_ce0 lit; - memcpy( - lit.fst, copy_of_s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy( - lit.snd, copy_of_s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - return lit; -} - /** A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_5_by_6 with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, @@ -4622,84 +4563,6 @@ libcrux_ml_dsa_samplex4_sample_s1_and_s2_5_by_6_4d(uint8_t seed_base[66U]) { return lit; } -/** -A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2_7_by_8 -with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, -libcrux_ml_dsa_hash_functions_simd256_Shake256x4 with const generics -- ETA= 4 -- S1_DIMENSION= 5 -- S2_DIMENSION= 6 -*/ -KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE tuple_ce0 -libcrux_ml_dsa_samplex4_sample_s1_and_s2_7_by_8_4d(uint8_t seed_base[66U]) { - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s1[5U]; - for (size_t i = (size_t)0U; i < (size_t)5U; i++) { - s1[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 s2[6U]; - for (size_t i = (size_t)0U; i < (size_t)6U; i++) { - s2[i] = libcrux_ml_dsa_polynomial_ZERO_ff_ea(); - } - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base[66U]; - memcpy(copy_of_seed_base, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base, 0U, 1U, 2U, 3U); - s1[0U] = four.fst; - s1[1U] = four.snd; - s1[2U] = four.thd; - s1[3U] = four.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base0[66U]; - memcpy(copy_of_seed_base0, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four0 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base0, 4U, 5U, 6U, 7U); - s1[4U] = four0.fst; - s1[5U] = four0.snd; - s1[6U] = four0.thd; - s2[0U] = four0.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base1[66U]; - memcpy(copy_of_seed_base1, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four1 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base1, 8U, 9U, 10U, 11U); - s2[1U] = four1.fst; - s2[2U] = four1.snd; - s2[3U] = four1.thd; - s2[4U] = four1.f3; - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed_base2[66U]; - memcpy(copy_of_seed_base2, seed_base, (size_t)66U * sizeof(uint8_t)); - libcrux_ml_dsa_polynomial_PolynomialRingElement_libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit_x4 - four2 = libcrux_ml_dsa_sample_sample_four_error_ring_elements_cb( - copy_of_seed_base2, 12U, 13U, 14U, 15U); - s2[5U] = four2.fst; - s2[6U] = four2.snd; - s2[7U] = four2.thd; - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s1[5U]; - memcpy( - copy_of_s1, s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - /* Passing arrays by value in Rust generates a copy in C */ - libcrux_ml_dsa_polynomial_PolynomialRingElement_24 copy_of_s2[6U]; - memcpy( - copy_of_s2, s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - tuple_ce0 lit; - memcpy( - lit.fst, copy_of_s1, - (size_t)5U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - memcpy( - lit.snd, copy_of_s2, - (size_t)6U * sizeof(libcrux_ml_dsa_polynomial_PolynomialRingElement_24)); - return lit; -} - /** A monomorphic instance of libcrux_ml_dsa.samplex4.sample_s1_and_s2 with types libcrux_ml_dsa_simd_avx2_vector_type_AVX2SIMDUnit, @@ -4713,20 +4576,6 @@ static KRML_MUSTINLINE tuple_ce0 libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(uint8_t seed[66U]) { uint8_t_x2 uu____0 = {.fst = (uint8_t)(size_t)5U, .snd = (uint8_t)(size_t)6U}; switch (uu____0.fst) { - case 4U: { - switch (uu____0.snd) { - case 4U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[66U]; - memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); - return libcrux_ml_dsa_samplex4_sample_s1_and_s2_4_by_4_4d( - copy_of_seed); - } - default: { - } - } - break; - } case 5U: { switch (uu____0.snd) { case 6U: { @@ -4741,20 +4590,6 @@ libcrux_ml_dsa_samplex4_sample_s1_and_s2_4d(uint8_t seed[66U]) { } break; } - case 7U: { - switch (uu____0.snd) { - case 8U: { - /* Passing arrays by value in Rust generates a copy in C */ - uint8_t copy_of_seed[66U]; - memcpy(copy_of_seed, seed, (size_t)66U * sizeof(uint8_t)); - return libcrux_ml_dsa_samplex4_sample_s1_and_s2_7_by_8_4d( - copy_of_seed); - } - default: { - } - } - break; - } default: { } } diff --git a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h index a1c766bfb..7c1e075a3 100644 --- a/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_mldsa65_portable.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 + * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 */ #ifndef __libcrux_mldsa65_portable_H @@ -396,7 +396,6 @@ libcrux_ml_dsa::hash_functions::portable::Shake256Xof)#4} */ static inline void libcrux_ml_dsa_hash_functions_portable_squeeze_83( libcrux_sha3_portable_incremental_Shake256Xof *self, Eurydice_slice out) { - printf("squeeze out len: %lu\n", out.len); libcrux_sha3_portable_incremental_squeeze_68(self, out); } @@ -646,8 +645,6 @@ static inline void libcrux_ml_dsa_pre_hash_oid_bd(uint8_t ret[11U]) { (size_t)11U * sizeof(uint8_t)); } -// typedef struct libcrux_ml_dsa_pre_hash_SHAKE128_PH_s { -// } libcrux_ml_dsa_pre_hash_SHAKE128_PH; typedef struct libcrux_ml_dsa_simd_portable_vector_type_PortableSIMDUnit_s { int32_t coefficients[8U]; @@ -9321,9 +9318,6 @@ typedef int32_t libcrux_ml_dsa_simd_portable_vector_type_FieldElement; typedef Result_a8 libcrux_ml_dsa_pre_hash_PreHashResult; -// typedef struct libcrux_ml_dsa_hash_functions_portable_Shake128_s { -// } libcrux_ml_dsa_hash_functions_portable_Shake128; - #if defined(__cplusplus) } #endif diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h index 78bfb4cff..ed58cea67 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 + * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h index e2a3dcc30..dabbeb171 100644 --- a/libcrux-ml-dsa/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-dsa/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: b665364a6d86749566ce2d650d13fa12c8fab2c5 * Karamel: 96572bc631fde691a2aea7bce5a5a3838b3a5968 * F*: b0961063393215ca65927f017720cb365a193833-dirty - * Libcrux: d4b51bcb3af12fb1358ed37830e33cbd72d31590 + * Libcrux: 87497297c8d9a6be6127d9daae13a942b5439e74 */ #ifndef __libcrux_sha3_portable_H From 60ac469a75e40c42c98ad96617fe8015ca6dda93 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 9 Dec 2024 10:19:31 +0000 Subject: [PATCH 23/27] mldsa: updated F* code --- .../Libcrux_ml_dsa.Encoding.Commitment.fst | 143 +++------ .../Libcrux_ml_dsa.Encoding.Commitment.fsti | 8 +- .../Libcrux_ml_dsa.Encoding.Error.fst | 278 +++++++----------- .../Libcrux_ml_dsa.Encoding.Error.fsti | 8 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fst | 226 +++++--------- .../Libcrux_ml_dsa.Encoding.Gamma1.fsti | 10 +- .../Libcrux_ml_dsa.Encoding.Signature.fst | 17 +- .../Libcrux_ml_dsa.Encoding.Signing_key.fst | 26 +- .../extraction/Libcrux_ml_dsa.Encoding.T0.fst | 155 +++++----- .../Libcrux_ml_dsa.Encoding.T0.fsti | 6 +- .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 75 ++--- .../Libcrux_ml_dsa.Encoding.T1.fsti | 1 + ...bcrux_ml_dsa.Encoding.Verification_key.fst | 1 + .../extraction/Libcrux_ml_dsa.Matrix.fst | 62 +++- ...neric.Instantiations.Avx2.Avx2_feature.fst | 2 + ...dsa.Ml_dsa_generic.Instantiations.Neon.fst | 2 + ...Ml_dsa_generic.Instantiations.Portable.fst | 2 + .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 225 +++++++------- .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 28 +- .../extraction/Libcrux_ml_dsa.Polynomial.fst | 70 +++-- .../extraction/Libcrux_ml_dsa.Pre_hash.fst | 65 ++-- .../extraction/Libcrux_ml_dsa.Pre_hash.fsti | 40 ++- .../extraction/Libcrux_ml_dsa.Sample.fst | 107 ++++--- .../extraction/Libcrux_ml_dsa.Sample.fsti | 1 + ...x_ml_dsa.Simd.Avx2.Encoding.Commitment.fst | 248 ++++++++-------- ..._ml_dsa.Simd.Avx2.Encoding.Commitment.fsti | 4 +- ...ibcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst | 69 +++-- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti | 12 +- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst | 71 +++-- ...crux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti | 12 +- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fst | 81 +++-- ..._dsa.Simd.Portable.Encoding.Commitment.fst | 131 +++++---- ...dsa.Simd.Portable.Encoding.Commitment.fsti | 4 +- ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 44 +-- ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 13 +- ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 81 ++--- ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 13 +- .../Libcrux_ml_dsa.Simd.Portable.Sample.fst | 16 +- .../Libcrux_ml_dsa.Simd.Portable.fst | 54 +++- .../Libcrux_ml_dsa.Simd.Traits.fsti | 36 +-- .../fstar/extraction/Libcrux_ml_dsa.Types.fst | 2 +- .../extraction/Libcrux_ml_dsa.Types.fsti | 2 +- 42 files changed, 1212 insertions(+), 1239 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst index 8634dfbe9..bfbcf309d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst @@ -11,111 +11,54 @@ let _ = let serialize (#v_SIMDUnit: Type0) - (v_OUTPUT_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 128uy -> - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (sz 4) - simd_unit + let output_bytes_per_simd_unit:usize = + (Core.Slice.impl__len #u8 serialized <: usize) /! (sz 8 *! sz 4 <: usize) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize + } <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 v_OUTPUT_SIZE) - in - serialized - | 192uy -> - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start - = - i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (sz 6) - simd_unit - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 v_OUTPUT_SIZE) - in - serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) + t_Slice u8) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + serialized let serialize_vector (#v_SIMDUnit: Type0) @@ -151,7 +94,8 @@ let serialize_vector } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 + (serialize #v_SIMDUnit + ring_element (serialized.[ { Core.Ops.Range.f_start = offset; Core.Ops.Range.f_end = offset +! v_RING_ELEMENT_SIZE <: usize @@ -160,7 +104,6 @@ let serialize_vector Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (serialize #v_SIMDUnit v_RING_ELEMENT_SIZE ring_element <: t_Slice u8) <: t_Slice u8) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti index 0becaf037..53816fd08 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti @@ -9,16 +9,12 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 4 - -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 6 - val serialize (#v_SIMDUnit: Type0) - (v_OUTPUT_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_vector (#v_SIMDUnit: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst index 84a413aa5..e95ba0a90 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst @@ -16,73 +16,50 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = - match cast (v_ETA <: usize) <: u8 with - | 2uy -> Core.Slice.impl__chunks #u8 serialized (sz 3) - | 4uy -> Core.Slice.impl__chunks #u8 serialized (sz 4) - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in + let chunk_size:usize = if v_ETA =. sz 2 then sz 3 else sz 4 in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - in - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun temp_0_ temp_1_ -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in let _:usize = temp_1_ in true) - (result, serialized_chunks - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) - ) - (fun temp_0_ i -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in + result + (fun result i -> + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in let i:usize = i in - let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = - Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) - #FStar.Tactics.Typeclasses.solve - serialized_chunks - in - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in - ({ - result with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Polynomial.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_error_deserialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - v_ETA - (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) - <: - v_SIMDUnit) - } + { + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_error_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_ETA + (serialized.[ { + Core.Ops.Range.f_start = i *! chunk_size <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! chunk_size <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + v_SIMDUnit) <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), - serialized_chunks + t_Array v_SIMDUnit (sz 32) + } <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8)) + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in + let hax_temp_output:Prims.unit = () <: Prims.unit in result let deserialize_to_vector_then_ntt @@ -102,18 +79,15 @@ let deserialize_to_vector_then_ntt in let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate - (Core.Slice.Iter.t_Chunks u8)) - #FStar.Tactics.Typeclasses.solve - (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 serialized v_RING_ELEMENT_SIZE - <: - Core.Slice.Iter.t_Chunks u8) - <: - Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) - <: - Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice v_RING_ELEMENT_SIZE + serialized + (fun ring_elements temp_1_ -> + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + ring_elements + in + let _:usize = temp_1_ in + true) ring_elements (fun ring_elements temp_1_ -> let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -121,16 +95,31 @@ let deserialize_to_vector_then_ntt ring_elements in let i, bytes:(usize & t_Slice u8) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (deserialize #v_SIMDUnit v_ETA bytes - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (deserialize #v_SIMDUnit + v_ETA + bytes + (ring_elements.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (ring_elements.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + ring_elements) in ring_elements @@ -141,103 +130,46 @@ let serialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - match cast (v_ETA <: usize) <: u8 with - | 2uy -> - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (sz 3) - simd_unit + let output_bytes_per_simd_unit:usize = if v_ETA =. sz 2 then sz 3 else sz 4 in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_ETA + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize + } <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 v_OUTPUT_SIZE) - in - serialized - | 4uy -> - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start - = - i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (sz 4) - simd_unit - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 v_OUTPUT_SIZE) - in - serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) + t_Slice u8) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti index 199d62d48..2136a90ef 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti @@ -9,15 +9,12 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 3 - -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 4 - val deserialize (#v_SIMDUnit: Type0) (v_ETA: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (serialized: t_Slice u8) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) @@ -37,4 +34,5 @@ val serialize (v_ETA v_OUTPUT_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst index 470cf8ab6..a55f19fe7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst @@ -16,179 +16,101 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17uy -> Core.Slice.impl__chunks #u8 serialized (sz 18) - | 19uy -> Core.Slice.impl__chunks #u8 serialized (sz 20) - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - in - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun temp_0_ temp_1_ -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in let _:usize = temp_1_ in true) - (result, serialized_chunks - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) - ) - (fun temp_0_ i -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in + result + (fun result i -> + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in let i:usize = i in - let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = - Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) - #FStar.Tactics.Typeclasses.solve - serialized_chunks - in - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in - ({ - result with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Polynomial.