diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti
new file mode 100644
index 000000000..105a22c73
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti
@@ -0,0 +1,27 @@
+module Libcrux_ml_dsa.Constants.Ml_dsa_44_
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6
+
+let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3
+
+let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18
+
+let v_COLUMNS_IN_A: usize = sz 4
+
+let v_COMMITMENT_HASH_SIZE: usize = sz 32
+
+let v_ETA: Libcrux_ml_dsa.Constants.t_Eta =
+ Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta
+
+let v_GAMMA1_EXPONENT: usize = sz 17
+
+let v_MAX_ONES_IN_HINT: usize = sz 80
+
+let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39
+
+let v_ROWS_IN_A: usize = sz 4
+
+let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti
new file mode 100644
index 000000000..ac228b809
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti
@@ -0,0 +1,27 @@
+module Libcrux_ml_dsa.Constants.Ml_dsa_65_
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4
+
+let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4
+
+let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20
+
+let v_COLUMNS_IN_A: usize = sz 5
+
+let v_COMMITMENT_HASH_SIZE: usize = sz 48
+
+let v_ETA: Libcrux_ml_dsa.Constants.t_Eta =
+ Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta
+
+let v_GAMMA1_EXPONENT: usize = sz 19
+
+let v_MAX_ONES_IN_HINT: usize = sz 55
+
+let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49
+
+let v_ROWS_IN_A: usize = sz 6
+
+let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti
new file mode 100644
index 000000000..30097ecf0
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti
@@ -0,0 +1,27 @@
+module Libcrux_ml_dsa.Constants.Ml_dsa_87_
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4
+
+let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3
+
+let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20
+
+let v_COLUMNS_IN_A: usize = sz 7
+
+let v_COMMITMENT_HASH_SIZE: usize = sz 64
+
+let v_ETA: Libcrux_ml_dsa.Constants.t_Eta =
+ Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta
+
+let v_GAMMA1_EXPONENT: usize = sz 19
+
+let v_MAX_ONES_IN_HINT: usize = sz 75
+
+let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60
+
+let v_ROWS_IN_A: usize = sz 8
+
+let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst
index b93e63c07..4d34ec255 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst
@@ -85,10 +85,10 @@ val init_absorb_x4':
 let init_absorb_x4 = init_absorb_x4'
 
 assume
-val shake128': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
- -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+val shake128': input: t_Slice u8 -> out: t_Slice u8
+ -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
-let shake128 (v_OUTPUT_LENGTH: usize) = shake128' v_OUTPUT_LENGTH
+let shake128 = shake128'
 
 assume
 val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
index 0b7e313f7..3fc96890c 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
@@ -43,8 +43,7 @@ val init_absorb_final_shake256 (input: t_Slice u8)
 val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
 : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True)
 
-val shake128 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH)
- : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+val shake128 (input out: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
 
 val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH)
 : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
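Review bot: The new `assume val shake128'` keeps `Prims.l_True` as its postcondition while the return type changes from `t_Array u8 v_OUTPUT_LENGTH` to `t_Slice u8`, so the output length is no longer fixed by the type and nothing in the spec relates the result to `out`; the same loss applies to `val shake128` in the Portable.fsti hunk on this line, and to the `t_Xof` class in the next hunk, where an instance is free to leave `f_shake128_post` trivial. Because this is an assumption rather than verified code, every caller now reasons about a squeezed output of unknown length — the 256-byte pre-hash buffers introduced in the Ml_dsa_*_ wrappers are presumably what ends up here. I would pin at least the length in both the `.fst` stub and the `.fsti` declaration: `-> Prims.Pure (t_Slice u8) Prims.l_True (fun result -> Seq.length result == Seq.length out)`. If these files are regenerated from the Rust sources, the refined postcondition has to be attached wherever the stubs are maintained, or it will be lost on the next extraction.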
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti
index aa229c844..67503f772 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti
@@ -4,17 +4,10 @@ open Core
 open FStar.Mul
 
 class t_Xof (v_Self: Type0) = {
- f_shake128_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0;
- f_shake128_post:
- v_OUTPUT_LENGTH: usize ->
- t_Slice u8 ->
- t_Array u8 v_OUTPUT_LENGTH ->
- t_Array u8 v_OUTPUT_LENGTH
- -> Type0;
- f_shake128:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH
- -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH)
- (f_shake128_pre v_OUTPUT_LENGTH x0 x1)
- (fun result -> f_shake128_post v_OUTPUT_LENGTH x0 x1 result)
+ f_shake128_pre:t_Slice u8 -> t_Slice u8 -> Type0;
+ f_shake128_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0;
+ f_shake128:x0: t_Slice u8 -> x1: t_Slice u8
+ -> Prims.Pure (t_Slice u8) (f_shake128_pre x0 x1) (fun result -> f_shake128_post x0 x1 result)
 }
 
 /// When sampling matrix A we always want to do 4 absorb/squeeze calls in
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst
index 79969160b..79582529e 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst
@@ -42,14 +42,22 @@ let sign_pre_hashed_shake128
 (message context: t_Slice u8)
 (randomness: t_Array u8 (sz 32))
 =
- Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref
- (sz 2560)
- signing_key
- <:
- t_Array u8 (sz 2560))
- message
- context
- randomness
+ let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in
+ let tmp0, out:(t_Array u8 (sz 256) &
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
+ Libcrux_ml_dsa.Types.t_SigningError) =
+ Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref
+ (sz 2560)
+ signing_key
+ <:
+ t_Array u8 (sz 2560))
+ message
+ context
+ pre_hash_buffer
+ randomness
+ in
+ let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in
+ out
 
 let verify
 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
@@ -70,11 +78,18 @@ let verify_pre_hashed_shake128
 (message context: t_Slice u8)
 (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
 =
- Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref
- (sz 1312)
- verification_key
- <:
- t_Array u8 (sz 1312))
- message
- context
- (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
+ let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in
+ let tmp0, out:(t_Array u8 (sz 256) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) =
+ Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref
+ (sz 1312)
+ verification_key
+ <:
+ t_Array u8 (sz 1312))
+ message
+ context
+ pre_hash_buffer
+ (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
+ in
+ let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in
+ out
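Review bot: The pre-hash buffer size is a bare `sz 256` literal, written twice per function in both hunks here and repeated identically in the Neon, Portable and Multiplexing Ml_dsa_44_ wrappers and in every Ml_dsa_65_ and Ml_dsa_87_ variant, with nothing relating it to the output length the callee's pre-hash actually squeezes into it. Since FIPS 204 §5.4 states the SHAKE128 pre-hash output length in bits, it is worth confirming that 256 bytes is the intended unit; a single named constant carrying that reference in the Rust source this extraction comes from would make the check visible in one place instead of thirty-six. The trailing `let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in` before `out` is dead in all of these hunks (it is never read), which is harmless but looks like the Rust side takes the buffer by mutable reference only to discard it afterwards. None of this can be fixed in the extracted F* itself; the change belongs upstream, and the verifier still sees the buffer's content only through the `Prims.l_True` postcondition of `shake128` raised on the Portable.fst hunk.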
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst index 0bc3f9212..8a6b279e8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 2560) - signing_key - <: - t_Array u8 (sz 2560)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) 
@@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1312) - verification_key - <: - t_Array u8 (sz 1312)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst index b4ff49a2e..5d10a32f4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst 
@@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 2560) - signing_key - <: - t_Array u8 (sz 2560)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1312) - verification_key - <: - t_Array u8 (sz 1312)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst index f3364bb9a..3506b3983 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 2560) - signing_key - <: - t_Array u8 (sz 2560)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 2560) + signing_key + <: + t_Array u8 (sz 2560)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) 
@@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1312) - verification_key - <: - t_Array u8 (sz 1312)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1312) + verification_key + <: + t_Array u8 (sz 1312)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index 8a7ec8559..2fad9a3d2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst 
@@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4032) - signing_key - <: - t_Array u8 (sz 4032)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index d3978ab3b..24205fe33 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4032) - signing_key - <: - t_Array u8 (sz 4032)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) 
@@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index 986c8e0b0..325f4c11f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst 
@@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4032) - signing_key - <: - t_Array u8 (sz 4032)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst index 04a7f4adc..243d5de79 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4032) - signing_key - <: - t_Array u8 (sz 4032)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4032) + signing_key + <: + t_Array u8 (sz 4032)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) 
@@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 1952) - verification_key - <: - t_Array u8 (sz 1952)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 1952) + verification_key + <: + t_Array u8 (sz 1952)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst index 0a4c40f8d..bbb9f7a6a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst 
@@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4896) - signing_key - <: - t_Array u8 (sz 4896)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst index 401110e07..754385046 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4896) - signing_key - <: - t_Array u8 (sz 4896)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) 
@@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst index ddb5ccee2..8dd52879e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst 
@@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4896) - signing_key - <: - t_Array u8 (sz 4896)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) @@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst index 856f9a4bc..56f5baaf3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst @@ -42,14 +42,22 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref - (sz 4896) - signing_key - <: - t_Array u8 (sz 4896)) - message - context - randomness + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.sign_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl__as_ref + (sz 4896) + signing_key + <: + t_Array u8 (sz 4896)) + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) 
@@ -70,11 +78,18 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref - (sz 2592) - verification_key - <: - t_Array u8 (sz 2592)) - message - context - (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + let pre_hash_buffer:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let tmp0, out:(t_Array u8 (sz 256) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify_pre_hashed_shake128 (Libcrux_ml_dsa.Types.impl_2__as_ref + (sz 2592) + verification_key + <: + t_Array u8 (sz 2592)) + message + context + pre_hash_buffer + (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627)) + in + let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst new file mode 100644 index 000000000..0e90b5905 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fst 
@@ -0,0 +1,173 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let sign___inner + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + 
(randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness + +let sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let 
tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_shake128___inner signing_key message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify___inner + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = verify___inner verification_key message context signature + +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message 
context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti new file mode 100644 index 000000000..1d183a070 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.fsti 
@@ -0,0 +1,99 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Key Generation. +val generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val sign___inner + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. 
+val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify___inner + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst new file mode 100644 index 000000000..2eaef669f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fst 
@@ -0,0 +1,173 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let sign___inner + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + 
(randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness + +let sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let 
tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_shake128___inner signing_key message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify___inner + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = verify___inner verification_key message context signature + +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message 
context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti new file mode 100644 index 000000000..5ca65ea3e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.fsti 
@@ -0,0 +1,99 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Key Generation. +val generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val sign___inner + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. 
+val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify___inner + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst new file mode 100644 index 000000000..b33bc079f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fst 
@@ -0,0 +1,173 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let _:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) = + let tmp0, tmp1:(t_Slice u8 & t_Slice u8) = + generate_key_pair___inner randomness signing_key verification_key + in + let signing_key:t_Slice u8 = tmp0 in + let verification_key:t_Slice u8 = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) + +let sign___inner + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + 
(randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = sign___inner signing_key message context randomness + +let sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let 
tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + sign_pre_hashed_shake128___inner signing_key message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify___inner + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = verify___inner verification_key message context signature + +let verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Samplex4.Avx2.t_AVX2Sampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message 
context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + verify_pre_hashed_shake128___inner verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti new file mode 100644 index 000000000..a7b0d3ae2 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.fsti 
@@ -0,0 +1,99 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Avx2 in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Key Generation. +val generate_key_pair___inner + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val generate_key_pair (randomness: t_Array u8 (sz 32)) (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val sign___inner + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. 
+val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128___inner + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify___inner + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128___inner + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst new file mode 100644 index 000000000..f427c1cf1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fst 
@@ -0,0 +1,115 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + = + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: 
t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti new file mode 100644 index 000000000..a8681a605 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.fsti 
@@ -0,0 +1,63 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst new file mode 100644 index 000000000..32e1935fe --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fst 
@@ -0,0 +1,115 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: 
t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti new file mode 100644 index 000000000..dbc3427cc --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.fsti 
@@ -0,0 +1,63 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst new file mode 100644 index 000000000..02aca3140 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fst 
@@ -0,0 +1,115 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + = + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: 
t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Neon.t_NeonSampler #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti new file mode 100644 index 000000000..3179307e3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.fsti 
@@ -0,0 +1,63 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Neon in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst new file mode 100644 index 000000000..f5d75d98f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fst 
@@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + = + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context 
pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti new file mode 100644 index 000000000..676d92da6 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.fsti 
@@ -0,0 +1,62 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst new file mode 100644 index 000000000..7350b6417 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fst 
@@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context 
pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti new file mode 100644 index 000000000..45fa9ce86 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.fsti 
@@ -0,0 +1,62 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst new file mode 100644 index 000000000..e57e2445f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fst 
@@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + = + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 + randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let hax_temp_output:Prims.unit = () in + signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + 
#Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 (signing_key <: t_Slice u8) message context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (signing_key <: t_Slice u8) message context pre_hash_buffer randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof + verification_key + message + context + signature + +let verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context