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - v_GAMMA1_EXPONENT - (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) - <: - v_SIMDUnit) - } + { + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA1_EXPONENT + (serialized.[ { + Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + v_SIMDUnit) <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), - serialized_chunks + t_Array v_SIMDUnit (sz 32) + } <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8)) + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in + let hax_temp_output:Prims.unit = () <: Prims.unit in result let serialize (#v_SIMDUnit: Type0) - (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + (v_GAMMA1_EXPONENT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.repeat 0uy v_OUTPUT_BYTES in - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17uy -> - let serialized:t_Array u8 v_OUTPUT_BYTES = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (sz 18) - simd_unit + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA1_EXPONENT + simd_unit + (serialized.[ { + Core.Ops.Range.f_start = i *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! (v_GAMMA1_EXPONENT +! sz 1 <: usize) <: usize + } <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 v_OUTPUT_BYTES) - in - serialized - | 19uy -> - let serialized:t_Array u8 v_OUTPUT_BYTES = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start - = - i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (sz 20) - simd_unit - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 v_OUTPUT_BYTES) - in - serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) + t_Slice u8) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti index c6b16420b..9c35efc9f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti @@ -9,22 +9,20 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 18 - -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 20 - val deserialize (#v_SIMDUnit: Type0) (v_GAMMA1_EXPONENT: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (serialized: t_Slice u8) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) val serialize (#v_SIMDUnit: Type0) - (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + (v_GAMMA1_EXPONENT: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst index 3c0ff240a..096a14a68 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst @@ -65,6 +65,9 @@ let impl__deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) + (signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: @@ -274,7 +277,11 @@ let impl__serialize } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 + (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (self.f_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (signature.[ { Core.Ops.Range.f_start = offset; Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize @@ -283,14 +290,6 @@ let impl__serialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit - v_GAMMA1_EXPONENT - v_GAMMA1_RING_ELEMENT_SIZE - (self.f_signer_response.[ i ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Slice u8) <: t_Slice u8) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst index 7088fe927..36b4a612d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst @@ -215,7 +215,10 @@ let generate_serialized } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 + (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit + v_ETA + v_ERROR_RING_ELEMENT_SIZE + ring_element (signing_key_serialized.[ { Core.Ops.Range.f_start = offset; Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize @@ -224,12 +227,6 @@ let generate_serialized Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit - v_ETA - v_ERROR_RING_ELEMENT_SIZE - ring_element - <: - t_Slice u8) <: t_Slice u8) in @@ -260,7 +257,10 @@ let generate_serialized } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 + (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit + v_ETA + v_ERROR_RING_ELEMENT_SIZE + ring_element (signing_key_serialized.[ { Core.Ops.Range.f_start = offset; Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize @@ -269,12 +269,6 @@ let generate_serialized Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit - v_ETA - v_ERROR_RING_ELEMENT_SIZE - ring_element - <: - t_Slice u8) <: t_Slice u8) in @@ -307,7 +301,8 @@ let generate_serialized } <: Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 + (Libcrux_ml_dsa.Encoding.T0.serialize #v_SIMDUnit + ring_element (signing_key_serialized.[ { Core.Ops.Range.f_start = offset; Core.Ops.Range.f_end @@ -318,7 +313,6 @@ let generate_serialized Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (Libcrux_ml_dsa.Encoding.T0.serialize #v_SIMDUnit ring_element <: t_Slice u8) <: t_Slice u8) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst index b1193d6cd..2fda1d74c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst @@ -15,65 +15,50 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = - Core.Slice.impl__chunks #u8 serialized (sz 13) - in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - in - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun temp_0_ temp_1_ -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in let _:usize = temp_1_ in true) - (result, serialized_chunks - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) - ) - (fun temp_0_ i -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in + result + (fun result i -> + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in let i:usize = i in - let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = - Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) - #FStar.Tactics.Typeclasses.solve - serialized_chunks - in - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in - ({ - result with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Polynomial.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_t0_deserialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) - <: - v_SIMDUnit) - } + { + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_t0_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (serialized.[ { + Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + v_SIMDUnit) <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), - serialized_chunks + t_Array v_SIMDUnit (sz 32) + } <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8)) + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in + let hax_temp_output:Prims.unit = () <: Prims.unit in result let deserialize_to_vector_then_ntt @@ -93,20 +78,15 @@ let deserialize_to_vector_then_ntt in let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate - (Core.Slice.Iter.t_Chunks u8)) - #FStar.Tactics.Typeclasses.solve - (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8) - #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 - serialized - Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE - <: - Core.Slice.Iter.t_Chunks u8) - <: - Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) - <: - Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE + serialized + (fun ring_elements temp_1_ -> + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + ring_elements + in + let _:usize = temp_1_ in + true) ring_elements (fun ring_elements temp_1_ -> let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -114,16 +94,30 @@ let deserialize_to_vector_then_ntt ring_elements in let i, bytes:(usize & t_Slice u8) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements - i - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (deserialize #v_SIMDUnit bytes - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (deserialize #v_SIMDUnit + bytes + (ring_elements.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (ring_elements.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + ring_elements) in ring_elements @@ -133,35 +127,33 @@ let serialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 (sz 416) = Rust_primitives.Hax.repeat 0uy (sz 416) in - let serialized:t_Array u8 (sz 416) = + let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) (fun serialized temp_1_ -> - let serialized:t_Array u8 (sz 416) = serialized in + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) serialized (fun serialized temp_1_ -> - let serialized:t_Array u8 (sz 416) = serialized in + let serialized:t_Slice u8 = serialized in let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize } <: Core.Ops.Range.t_Range usize) (Core.Slice.impl__copy_from_slice #u8 (serialized.[ { - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize; Core.Ops.Range.f_end = - (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize } <: Core.Ops.Range.t_Range usize ] @@ -175,6 +167,7 @@ let serialize <: t_Slice u8) <: - t_Array u8 (sz 416)) + t_Slice u8) in + let hax_temp_output:Prims.unit = () <: Prims.unit in serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti index 3969d9d7c..94ac260a2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti @@ -9,12 +9,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13 +let v_OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13 val deserialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (serialized: t_Slice u8) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) @@ -33,4 +34,5 @@ val serialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 (sz 416)) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst index 6a59315c3..2348e0868 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst @@ -15,65 +15,48 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = - Core.Slice.impl__chunks #u8 serialized (sz 10) - in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - in - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun temp_0_ temp_1_ -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in let _:usize = temp_1_ in true) - (result, serialized_chunks - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) - ) - (fun temp_0_ i -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in + result + (fun result i -> + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = result in let i:usize = i in - let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = - Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) - #FStar.Tactics.Typeclasses.solve - serialized_chunks - in - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in - ({ - result with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Polynomial.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_t1_deserialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) - <: - v_SIMDUnit) - } + { + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_t1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (serialized.[ { + Core.Ops.Range.f_start = i *! sz 10 <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! sz 10 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + v_SIMDUnit) <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), - serialized_chunks + t_Array v_SIMDUnit (sz 32) + } <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8)) + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in + let hax_temp_output:Prims.unit = () <: Prims.unit in result let serialize diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti index f05c66a13..6ac2183bb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti @@ -15,6 +15,7 @@ val deserialize (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (serialized: t_Slice u8) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst index 94a614a45..f36227839 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst @@ -62,6 +62,7 @@ let deserialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst index 2ba6033e2..a5339e177 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst @@ -121,6 +121,18 @@ let compute_A_times_mask Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A + = + Core.Array.impl_23__map #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A + #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + mask + (fun s -> + let s:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = s in + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit s + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt <: @@ -168,10 +180,7 @@ let compute_A_times_mask let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit ring_element - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (mask.[ j ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt.[ j ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -339,6 +348,39 @@ let compute_w_approx Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A in + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (signer_response <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + ) + <: + usize) + (fun signer_response temp_1_ -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + let _:usize = temp_1_ in + true) + signer_response + (fun signer_response i -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + in let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt <: @@ -386,10 +428,7 @@ let compute_w_approx let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit ring_element - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit - (signer_response.[ j ] - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (signer_response.[ j ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -412,13 +451,14 @@ let compute_w_approx 13l (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in + let t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit t1_shifted + in let challenge_times_t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit verifier_challenge_as_ntt - (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit t1_shifted - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + t1_shifted in let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst index ccfe9b578..3ae7a4680 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst @@ -56,6 +56,7 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -94,6 +95,7 @@ let verify_pre_hashed_shake128 (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst index d8354ab2f..bc44352c6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst @@ -56,6 +56,7 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -94,6 +95,7 @@ let verify_pre_hashed_shake128 (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst index 8672a8e98..581a147b8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst @@ -55,6 +55,7 @@ let sign_pre_hashed_shake128 (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof @@ -93,6 +94,7 @@ let verify_pre_hashed_shake128 (signature: t_Array u8 v_SIGNATURE_SIZE) = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index 21226d0c1..0bf89311c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -456,57 +456,18 @@ let sign_internal (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A))) in - match - match commitment_hash with - | Core.Option.Option_Some commitment_hash -> - Core.Result.Result_Ok commitment_hash - <: - Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError - <: - Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError - with - | Core.Result.Result_Ok commitment_hash -> - (match - match signer_response with - | Core.Option.Option_Some signer_response -> - Core.Result.Result_Ok signer_response - <: - Core.Result.t_Result - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError - <: - Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - Libcrux_ml_dsa.Types.t_SigningError - with - | Core.Result.Result_Ok signer_response -> - (match - match hint with - | Core.Option.Option_Some hint -> - Core.Result.Result_Ok hint - <: - Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) - Libcrux_ml_dsa.Types.t_SigningError - | Core.Option.Option_None -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError - <: - Libcrux_ml_dsa.Types.t_SigningError) - <: - Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) - Libcrux_ml_dsa.Types.t_SigningError - with - | Core.Result.Result_Ok hint -> + match commitment_hash with + | Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = commitment_hash in + (match signer_response with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + (match hint with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = hint in let signature:t_Array u8 v_SIGNATURE_SIZE = Libcrux_ml_dsa.Encoding.Signature.impl__serialize #v_SIMDUnit v_COMMITMENT_HASH_SIZE @@ -531,18 +492,26 @@ let sign_internal <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError - | Core.Result.Result_Err err -> - Core.Result.Result_Err err + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError @@ -576,49 +545,50 @@ let sign Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok hoist36 -> + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message - (Core.Option.Option_Some hoist36 + (Core.Option.Option_Some domain_separation_context <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err err -> + | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError let sign_pre_hashed - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) + (#v_SIMDUnit #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i10: + i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i11: + i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) @@ -633,7 +603,11 @@ let sign_pre_hashed Libcrux_ml_dsa.Types.t_SigningError else let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #v_PH_DIGEST_LEN + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message in match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -644,21 +618,19 @@ let sign_pre_hashed <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok hoist39 -> + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some hoist39 + (Core.Option.Option_Some domain_separation_context <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err err -> + | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError @@ -706,15 +678,26 @@ let verify_internal v_SIGNATURE_SIZE signature_serialized with - | Core.Result.Result_Ok signature -> + | Core.Result.Result_Ok s -> + let signature:Libcrux_ml_dsa.Encoding.Signature.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A = + s + in if - ~.(Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit - v_COLUMNS_IN_A - signature.Libcrux_ml_dsa.Encoding.Signature.f_signer_response - ((2l <. commitment_hash + if signature.Libcrux_ml_dsa.Encoding.Signature.f_commitment_hash =. commitment_hash then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else Core.Result.Result_Err (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError <: Libcrux_ml_dsa.Types.t_VerificationError) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else - Core.Result.Result_Ok (() <: Prims.unit) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - else - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_SignerResponseExceedsBoundError - <: - Libcrux_ml_dsa.Types.t_VerificationError) - <: - Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError - | Core.Result.Result_Err err -> - Core.Result.Result_Err err + | Core.Result.Result_Err e -> + Core.Result.Result_Err e <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError @@ -857,51 +833,58 @@ let verify Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok hoist41 -> + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message - (Core.Option.Option_Some hoist41 + (Core.Option.Option_Some domain_separation_context <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err err -> + | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError let verify_pre_hashed - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#v_SIMDUnit #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: + i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: + i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i8: + i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i9: + i11: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) = let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = - Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #v_PH_DIGEST_LEN + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message in match Libcrux_ml_dsa.Pre_hash.impl_1__new context @@ -912,21 +895,21 @@ let verify_pre_hashed <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok hoist43 -> + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some hoist43 + (Core.Option.Option_Some domain_separation_context <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err err -> + | Core.Result.Result_Err _ -> Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti index 574ce29b4..b333cdc66 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti @@ -81,18 +81,19 @@ val sign Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) val sign_pre_hashed - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) + (#v_SIMDUnit #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) - {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - {| i11: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) @@ -142,17 +143,18 @@ val verify (fun _ -> Prims.l_True) val verify_pre_hashed - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#v_SIMDUnit #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) (v_GAMMA2 v_BETA: i32) (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) - {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} - {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} - {| i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst index 92db55cce..1cfb3ccb5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst @@ -44,50 +44,48 @@ let impl__from_i32_array in () in - let array_chunks:Core.Slice.Iter.t_Chunks i32 = - Core.Slice.impl__chunks #i32 array Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in let result:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in - let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit) = + let result:t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT - (fun temp_0_ temp_1_ -> - let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & - t_PolynomialRingElement v_SIMDUnit) = - temp_0_ - in + (fun result temp_1_ -> + let result:t_PolynomialRingElement v_SIMDUnit = result in let _:usize = temp_1_ in true) - (array_chunks, result <: (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit)) - (fun temp_0_ i -> - let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & - t_PolynomialRingElement v_SIMDUnit) = - temp_0_ - in + result + (fun result i -> + let result:t_PolynomialRingElement v_SIMDUnit = result in let i:usize = i in - let tmp0, out:(Core.Slice.Iter.t_Chunks i32 & Core.Option.t_Option (t_Slice i32)) = - Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks i32) - #FStar.Tactics.Typeclasses.solve - array_chunks - in - let array_chunks:Core.Slice.Iter.t_Chunks i32 = tmp0 in - array_chunks, - ({ - result with - f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_from_coefficient_array #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Core.Option.impl__unwrap #(t_Slice i32) out <: t_Slice i32) - <: - v_SIMDUnit) - } + { + result with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_from_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (array.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + <: + v_SIMDUnit) <: - t_PolynomialRingElement v_SIMDUnit) + t_Array v_SIMDUnit (sz 32) + } <: - (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit)) + t_PolynomialRingElement v_SIMDUnit) in result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst index 839ac9c79..a9b6eddc8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst @@ -6,7 +6,6 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in () @@ -14,18 +13,6 @@ let impl_1__context (self: t_DomainSeparationContext) = self.f_context let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid -let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = - if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) - <: - Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError - else - Core.Result.Result_Ok - ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) - <: - Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError - let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = match x with | DomainSeparationError_ContextTooLongError -> isz 0 @@ -56,30 +43,62 @@ let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_Domai fun (e: t_DomainSeparationError) -> match e with | DomainSeparationError_ContextTooLongError -> - Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError + Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError <: Libcrux_ml_dsa.Types.t_VerificationError } +let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + else + Core.Result.Result_Ok + ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: t_PreHash t_SHAKE128_PH (sz 256) = { f_oid_pre = (fun (_: Prims.unit) -> true); f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (sz 11)) -> true); - f_oid + f_oid = (fun (_: Prims.unit) -> v_SHAKE128_OID); + f_hash_pre + = + (fun + (#v_Shake128: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (message: t_Slice u8) + -> + true); + f_hash_post = - (fun (_: Prims.unit) -> - let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11); - Rust_primitives.Hax.array_of_list 11 list); - f_hash_pre = (fun (message: t_Slice u8) -> true); - f_hash_post = (fun (message: t_Slice u8) (out: t_Array u8 (sz 256)) -> true); + (fun + (#v_Shake128: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (message: t_Slice u8) + (out: t_Array u8 (sz 256)) + -> + true); f_hash = - fun (message: t_Slice u8) -> + fun + (#v_Shake128: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (message: t_Slice u8) + -> let output:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in let output:t_Array u8 (sz 256) = - Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #v_Shake128 #FStar.Tactics.Typeclasses.solve (sz 256) message diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti index 2dc40559b..c23391618 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti @@ -6,7 +6,6 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in () @@ -27,12 +26,6 @@ val impl_1__pre_hash_oid (self: t_DomainSeparationContext) type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError -/// `context` must be at most 255 bytes long. -val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) - : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) - Prims.l_True - (fun _ -> Prims.l_True) - val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) @@ -41,10 +34,24 @@ class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { f_oid_post:Prims.unit -> t_Array u8 (sz 11) -> Type0; f_oid:x0: Prims.unit -> Prims.Pure (t_Array u8 (sz 11)) (f_oid_pre x0) (fun result -> f_oid_post x0 result); - f_hash_pre:t_Slice u8 -> Type0; - f_hash_post:t_Slice u8 -> t_Array u8 v_DIGEST_LEN -> Type0; - f_hash:x0: t_Slice u8 - -> Prims.Pure (t_Array u8 v_DIGEST_LEN) (f_hash_pre x0) (fun result -> f_hash_post x0 result) + f_hash_pre: + #v_Shake128: Type0 -> + {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> + t_Slice u8 + -> Type0; + f_hash_post: + #v_Shake128: Type0 -> + {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> + t_Slice u8 -> + t_Array u8 v_DIGEST_LEN + -> Type0; + f_hash: + #v_Shake128: Type0 -> + {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> + x0: t_Slice u8 + -> Prims.Pure (t_Array u8 v_DIGEST_LEN) + (f_hash_pre #v_Shake128 #i1 x0) + (fun result -> f_hash_post #v_Shake128 #i1 x0 result) } /// An implementation of the pre-hash trait for the SHAKE-128 XOF with @@ -53,11 +60,22 @@ type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH let v_PRE_HASH_OID_LEN: usize = sz 11 +let v_SHAKE128_OID: t_Array u8 (sz 11) = + let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11); + Rust_primitives.Hax.array_of_list 11 list + [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_2:Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_3:Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError +/// `context` must be at most 255 bytes long. +val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) + : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) + Prims.l_True + (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] val impl:t_PreHash t_SHAKE128_PH (sz 256) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index 2a6b43436..288d73ebd 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst @@ -38,12 +38,12 @@ let rejection_sample_less_than_eta_equals_2_ = let done:bool = false in let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact u8) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) + (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8) <: - Core.Slice.Iter.t_Chunks u8) + Core.Slice.Iter.t_ChunksExact u8) (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) (fun temp_0_ random_bytes -> let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in @@ -90,12 +90,12 @@ let rejection_sample_less_than_eta_equals_4_ = let done:bool = false in let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact u8) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) + (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8) <: - Core.Slice.Iter.t_Chunks u8) + Core.Slice.Iter.t_ChunksExact u8) (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) (fun temp_0_ random_bytes -> let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in @@ -183,12 +183,12 @@ let rejection_sample_less_than_field_modulus = let done:bool = false in let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact u8) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 randomness (sz 24) <: Core.Slice.Iter.t_Chunks u8) + (Core.Slice.impl__chunks_exact #u8 randomness (sz 24) <: Core.Slice.Iter.t_ChunksExact u8) <: - Core.Slice.Iter.t_Chunks u8) + Core.Slice.Iter.t_ChunksExact u8) (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) (fun temp_0_ random_bytes -> let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in @@ -232,9 +232,10 @@ let inside_out_shuffle = let done:bool = false in let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + u8) #FStar.Tactics.Typeclasses.solve - randomness + (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8) <: Core.Slice.Iter.t_Iter u8) (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) @@ -1049,33 +1050,53 @@ let sample_mask_ring_element i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) (seed: t_Array u8 (sz 66)) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17uy -> - let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in - let out:t_Array u8 (sz 576) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 - #FStar.Tactics.Typeclasses.solve - (sz 576) - (seed <: t_Slice u8) - out - in - Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) - | 19uy -> - let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in - let out:t_Array u8 (sz 640) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 - #FStar.Tactics.Typeclasses.solve - (sz 640) - (seed <: t_Slice u8) - out - in - Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + let result, hax_temp_output:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Prims.unit) = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out:t_Array u8 (sz 576) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 576) + (seed <: t_Slice u8) + out + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out <: t_Slice u8) + result + in + result, () <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Prims.unit) + | 19uy -> + let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out:t_Array u8 (sz 640) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 640) + (seed <: t_Slice u8) + out + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out <: t_Slice u8) + result + in + result, () <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Prims.unit) + | _ -> + result, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Prims.unit) + in + result let sample_mask_vector (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) @@ -1143,6 +1164,7 @@ let sample_mask_vector (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out0 <: t_Slice u8) + (mask.[ sz 0 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -1152,6 +1174,7 @@ let sample_mask_vector (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out1 <: t_Slice u8) + (mask.[ sz 1 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -1161,6 +1184,7 @@ let sample_mask_vector (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out2 <: t_Slice u8) + (mask.[ sz 2 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -1170,6 +1194,7 @@ let sample_mask_vector (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out3 <: t_Slice u8) + (mask.[ sz 3 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -1196,6 +1221,7 @@ let sample_mask_vector (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out0 <: t_Slice u8) + (mask.[ sz 0 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -1205,6 +1231,7 @@ let sample_mask_vector (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out1 <: t_Slice u8) + (mask.[ sz 1 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -1214,6 +1241,7 @@ let sample_mask_vector (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out2 <: t_Slice u8) + (mask.[ sz 2 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -1223,6 +1251,7 @@ let sample_mask_vector (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out3 <: t_Slice u8) + (mask.[ sz 3 ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in @@ -1268,7 +1297,11 @@ let sample_mask_vector v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask i - (sample_mask_ring_element #v_SIMDUnit #v_Shake256 v_GAMMA1_EXPONENT seed + (sample_mask_ring_element #v_SIMDUnit + #v_Shake256 + v_GAMMA1_EXPONENT + seed + (mask.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti index 02905d2e7..9cab11744 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti @@ -99,6 +99,7 @@ val sample_mask_ring_element {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} (seed: t_Array u8 (sz 66)) + (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst index fba456933..424d9ceae 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst @@ -3,139 +3,145 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment open Core open FStar.Mul -let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = +let serialize (simd_unit: u8) (out: t_Slice u8) = let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.repeat 0uy (sz 19) in - match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 4uy -> - let adjacent_2_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l <: u8) - in - let adjacent_2_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined - in - let adjacent_4_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l <: u8) - in - let adjacent_4_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined - in - let adjacent_4_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy - 240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy - <: - u8) - in - let serialized:t_Array u8 (sz 19) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } - <: - Core.Ops.Range.t_Range usize) - (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 16 - } + let (out, serialized), hax_temp_output:((t_Slice u8 & t_Array u8 (sz 19)) & Prims.unit) = + match cast (Core.Slice.impl__len #u8 out <: usize) <: u8 with + | 4uy -> + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy + 240uy 240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy + <: + u8) + in + let serialized:t_Array u8 (sz 19) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - adjacent_4_combined - <: - t_Slice u8) - in - Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 v_OUTPUT_SIZE) - #FStar.Tactics.Typeclasses.solve + t_Slice u8) + adjacent_4_combined + <: + t_Slice u8) + in + let out:t_Slice u8 = + Core.Slice.impl__copy_from_slice #u8 + out (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) - | 6uy -> - let adjacent_2_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l <: u8) - in - let adjacent_2_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined - in - let adjacent_3_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) - (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) - (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y - <: - u8) - in - let adjacent_3_combined:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 1s 1s 1s 1s 1s 1s 1s (1s < + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined + in + let adjacent_3_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y + <: + u8) + in + let adjacent_3_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 1s 1s 1s 1s 1s 1s 1s (1s < - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + in + (out, serialized <: (t_Slice u8 & t_Array u8 (sz 19))), () + <: + ((t_Slice u8 & t_Array u8 (sz 19)) & Prims.unit) + | _ -> + (out, serialized <: (t_Slice u8 & t_Array u8 (sz 19))), + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + ((t_Slice u8 & t_Array u8 (sz 19)) & Prims.unit) + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti index 74c8d9c15..b329f5957 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti @@ -3,5 +3,5 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment open Core open FStar.Mul -val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val serialize (simd_unit: u8) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst index be78d6aba..7f757bb1b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst @@ -83,7 +83,7 @@ let deserialize (v_ETA: usize) (serialized: t_Slice u8) = u8) unsigned -let serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = +let serialize_when_eta_is_2_ (simd_unit: u8) (out: t_Slice u8) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let simd_unit_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 @@ -145,20 +145,18 @@ let serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = <: t_Slice u8) in - Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 v_OUTPUT_SIZE) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 } - <: - Core.Ops.Range.t_Range usize ] + let out:t_Slice u8 = + Core.Slice.impl__copy_from_slice #u8 + out + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 } <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + out -let serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = +let serialize_when_eta_is_4_ (simd_unit: u8) (out: t_Slice u8) = let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let simd_unit_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 @@ -205,25 +203,32 @@ let serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = <: t_Slice u8) in - Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 v_OUTPUT_SIZE) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } - <: - Core.Ops.Range.t_Range usize ] + let hax_temp_output, out:(Prims.unit & t_Slice u8) = + (), + Core.Slice.impl__copy_from_slice #u8 + out + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + (Prims.unit & t_Slice u8) + in + out -let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = - match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 3uy -> serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit - | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +let serialize (v_ETA: usize) (simd_unit: u8) (serialized: t_Slice u8) = + let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> serialize_when_eta_is_2_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | 4uy -> serialize_when_eta_is_4_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | _ -> + serialized, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (t_Slice u8 & Prims.unit) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti index 45782f6dc..ccad2e3cf 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti @@ -23,11 +23,11 @@ val deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) val deserialize (v_ETA: usize) (serialized: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val serialize_when_eta_is_2_ (simd_unit: u8) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val serialize_when_eta_is_4_ (simd_unit: u8) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val serialize (v_ETA: usize) (simd_unit: u8) (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst index 929fa141e..cb2d34680 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst @@ -125,7 +125,7 @@ let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = <: Rust_primitives.Hax.t_Never) -let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = +let serialize_when_gamma1_is_2_pow_17_ (simd_unit: u8) (out: t_Slice u8) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let simd_unit_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 @@ -192,20 +192,18 @@ let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = <: t_Slice u8) in - Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 v_OUTPUT_SIZE) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 18 } - <: - Core.Ops.Range.t_Range usize ] + let out:t_Slice u8 = + Core.Slice.impl__copy_from_slice #u8 + out + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 18 } <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + out -let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = +let serialize_when_gamma1_is_2_pow_19_ (simd_unit: u8) (out: t_Slice u8) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let simd_unit_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 @@ -267,25 +265,34 @@ let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = <: t_Slice u8) in - Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 v_OUTPUT_SIZE) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 } - <: - Core.Ops.Range.t_Range usize ] + let hax_temp_output, out:(Prims.unit & t_Slice u8) = + (), + Core.Slice.impl__copy_from_slice #u8 + out + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 } <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + (Prims.unit & t_Slice u8) + in + out -let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = - match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit - | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +let serialize (v_GAMMA1_EXPONENT: usize) (simd_unit: u8) (serialized: t_Slice u8) = + let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + serialize_when_gamma1_is_2_pow_17_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | 19uy -> + serialize_when_gamma1_is_2_pow_19_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | _ -> + serialized, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (t_Slice u8 & Prims.unit) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti index 655c1c899..35fffc4e1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti @@ -26,11 +26,11 @@ val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val serialize_when_gamma1_is_2_pow_17_ (simd_unit: u8) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val serialize_when_gamma1_is_2_pow_19_ (simd_unit: u8) (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +val serialize (v_GAMMA1_EXPONENT: usize) (simd_unit: u8) (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst index 3c5867826..2ccf9ed86 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fst @@ -344,21 +344,37 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = out, hax_temp_output <: (t_Slice i32 & usize)); f_gamma1_serialize_pre = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + (fun + (v_GAMMA1_EXPONENT: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (serialized: t_Slice u8) + -> true); f_gamma1_serialize_post = (fun - (v_OUTPUT_SIZE: usize) + (v_GAMMA1_EXPONENT: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: t_Array u8 v_OUTPUT_SIZE) + (serialized: t_Slice u8) + (out: t_Slice u8) -> true); f_gamma1_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_OUTPUT_SIZE - simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + (fun + (v_GAMMA1_EXPONENT: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (serialized: t_Slice u8) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_GAMMA1_EXPONENT + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); f_gamma1_deserialize_post = @@ -377,38 +393,67 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized <: u8)); f_commitment_serialize_pre = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (serialized: t_Slice u8) + -> true); f_commitment_serialize_post = (fun - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: t_Array u8 v_OUTPUT_SIZE) + (serialized: t_Slice u8) + (out: t_Slice u8) -> true); f_commitment_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize v_OUTPUT_SIZE - simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (serialized: t_Slice u8) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); f_error_serialize_pre = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + (fun + (v_ETA: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (serialized: t_Slice u8) + -> true); f_error_serialize_post = (fun - (v_OUTPUT_SIZE: usize) + (v_ETA: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: t_Array u8 v_OUTPUT_SIZE) + (serialized: t_Slice u8) + (out: t_Slice u8) -> true); f_error_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_OUTPUT_SIZE - simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + (fun + (v_ETA: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (serialized: t_Slice u8) + -> + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_ETA + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); f_error_deserialize_post = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst index ff1788cd5..3fb3f1467 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst @@ -4,69 +4,74 @@ open Core open FStar.Mul let serialize - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 4uy -> - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in - let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - i - ((coefficient1 < - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in - let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in - let coefficient2:u8 = cast (coefficients.[ sz 2 ] <: i32) <: u8 in - let coefficient3:u8 = cast (coefficients.[ sz 3 ] <: i32) <: u8 in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 3 *! i <: usize) - ((coefficient1 <>! 2l <: u8) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 3 *! i <: usize) +! sz 2 <: usize) - ((coefficient3 <>! 4l <: u8) <: u8) - in - serialized) - in - serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = + match cast (Core.Slice.impl__len #u8 serialized <: usize) <: u8 with + | 4uy -> + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let coefficient2:u8 = cast (coefficients.[ sz 2 ] <: i32) <: u8 in + let coefficient3:u8 = cast (coefficients.[ sz 3 ] <: i32) <: u8 in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3 *! i <: usize) + ((coefficient1 <>! 2l <: u8) <: u8) + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 3 *! i <: usize) +! sz 2 <: usize) + ((coefficient3 <>! 4l <: u8) <: u8) + in + serialized) + in + serialized, (() <: Prims.unit) <: (t_Slice u8 & Prims.unit) + | _ -> + serialized, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (t_Slice u8 & Prims.unit) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti index cc50ef52c..a06e23904 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti @@ -4,6 +4,6 @@ open Core open FStar.Mul val serialize - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst index a91008218..2b13f6a43 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst @@ -4,10 +4,9 @@ open Core open FStar.Mul let serialize_when_eta_is_2_ - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in let coefficient0:u8 = cast (serialize_when_eta_is_2___ETA -! (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) @@ -72,12 +71,12 @@ let serialize_when_eta_is_2_ <: u8 in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 0) (((coefficient2 < - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) serialized (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let serialized:t_Slice u8 = serialized in let i, coefficients:(usize & t_Slice i32) = temp_1_ in let coefficient0:u8 = cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8 @@ -309,24 +307,32 @@ let serialize_when_eta_is_4_ let coefficient1:u8 = cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8 in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized i ((coefficient1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit - | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> serialize_when_eta_is_2_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | 4uy -> serialize_when_eta_is_4_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | _ -> + serialized, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (t_Slice u8 & Prims.unit) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti index e973dc734..3d5414485 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti @@ -12,9 +12,9 @@ let serialize_when_eta_is_2___ETA: i32 = 2l let serialize_when_eta_is_4___ETA: i32 = 4l val serialize_when_eta_is_2_ - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val deserialize_when_eta_is_2_ (serialized: t_Slice u8) : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit @@ -32,11 +32,12 @@ val deserialize (v_ETA: usize) (serialized: t_Slice u8) (fun _ -> Prims.l_True) val serialize_when_eta_is_4_ - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val serialize - (v_OUTPUT_SIZE: usize) + (v_ETA: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst index ca1f48e87..2f3e006e4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst @@ -203,20 +203,19 @@ let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = Rust_primitives.Hax.t_Never) let serialize_when_gamma1_is_2_pow_17_ - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) serialized (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let serialized:t_Slice u8 = serialized in let i, coefficients:(usize & t_Slice i32) = temp_1_ in let coefficient0:i32 = serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) @@ -230,22 +229,22 @@ let serialize_when_gamma1_is_2_pow_17_ let coefficient3:i32 = serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 9 *! i <: usize) (cast (coefficient0 <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 1 <: usize) (cast (coefficient0 >>! 8l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 2 <: usize) (cast (coefficient0 >>! 16l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 2 <: usize) ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. @@ -253,17 +252,17 @@ let serialize_when_gamma1_is_2_pow_17_ <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 3 <: usize) (cast (coefficient1 >>! 6l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 4 <: usize) (cast (coefficient1 >>! 14l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 4 <: usize) ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. @@ -271,17 +270,17 @@ let serialize_when_gamma1_is_2_pow_17_ <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 5 <: usize) (cast (coefficient2 >>! 4l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 6 <: usize) (cast (coefficient2 >>! 12l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 6 <: usize) ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. @@ -289,35 +288,35 @@ let serialize_when_gamma1_is_2_pow_17_ <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 7 <: usize) (cast (coefficient3 >>! 2l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 9 *! i <: usize) +! sz 8 <: usize) (cast (coefficient3 >>! 10l <: i32) <: u8) in serialized) in + let hax_temp_output:Prims.unit = () <: Prims.unit in serialized let serialize_when_gamma1_is_2_pow_19_ - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) serialized (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let serialized:t_Slice u8 = serialized in let i, coefficients:(usize & t_Slice i32) = temp_1_ in let coefficient0:i32 = serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) @@ -325,22 +324,22 @@ let serialize_when_gamma1_is_2_pow_19_ let coefficient1:i32 = serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized (sz 5 *! i <: usize) (cast (coefficient0 <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 5 *! i <: usize) +! sz 1 <: usize) (cast (coefficient0 >>! 8l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 5 *! i <: usize) +! sz 2 <: usize) (cast (coefficient0 >>! 16l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 5 *! i <: usize) +! sz 2 <: usize) ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. @@ -348,29 +347,39 @@ let serialize_when_gamma1_is_2_pow_19_ <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 5 *! i <: usize) +! sz 3 <: usize) (cast (coefficient1 >>! 4l <: i32) <: u8) in - let serialized:t_Array u8 v_OUTPUT_SIZE = + let serialized:t_Slice u8 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized ((sz 5 *! i <: usize) +! sz 4 <: usize) (cast (coefficient1 >>! 12l <: i32) <: u8) in serialized) in + let hax_temp_output:Prims.unit = () <: Prims.unit in serialized let serialize - (v_OUTPUT_SIZE: usize) + (v_GAMMA1_EXPONENT: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) = - match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit - | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + let serialized, hax_temp_output:(t_Slice u8 & Prims.unit) = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + serialize_when_gamma1_is_2_pow_17_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | 19uy -> + serialize_when_gamma1_is_2_pow_19_ simd_unit serialized, () <: (t_Slice u8 & Prims.unit) + | _ -> + serialized, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (t_Slice u8 & Prims.unit) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti index a22f485c1..635329f6a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti @@ -33,16 +33,17 @@ val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) (fun _ -> Prims.l_True) val serialize_when_gamma1_is_2_pow_17_ - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_when_gamma1_is_2_pow_19_ - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val serialize - (v_OUTPUT_SIZE: usize) + (v_GAMMA1_EXPONENT: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst index 25f533de9..b381e5f1b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst @@ -6,9 +6,10 @@ open FStar.Mul let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) = let sampled:usize = sz 0 in let out, sampled:(t_Slice i32 & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + u8) #FStar.Tactics.Typeclasses.solve - randomness + (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8) <: Core.Slice.Iter.t_Iter u8) (out, sampled <: (t_Slice i32 & usize)) @@ -54,9 +55,10 @@ let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Sl let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) = let sampled:usize = sz 0 in let out, sampled:(t_Slice i32 & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + u8) #FStar.Tactics.Typeclasses.solve - randomness + (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8) <: Core.Slice.Iter.t_Iter u8) (out, sampled <: (t_Slice i32 & usize)) @@ -94,12 +96,12 @@ let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Sl let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) = let sampled:usize = sz 0 in let out, sampled:(t_Slice i32 & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact u8) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 randomness (sz 3) <: Core.Slice.Iter.t_Chunks u8) + (Core.Slice.impl__chunks_exact #u8 randomness (sz 3) <: Core.Slice.Iter.t_ChunksExact u8) <: - Core.Slice.Iter.t_Chunks u8) + Core.Slice.Iter.t_ChunksExact u8) (out, sampled <: (t_Slice i32 & usize)) (fun temp_0_ bytes -> let out, sampled:(t_Slice i32 & usize) = temp_0_ in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst index b5c72724c..a997fecc8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst @@ -282,25 +282,36 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_gamma1_serialize_pre = (fun - (v_OUTPUT_SIZE: usize) + (v_GAMMA1_EXPONENT: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) -> true); f_gamma1_serialize_post = (fun - (v_OUTPUT_SIZE: usize) + (v_GAMMA1_EXPONENT: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array u8 v_OUTPUT_SIZE) + (serialized: t_Slice u8) + (out: t_Slice u8) -> true); f_gamma1_serialize = (fun - (v_OUTPUT_SIZE: usize) + (v_GAMMA1_EXPONENT: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit); + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_GAMMA1_EXPONENT + simd_unit + serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); f_gamma1_deserialize_post = @@ -317,47 +328,60 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_commitment_serialize_pre = (fun - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) -> true); f_commitment_serialize_post = (fun - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array u8 v_OUTPUT_SIZE) + (serialized: t_Slice u8) + (out: t_Slice u8) -> true); f_commitment_serialize = (fun - (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize v_OUTPUT_SIZE simd_unit); + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize simd_unit serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); f_error_serialize_pre = (fun - (v_OUTPUT_SIZE: usize) + (v_ETA: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) -> true); f_error_serialize_post = (fun - (v_OUTPUT_SIZE: usize) + (v_ETA: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array u8 v_OUTPUT_SIZE) + (serialized: t_Slice u8) + (out: t_Slice u8) -> true); f_error_serialize = (fun - (v_OUTPUT_SIZE: usize) + (v_ETA: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (serialized: t_Slice u8) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); + let hax_temp_output, serialized:(Prims.unit & t_Slice u8) = + (), Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_ETA simd_unit serialized + <: + (Prims.unit & t_Slice u8) + in + serialized); f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); f_error_deserialize_post = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index 280e421e6..9b879cee0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti @@ -92,30 +92,30 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Slice i32 & usize) (f_rejection_sample_less_than_eta_equals_4_pre x0 x1) (fun result -> f_rejection_sample_less_than_eta_equals_4_post x0 x1 result); - f_gamma1_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; - f_gamma1_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; - f_gamma1_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self - -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) - (f_gamma1_serialize_pre v_OUTPUT_SIZE x0) - (fun result -> f_gamma1_serialize_post v_OUTPUT_SIZE x0 result); + f_gamma1_serialize_pre:v_GAMMA1_EXPONENT: usize -> v_Self -> t_Slice u8 -> Type0; + f_gamma1_serialize_post:v_GAMMA1_EXPONENT: usize -> v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; + f_gamma1_serialize:v_GAMMA1_EXPONENT: usize -> x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure (t_Slice u8) + (f_gamma1_serialize_pre v_GAMMA1_EXPONENT x0 x1) + (fun result -> f_gamma1_serialize_post v_GAMMA1_EXPONENT x0 x1 result); f_gamma1_deserialize_pre:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> Type0; f_gamma1_deserialize_post:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> v_Self -> Type0; f_gamma1_deserialize:v_GAMMA1_EXPONENT: usize -> x0: t_Slice u8 -> Prims.Pure v_Self (f_gamma1_deserialize_pre v_GAMMA1_EXPONENT x0) (fun result -> f_gamma1_deserialize_post v_GAMMA1_EXPONENT x0 result); - f_commitment_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; - f_commitment_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; - f_commitment_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self - -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) - (f_commitment_serialize_pre v_OUTPUT_SIZE x0) - (fun result -> f_commitment_serialize_post v_OUTPUT_SIZE x0 result); - f_error_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; - f_error_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; - f_error_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self - -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) - (f_error_serialize_pre v_OUTPUT_SIZE x0) - (fun result -> f_error_serialize_post v_OUTPUT_SIZE x0 result); + f_commitment_serialize_pre:v_Self -> t_Slice u8 -> Type0; + f_commitment_serialize_post:v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; + f_commitment_serialize:x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure (t_Slice u8) + (f_commitment_serialize_pre x0 x1) + (fun result -> f_commitment_serialize_post x0 x1 result); + f_error_serialize_pre:v_ETA: usize -> v_Self -> t_Slice u8 -> Type0; + f_error_serialize_post:v_ETA: usize -> v_Self -> t_Slice u8 -> t_Slice u8 -> Type0; + f_error_serialize:v_ETA: usize -> x0: v_Self -> x1: t_Slice u8 + -> Prims.Pure (t_Slice u8) + (f_error_serialize_pre v_ETA x0 x1) + (fun result -> f_error_serialize_post v_ETA x0 x1 result); f_error_deserialize_pre:v_ETA: usize -> t_Slice u8 -> Type0; f_error_deserialize_post:v_ETA: usize -> t_Slice u8 -> v_Self -> Type0; f_error_deserialize:v_ETA: usize -> x0: t_Slice u8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst index 1707b9546..0a457fc6e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst @@ -34,7 +34,7 @@ let t_VerificationError_cast_to_repr (x: t_VerificationError) = | VerificationError_MalformedHintError -> isz 0 | VerificationError_SignerResponseExceedsBoundError -> isz 1 | VerificationError_CommitmentHashesDontMatchError -> isz 3 - | VerificationError_ContextTooLongError -> isz 6 + | VerificationError_VerificationContextTooLongError -> isz 6 let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value <: t_Slice u8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti index e01708ed2..0a03514df 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti @@ -64,7 +64,7 @@ type t_VerificationError = | VerificationError_MalformedHintError : t_VerificationError | VerificationError_SignerResponseExceedsBoundError : t_VerificationError | VerificationError_CommitmentHashesDontMatchError : t_VerificationError - | VerificationError_ContextTooLongError : t_VerificationError + | VerificationError_VerificationContextTooLongError : t_VerificationError val t_VerificationError_cast_to_repr (x: t_VerificationError) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) From 9f923062eac13378f38581b2713046191d4ae7ad Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 11 Dec 2024 10:00:19 +0000 Subject: [PATCH 24/27] address review comments --- libcrux-ml-dsa/src/encoding/t1.rs | 3 +- .../src/ml_dsa_generic/instantiations/avx2.rs | 36 ++++++++++++++----- libcrux-sha3/src/lib.rs | 6 ++-- 3 files changed, 32 insertions(+), 13 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/t1.rs b/libcrux-ml-dsa/src/encoding/t1.rs index 4f72fe98b..037e3e794 100644 --- a/libcrux-ml-dsa/src/encoding/t1.rs +++ b/libcrux-ml-dsa/src/encoding/t1.rs @@ -27,8 +27,9 @@ pub(crate) fn deserialize( serialized: &[u8], result: &mut PolynomialRingElement, ) { + const WINDOW: usize = 10; for i in 0..result.simd_units.len() { - result.simd_units[i] = SIMDUnit::t1_deserialize(&serialized[i * 10..(i + 1) * 10]); + result.simd_units[i] = SIMDUnit::t1_deserialize(&serialized[i * WINDOW..(i + 1) * WINDOW]); } () } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 92d06ad8d..a6d3c85b5 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -25,7 +25,9 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, - crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -64,7 +66,9 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, - crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -111,7 +115,9 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, - crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, crate::hash_functions::simd256::Shake256x4, ROWS_IN_A, COLUMNS_IN_A, @@ -156,10 +162,14 @@ mod avx2_feature { ) -> Result, SigningError> { crate::ml_dsa_generic::sign_pre_hashed::< crate::simd::avx2::AVX2SIMDUnit, - crate::hash_functions::portable::Shake128, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake128, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, - crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, crate::hash_functions::simd256::Shake256x4, SHAKE128_PH, 256, @@ -207,7 +217,9 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, - crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, ROWS_IN_A, COLUMNS_IN_A, SIGNATURE_SIZE, @@ -251,7 +263,9 @@ mod avx2_feature { crate::simd::avx2::AVX2SIMDUnit, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, - crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, ROWS_IN_A, COLUMNS_IN_A, SIGNATURE_SIZE, @@ -293,10 +307,14 @@ mod avx2_feature { ) -> Result<(), VerificationError> { crate::ml_dsa_generic::verify_pre_hashed::< crate::simd::avx2::AVX2SIMDUnit, - crate::hash_functions::portable::Shake128, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake128, crate::hash_functions::simd256::Shake128x4, crate::hash_functions::simd256::Shake256, - crate::hash_functions::portable::Shake256Xof, // XXX: Use simd256 + // We use the portable version here. + // It doesn' make sense to do these in parallel. + crate::hash_functions::portable::Shake256Xof, SHAKE128_PH, 256, ROWS_IN_A, diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs index 0d5d02d8c..45033ab98 100644 --- a/libcrux-sha3/src/lib.rs +++ b/libcrux-sha3/src/lib.rs @@ -270,17 +270,17 @@ pub mod portable { } use super::*; - /// SHAKE128 in absorb state + /// SHAKE128 Xof state pub struct Shake128Xof { state: KeccakXofState<1, 168, u64>, } - /// SHAKE256 in absorb state + /// SHAKE256 Xof state pub struct Shake256Xof { state: KeccakXofState<1, 136, u64>, } - /// An XOF in absorb state + /// An XOF pub trait Xof: private::Sealed { /// Create new absorb state fn new() -> Self; From c51c2dddfdda4a78d6671743e9d24fb5d0c1512d Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 11 Dec 2024 16:25:41 +0000 Subject: [PATCH 25/27] update C extraction --- libcrux-ml-kem/c/code_gen.txt | 2 +- libcrux-ml-kem/c/internal/libcrux_core.h | 2 +- .../c/internal/libcrux_mlkem_avx2.h | 2 +- .../c/internal/libcrux_mlkem_portable.h | 2 +- libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h | 2 +- .../c/internal/libcrux_sha3_internal.h | 310 +++++++++--------- libcrux-ml-kem/c/libcrux_core.c | 2 +- libcrux-ml-kem/c/libcrux_core.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem512.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem768.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem_portable.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem_portable.h | 2 +- libcrux-ml-kem/c/libcrux_sha3.h | 2 +- libcrux-ml-kem/c/libcrux_sha3_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_sha3_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_sha3_internal.h | 2 +- libcrux-ml-kem/cg/code_gen.txt | 2 +- libcrux-ml-kem/cg/libcrux_core.h | 2 +- libcrux-ml-kem/cg/libcrux_ct_ops.h | 2 +- libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h | 2 +- libcrux-ml-kem/cg/libcrux_mlkem768_portable.h | 2 +- libcrux-ml-kem/cg/libcrux_sha3_avx2.h | 2 +- libcrux-ml-kem/cg/libcrux_sha3_portable.h | 310 +++++++++--------- 38 files changed, 328 insertions(+), 364 deletions(-) diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt index 96556d5be..fa60f6271 100644 --- a/libcrux-ml-kem/c/code_gen.txt +++ b/libcrux-ml-kem/c/code_gen.txt @@ -3,4 +3,4 @@ Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 Eurydice: 7d686376ec943225ff89942978c6c3028bac689c Karamel: 8c3612018c25889288da6857771be3ad03b75bcd F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty -Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 +Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h index c5f48a4ce..322d182d6 100644 --- a/libcrux-ml-kem/c/internal/libcrux_core.h +++ b/libcrux-ml-kem/c/internal/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __internal_libcrux_core_H diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h index 01108cafb..c94c2e592 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __internal_libcrux_mlkem_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h index aca6e52eb..4e73d33cd 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __internal_libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index fb158f1b4..27e184647 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __internal_libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index ca072118b..8cce8bc81 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __internal_libcrux_sha3_internal_H @@ -245,7 +245,7 @@ typedef struct libcrux_sha3_generic_keccak_KeccakXofState_e2_s { } libcrux_sha3_generic_keccak_KeccakXofState_e2; typedef libcrux_sha3_generic_keccak_KeccakXofState_e2 - libcrux_sha3_portable_incremental_Shake256Absorb; + libcrux_sha3_portable_incremental_Shake256Xof; /** Consume the internal buffer and the required amount of the input to pad to @@ -401,19 +401,15 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c6( Shake256 absorb */ /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for -libcrux_sha3::portable::incremental::Shake256Absorb)#2} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} */ -static inline void libcrux_sha3_portable_incremental_absorb_7d( +static inline void libcrux_sha3_portable_incremental_absorb_68( libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) { Eurydice_slice buf[1U] = {input}; libcrux_sha3_generic_keccak_absorb_8b_c6(self, buf); } -typedef libcrux_sha3_generic_keccak_KeccakXofState_e2 - libcrux_sha3_portable_incremental_Shake256Squeeze; - /** Absorb a final block. @@ -479,16 +475,13 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e( Shake256 absorb final */ /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for -libcrux_sha3::portable::incremental::Shake256Absorb)#2} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} */ -static inline libcrux_sha3_generic_keccak_KeccakXofState_e2 -libcrux_sha3_portable_incremental_absorb_final_7d( - libcrux_sha3_generic_keccak_KeccakXofState_e2 self, Eurydice_slice input) { +static inline void libcrux_sha3_portable_incremental_absorb_final_68( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) { Eurydice_slice buf[1U] = {input}; - libcrux_sha3_generic_keccak_absorb_final_8b_9e(&self, buf); - return self; + libcrux_sha3_generic_keccak_absorb_final_8b_9e(self, buf); } /** @@ -675,15 +668,132 @@ libcrux_sha3_generic_keccak_new_8b_c6(void) { Shake256 new state */ /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for -libcrux_sha3::portable::incremental::Shake256Absorb)#2} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} */ static inline libcrux_sha3_generic_keccak_KeccakXofState_e2 -libcrux_sha3_portable_incremental_new_7d(void) { +libcrux_sha3_portable_incremental_new_68(void) { return libcrux_sha3_generic_keccak_new_8b_c6(); } +/** + `out` has the exact size we want here. It must be less than or equal to `RATE`. +*/ +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_5a +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b( + uint64_t (*state)[5U], Eurydice_slice out[1U]) { + size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U; + size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U; + for (size_t i = (size_t)0U; i < num_full_blocks; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } + if (last_block_len != (size_t)0U) { + Eurydice_slice uu____1 = Eurydice_slice_subslice2( + out[0U], num_full_blocks * (size_t)8U, + num_full_blocks * (size_t)8U + last_block_len, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes( + state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret); + Eurydice_slice_copy( + uu____1, + Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t), + uint8_t); + } +} + +/** + Squeeze `N` x `LEN` bytes. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, + Eurydice_slice out[1U]) { + if (self->sponge) { + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + } + size_t out_len = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = out_len / (size_t)136U; + size_t last = out_len - out_len % (size_t)136U; + size_t mid; + if ((size_t)136U >= out_len) { + mid = out_len; + } else { + mid = (size_t)136U; + } + Eurydice_slice_uint8_t_1size_t__x2 uu____0 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid); + Eurydice_slice out00[1U]; + memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice out_rest[1U]; + memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, core_option_Option_08) + .tag == core_option_None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____1 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest, + (size_t)136U); + Eurydice_slice out0[1U]; + memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice tmp[1U]; + memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0); + memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < out_len) { + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest); + } + self->sponge = true; +} + +/** + Shake256 squeeze +*/ +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} +*/ +static inline void libcrux_sha3_portable_incremental_squeeze_68( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) { + Eurydice_slice buf[1U] = {out}; + libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf); +} + /** A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState with types uint64_t @@ -699,7 +809,7 @@ typedef struct libcrux_sha3_generic_keccak_KeccakXofState_97_s { } libcrux_sha3_generic_keccak_KeccakXofState_97; typedef libcrux_sha3_generic_keccak_KeccakXofState_97 - libcrux_sha3_portable_incremental_Shake128Absorb; + libcrux_sha3_portable_incremental_Shake128Xof; /** Consume the internal buffer and the required amount of the input to pad to @@ -852,19 +962,15 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c60( } /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for -libcrux_sha3::portable::incremental::Shake128Absorb)} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} */ -static inline void libcrux_sha3_portable_incremental_absorb_1c( +static inline void libcrux_sha3_portable_incremental_absorb_2f( libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) { Eurydice_slice buf[1U] = {input}; libcrux_sha3_generic_keccak_absorb_8b_c60(self, buf); } -typedef libcrux_sha3_generic_keccak_KeccakXofState_97 - libcrux_sha3_portable_incremental_Shake128Squeeze; - /** Absorb a final block. @@ -927,16 +1033,13 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e0( } /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for -libcrux_sha3::portable::incremental::Shake128Absorb)} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} */ -static inline libcrux_sha3_generic_keccak_KeccakXofState_97 -libcrux_sha3_portable_incremental_absorb_final_1c( - libcrux_sha3_generic_keccak_KeccakXofState_97 self, Eurydice_slice input) { +static inline void libcrux_sha3_portable_incremental_absorb_final_2f( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) { Eurydice_slice buf[1U] = {input}; - libcrux_sha3_generic_keccak_absorb_final_8b_9e0(&self, buf); - return self; + libcrux_sha3_generic_keccak_absorb_final_8b_9e0(self, buf); } /** @@ -1152,134 +1255,14 @@ libcrux_sha3_generic_keccak_new_8b_c60(void) { } /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for -libcrux_sha3::portable::incremental::Shake128Absorb)} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} */ static inline libcrux_sha3_generic_keccak_KeccakXofState_97 -libcrux_sha3_portable_incremental_new_1c(void) { +libcrux_sha3_portable_incremental_new_2f(void) { return libcrux_sha3_generic_keccak_new_8b_c60(); } -/** - `out` has the exact size we want here. It must be less than or equal to `RATE`. -*/ -/** -This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: -usize> for u64)} -*/ -/** -A monomorphic instance of libcrux_sha3.portable_keccak.store_5a -with const generics -- RATE= 136 -*/ -static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b( - uint64_t (*state)[5U], Eurydice_slice out[1U]) { - size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U; - size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U; - for (size_t i = (size_t)0U; i < num_full_blocks; i++) { - size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); - uint8_t ret[8U]; - core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); - } - if (last_block_len != (size_t)0U) { - Eurydice_slice uu____1 = Eurydice_slice_subslice2( - out[0U], num_full_blocks * (size_t)8U, - num_full_blocks * (size_t)8U + last_block_len, uint8_t); - uint8_t ret[8U]; - core_num__u64_9__to_le_bytes( - state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret); - Eurydice_slice_copy( - uu____1, - Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t), - uint8_t); - } -} - -/** - Squeeze `N` x `LEN` bytes. -*/ -/** -This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} -*/ -/** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b -with types uint64_t -with const generics -- PARALLEL_LANES= 1 -- RATE= 136 -*/ -static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6( - libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, - Eurydice_slice out[1U]) { - if (self->sponge) { - libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); - } - size_t out_len = Eurydice_slice_len(out[0U], uint8_t); - size_t blocks = out_len / (size_t)136U; - size_t last = out_len - out_len % (size_t)136U; - size_t mid; - if ((size_t)136U >= out_len) { - mid = out_len; - } else { - mid = (size_t)136U; - } - Eurydice_slice_uint8_t_1size_t__x2 uu____0 = - libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid); - Eurydice_slice out00[1U]; - memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice)); - Eurydice_slice out_rest[1U]; - memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00); - core_ops_range_Range_08 iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, - .end = blocks}), - core_ops_range_Range_08, core_ops_range_Range_08); - while (true) { - if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( - &iter, size_t, core_option_Option_08) - .tag == core_option_None) { - break; - } else { - Eurydice_slice_uint8_t_1size_t__x2 uu____1 = - libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest, - (size_t)136U); - Eurydice_slice out0[1U]; - memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice)); - Eurydice_slice tmp[1U]; - memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); - libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0); - memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice)); - } - } - if (last < out_len) { - libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); - libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest); - } - self->sponge = true; -} - -/** - Shake256 squeeze -*/ -/** -This function found in impl -{(libcrux_sha3::portable::incremental::XofSqueeze<136: usize> for -libcrux_sha3::portable::incremental::Shake256Squeeze)#3} -*/ -static inline void libcrux_sha3_portable_incremental_squeeze_8a( - libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) { - Eurydice_slice buf[1U] = {out}; - libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf); -} - /** `out` has the exact size we want here. It must be less than or equal to `RATE`. */ @@ -1389,11 +1372,10 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c60( Shake128 squeeze */ /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofSqueeze<168: usize> for -libcrux_sha3::portable::incremental::Shake128Squeeze)#1} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} */ -static inline void libcrux_sha3_portable_incremental_squeeze_10( +static inline void libcrux_sha3_portable_incremental_squeeze_2f( libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; libcrux_sha3_generic_keccak_squeeze_8b_c60(self, buf); diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index 76677a85b..61b0a6556 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "internal/libcrux_core.h" diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index a94f355d9..0e1e56827 100644 --- a/libcrux-ml-kem/c/libcrux_core.h +++ b/libcrux-ml-kem/c/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h index b173ad526..10a342939 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem1024_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c index c43ee8f13..b9329bb6c 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "libcrux_mlkem1024_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h index afd941054..c11238c83 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem1024_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c index 57e04e060..27f7af3bb 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "libcrux_mlkem1024_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h index b1942de40..3c8d10766 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem1024_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h index ab5380f35..d36c4edc6 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem512_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c index e23ec575f..f01ff24d4 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "libcrux_mlkem512_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h index 6e4bc764c..8a37e6ad1 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem512_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c index 0f919e950..a36ff5b74 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "libcrux_mlkem512_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h index 4cdcf8d07..8b857f3f7 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem512_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h index adf020ae6..11ba89a99 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem768_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c index b8fc9a3c4..eb76ca161 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "libcrux_mlkem768_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h index e5c7f82c3..2ed095a8c 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem768_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c index a767de37e..8b0e1a1c3 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "libcrux_mlkem768_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h index d3c6f6abc..f9e85d74e 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem768_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c index 8b8affa45..76e9f79ec 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "internal/libcrux_mlkem_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h index cbc9c0c6c..2bb5b6243 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c index 3272dbcf8..02c85a990 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "internal/libcrux_mlkem_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h index 594c2bd30..81d96fa11 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h index a930941d7..f4d77b827 100644 --- a/libcrux-ml-kem/c/libcrux_sha3.h +++ b/libcrux-ml-kem/c/libcrux_sha3.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_sha3_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c index a9b3b3f77..8bd336749 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #include "internal/libcrux_sha3_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h index 7b0eb2132..f40fab695 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h index 1e69eabe2..25ede7742 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: 122ee3d193e33f55c2324ee84f974e647255f545 + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_sha3_internal_H diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt index 3bbff9516..fa60f6271 100644 --- a/libcrux-ml-kem/cg/code_gen.txt +++ b/libcrux-ml-kem/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 Eurydice: 7d686376ec943225ff89942978c6c3028bac689c Karamel: 8c3612018c25889288da6857771be3ad03b75bcd F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty -Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c +Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h index 797299a5e..33e8d0a6b 100644 --- a/libcrux-ml-kem/cg/libcrux_core.h +++ b/libcrux-ml-kem/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h index d29deded9..d5d436aa6 100644 --- a/libcrux-ml-kem/cg/libcrux_ct_ops.h +++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_ct_ops_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h index 09c5ec2f6..50f3b0065 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem768_avx2_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h index 0ef93f4c2..8dcdb1834 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_mlkem768_portable_H diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h index 412ce26b2..b55d65d99 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h index 6bed02ce3..a95250aad 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: 7d686376ec943225ff89942978c6c3028bac689c * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: dc479b888127f61fdc6af2d8524c06a6a6fb1e9c + * Libcrux: 9f923062eac13378f38581b2713046191d4ae7ad */ #ifndef __libcrux_sha3_portable_H @@ -3705,7 +3705,7 @@ typedef struct libcrux_sha3_generic_keccak_KeccakXofState_e2_s { } libcrux_sha3_generic_keccak_KeccakXofState_e2; typedef libcrux_sha3_generic_keccak_KeccakXofState_e2 - libcrux_sha3_portable_incremental_Shake256Absorb; + libcrux_sha3_portable_incremental_Shake256Xof; /** Consume the internal buffer and the required amount of the input to pad to @@ -3861,19 +3861,15 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c6( Shake256 absorb */ /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for -libcrux_sha3::portable::incremental::Shake256Absorb)#2} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} */ -static inline void libcrux_sha3_portable_incremental_absorb_7d( +static inline void libcrux_sha3_portable_incremental_absorb_68( libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) { Eurydice_slice buf[1U] = {input}; libcrux_sha3_generic_keccak_absorb_8b_c6(self, buf); } -typedef libcrux_sha3_generic_keccak_KeccakXofState_e2 - libcrux_sha3_portable_incremental_Shake256Squeeze; - /** Absorb a final block. @@ -3939,16 +3935,13 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e( Shake256 absorb final */ /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for -libcrux_sha3::portable::incremental::Shake256Absorb)#2} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} */ -static inline libcrux_sha3_generic_keccak_KeccakXofState_e2 -libcrux_sha3_portable_incremental_absorb_final_7d( - libcrux_sha3_generic_keccak_KeccakXofState_e2 self, Eurydice_slice input) { +static inline void libcrux_sha3_portable_incremental_absorb_final_68( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice input) { Eurydice_slice buf[1U] = {input}; - libcrux_sha3_generic_keccak_absorb_final_8b_9e(&self, buf); - return self; + libcrux_sha3_generic_keccak_absorb_final_8b_9e(self, buf); } /** @@ -4135,15 +4128,132 @@ libcrux_sha3_generic_keccak_new_8b_c6(void) { Shake256 new state */ /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for -libcrux_sha3::portable::incremental::Shake256Absorb)#2} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} */ static inline libcrux_sha3_generic_keccak_KeccakXofState_e2 -libcrux_sha3_portable_incremental_new_7d(void) { +libcrux_sha3_portable_incremental_new_68(void) { return libcrux_sha3_generic_keccak_new_8b_c6(); } +/** + `out` has the exact size we want here. It must be less than or equal to `RATE`. +*/ +/** +This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: +usize> for u64)} +*/ +/** +A monomorphic instance of libcrux_sha3.portable_keccak.store_5a +with const generics +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b( + uint64_t (*state)[5U], Eurydice_slice out[1U]) { + size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U; + size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U; + for (size_t i = (size_t)0U; i < num_full_blocks; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_slice_subslice2( + out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); + } + if (last_block_len != (size_t)0U) { + Eurydice_slice uu____1 = Eurydice_slice_subslice2( + out[0U], num_full_blocks * (size_t)8U, + num_full_blocks * (size_t)8U + last_block_len, uint8_t); + uint8_t ret[8U]; + core_num__u64_9__to_le_bytes( + state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret); + Eurydice_slice_copy( + uu____1, + Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t), + uint8_t); + } +} + +/** + Squeeze `N` x `LEN` bytes. +*/ +/** +This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} +*/ +/** +A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b +with types uint64_t +with const generics +- PARALLEL_LANES= 1 +- RATE= 136 +*/ +static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, + Eurydice_slice out[1U]) { + if (self->sponge) { + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + } + size_t out_len = Eurydice_slice_len(out[0U], uint8_t); + size_t blocks = out_len / (size_t)136U; + size_t last = out_len - out_len % (size_t)136U; + size_t mid; + if ((size_t)136U >= out_len) { + mid = out_len; + } else { + mid = (size_t)136U; + } + Eurydice_slice_uint8_t_1size_t__x2 uu____0 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid); + Eurydice_slice out00[1U]; + memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice out_rest[1U]; + memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00); + core_ops_range_Range_08 iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( + (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, + .end = blocks}), + core_ops_range_Range_08, core_ops_range_Range_08); + while (true) { + if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( + &iter, size_t, Option_08) + .tag == None) { + break; + } else { + Eurydice_slice_uint8_t_1size_t__x2 uu____1 = + libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest, + (size_t)136U); + Eurydice_slice out0[1U]; + memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice)); + Eurydice_slice tmp[1U]; + memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0); + memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice)); + } + } + if (last < out_len) { + libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); + libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest); + } + self->sponge = true; +} + +/** + Shake256 squeeze +*/ +/** +This function found in impl {(libcrux_sha3::portable::incremental::Xof<136: +usize> for libcrux_sha3::portable::incremental::Shake256Xof)#1} +*/ +static inline void libcrux_sha3_portable_incremental_squeeze_68( + libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) { + Eurydice_slice buf[1U] = {out}; + libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf); +} + /** A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState with types uint64_t @@ -4159,7 +4269,7 @@ typedef struct libcrux_sha3_generic_keccak_KeccakXofState_97_s { } libcrux_sha3_generic_keccak_KeccakXofState_97; typedef libcrux_sha3_generic_keccak_KeccakXofState_97 - libcrux_sha3_portable_incremental_Shake128Absorb; + libcrux_sha3_portable_incremental_Shake128Xof; /** Consume the internal buffer and the required amount of the input to pad to @@ -4312,19 +4422,15 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_8b_c60( } /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for -libcrux_sha3::portable::incremental::Shake128Absorb)} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} */ -static inline void libcrux_sha3_portable_incremental_absorb_1c( +static inline void libcrux_sha3_portable_incremental_absorb_2f( libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) { Eurydice_slice buf[1U] = {input}; libcrux_sha3_generic_keccak_absorb_8b_c60(self, buf); } -typedef libcrux_sha3_generic_keccak_KeccakXofState_97 - libcrux_sha3_portable_incremental_Shake128Squeeze; - /** Absorb a final block. @@ -4387,16 +4493,13 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_8b_9e0( } /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for -libcrux_sha3::portable::incremental::Shake128Absorb)} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} */ -static inline libcrux_sha3_generic_keccak_KeccakXofState_97 -libcrux_sha3_portable_incremental_absorb_final_1c( - libcrux_sha3_generic_keccak_KeccakXofState_97 self, Eurydice_slice input) { +static inline void libcrux_sha3_portable_incremental_absorb_final_2f( + libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice input) { Eurydice_slice buf[1U] = {input}; - libcrux_sha3_generic_keccak_absorb_final_8b_9e0(&self, buf); - return self; + libcrux_sha3_generic_keccak_absorb_final_8b_9e0(self, buf); } /** @@ -4612,134 +4715,14 @@ libcrux_sha3_generic_keccak_new_8b_c60(void) { } /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for -libcrux_sha3::portable::incremental::Shake128Absorb)} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} */ static inline libcrux_sha3_generic_keccak_KeccakXofState_97 -libcrux_sha3_portable_incremental_new_1c(void) { +libcrux_sha3_portable_incremental_new_2f(void) { return libcrux_sha3_generic_keccak_new_8b_c60(); } -/** - `out` has the exact size we want here. It must be less than or equal to `RATE`. -*/ -/** -This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1: -usize> for u64)} -*/ -/** -A monomorphic instance of libcrux_sha3.portable_keccak.store_5a -with const generics -- RATE= 136 -*/ -static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_5b( - uint64_t (*state)[5U], Eurydice_slice out[1U]) { - size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U; - size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U; - for (size_t i = (size_t)0U; i < num_full_blocks; i++) { - size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); - uint8_t ret[8U]; - core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret); - Eurydice_slice_copy( - uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); - } - if (last_block_len != (size_t)0U) { - Eurydice_slice uu____1 = Eurydice_slice_subslice2( - out[0U], num_full_blocks * (size_t)8U, - num_full_blocks * (size_t)8U + last_block_len, uint8_t); - uint8_t ret[8U]; - core_num__u64_9__to_le_bytes( - state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret); - Eurydice_slice_copy( - uu____1, - Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t), - uint8_t); - } -} - -/** - Squeeze `N` x `LEN` bytes. -*/ -/** -This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState[TraitClause@0, TraitClause@1]#2} -*/ -/** -A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_8b -with types uint64_t -with const generics -- PARALLEL_LANES= 1 -- RATE= 136 -*/ -static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c6( - libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, - Eurydice_slice out[1U]) { - if (self->sponge) { - libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); - } - size_t out_len = Eurydice_slice_len(out[0U], uint8_t); - size_t blocks = out_len / (size_t)136U; - size_t last = out_len - out_len % (size_t)136U; - size_t mid; - if ((size_t)136U >= out_len) { - mid = out_len; - } else { - mid = (size_t)136U; - } - Eurydice_slice_uint8_t_1size_t__x2 uu____0 = - libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid); - Eurydice_slice out00[1U]; - memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice)); - Eurydice_slice out_rest[1U]; - memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out00); - core_ops_range_Range_08 iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( - (CLITERAL(core_ops_range_Range_08){.start = (size_t)1U, - .end = blocks}), - core_ops_range_Range_08, core_ops_range_Range_08); - while (true) { - if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A__TraitClause_0___6__next( - &iter, size_t, Option_08) - .tag == None) { - break; - } else { - Eurydice_slice_uint8_t_1size_t__x2 uu____1 = - libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest, - (size_t)136U); - Eurydice_slice out0[1U]; - memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice)); - Eurydice_slice tmp[1U]; - memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); - libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out0); - memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice)); - } - } - if (last < out_len) { - libcrux_sha3_generic_keccak_keccakf1600_04(&self->inner); - libcrux_sha3_portable_keccak_store_5a_5b(self->inner.st, out_rest); - } - self->sponge = true; -} - -/** - Shake256 squeeze -*/ -/** -This function found in impl -{(libcrux_sha3::portable::incremental::XofSqueeze<136: usize> for -libcrux_sha3::portable::incremental::Shake256Squeeze)#3} -*/ -static inline void libcrux_sha3_portable_incremental_squeeze_8a( - libcrux_sha3_generic_keccak_KeccakXofState_e2 *self, Eurydice_slice out) { - Eurydice_slice buf[1U] = {out}; - libcrux_sha3_generic_keccak_squeeze_8b_c6(self, buf); -} - /** `out` has the exact size we want here. It must be less than or equal to `RATE`. */ @@ -4849,11 +4832,10 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_8b_c60( Shake128 squeeze */ /** -This function found in impl -{(libcrux_sha3::portable::incremental::XofSqueeze<168: usize> for -libcrux_sha3::portable::incremental::Shake128Squeeze)#1} +This function found in impl {(libcrux_sha3::portable::incremental::Xof<168: +usize> for libcrux_sha3::portable::incremental::Shake128Xof)} */ -static inline void libcrux_sha3_portable_incremental_squeeze_10( +static inline void libcrux_sha3_portable_incremental_squeeze_2f( libcrux_sha3_generic_keccak_KeccakXofState_97 *self, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; libcrux_sha3_generic_keccak_squeeze_8b_c60(self, buf); From 23f67231af11af4e9d063b91bf5f00ed76b5e7f0 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 11 Dec 2024 18:29:25 +0000 Subject: [PATCH 26/27] update DsaXof comment --- libcrux-ml-dsa/src/hash_functions.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 84ca5fbe9..c58a1b46f 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs @@ -5,6 +5,8 @@ pub(crate) mod shake256 { pub(crate) const BLOCK_SIZE: usize = 136; /// An ML-DSA specific Xof trait + /// This trait is not actually a full Xof implementation but opererates only + /// on multiple of blocks. The only real Xof API for SHAKE256 is [`Xof`]. pub(crate) trait DsaXof { fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]); fn init_absorb_final(input: &[u8]) -> Self; From f2e76e9d0b0eb79fc9b9b0bc25c0862b7d7db2c6 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 11 Dec 2024 18:29:42 +0000 Subject: [PATCH 27/27] mldsa: update F* extraction --- .../fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst | 4 ++-- .../fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti | 2 ++ .../Libcrux_ml_dsa.Hash_functions.Shake256.fsti | 2 ++ .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 12 ++++++------ .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 12 ++++++------ .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 12 ++++++------ .../fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 12 ++++++------ .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 12 ++++++------ .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 12 ++++++------ .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 12 ++++++------ .../fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 12 ++++++------ .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 12 ++++++------ .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 12 ++++++------ .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 12 ++++++------ .../fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 12 ++++++------ .../proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst | 6 +++--- .../fstar/extraction/Libcrux_ml_dsa.Types.fsti | 6 +++--- 17 files changed, 84 insertions(+), 80 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst index 2348e0868..4e42a3c10 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst @@ -41,8 +41,8 @@ let deserialize (Libcrux_ml_dsa.Simd.Traits.f_t1_deserialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve (serialized.[ { - Core.Ops.Range.f_start = i *! sz 10 <: usize; - Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! sz 10 <: usize + Core.Ops.Range.f_start = i *! deserialize__WINDOW <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! deserialize__WINDOW <: usize } <: Core.Ops.Range.t_Range usize ] diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti index 6ac2183bb..b1b59a0dc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti @@ -9,6 +9,8 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let deserialize__WINDOW: usize = sz 10 + let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10 val deserialize diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti index 4f08af6fa..de5a31b65 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti @@ -4,6 +4,8 @@ open Core open FStar.Mul /// An ML-DSA specific Xof trait +/// This trait is not actually a full Xof implementation but opererates only +/// on multiple of blocks. The only real Xof API for SHAKE256 is [`Xof`]. class t_DsaXof (v_Self: Type0) = { f_shake256_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; f_shake256_post: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst index 57daef3c6..c923aaf46 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst index 881529d16..cbfcb41f1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst index 47feb8acb..5ecf58ac3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) - (sz 2420) (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) + (sz 2420) (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst index de9e24809..fd9368339 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 2560) signing_key <: t_Array u8 (sz 2560)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 2560) signing_key <: t_Array u8 (sz 2560)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1312) verification_key <: t_Array u8 (sz 1312)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 2420) signature <: t_Array u8 (sz 2420)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1312) verification_key <: t_Array u8 (sz 1312)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index 93a4a47d2..fb56ab400 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index 52cd13c55..06692d1d7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index 272c8f309..d696b883f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) - (sz 3309) (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) + (sz 3309) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst index 47f6598f5..9029cf9f8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4032) signing_key <: t_Array u8 (sz 4032)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4032) signing_key <: t_Array u8 (sz 4032)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 1952) verification_key <: t_Array u8 (sz 1952)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 3309) signature <: t_Array u8 (sz 3309)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 1952) verification_key <: t_Array u8 (sz 1952)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst index a5cb7cc82..bed872537 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst index bec5c242e..f4bc8340a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst index a5b4a3a2a..6f6364908 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) - (sz 4627) (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) + (sz 4627) (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst index b7bfad8f1..a72c5865b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst @@ -29,7 +29,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness let sign_pre_hashed_shake128 @@ -39,7 +39,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) - (Libcrux_ml_dsa.Types.impl__as_raw (sz 4896) signing_key <: t_Array u8 (sz 4896)) message + (Libcrux_ml_dsa.Types.impl__as_ref (sz 4896) signing_key <: t_Array u8 (sz 4896)) message context randomness let verify @@ -49,8 +49,8 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -59,5 +59,5 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) - (Libcrux_ml_dsa.Types.impl_2__as_raw (sz 2592) verification_key <: t_Array u8 (sz 2592)) message - context (Libcrux_ml_dsa.Types.impl_4__as_raw (sz 4627) signature <: t_Array u8 (sz 4627)) + (Libcrux_ml_dsa.Types.impl_2__as_ref (sz 2592) verification_key <: t_Array u8 (sz 2592)) message + context (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst index 0a457fc6e..ee9c6cfaa 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst @@ -9,17 +9,17 @@ let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_4__as_raw (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value +let impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value let impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = { f_value = value } <: t_MLDSASignature v_SIZE -let impl__as_raw (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value +let impl__as_ref (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value let impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = { f_value = value } <: t_MLDSASigningKey v_SIZE -let impl_2__as_raw (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self.f_value +let impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self.f_value let impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) = { f_value = value } <: t_MLDSAVerificationKey v_SIZE diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti index 0a03514df..b399b3cd7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti @@ -18,7 +18,7 @@ val impl_4__len: v_SIZE: usize -> Prims.unit type t_MLDSASignature (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } /// A reference to the raw byte array. -val impl_4__as_raw (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) +val impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Build @@ -29,7 +29,7 @@ val impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) type t_MLDSASigningKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } /// A reference to the raw byte array. -val impl__as_raw (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) +val impl__as_ref (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Build @@ -40,7 +40,7 @@ val impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) type t_MLDSAVerificationKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } /// A reference to the raw byte array. -val impl_2__as_raw (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) +val impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Build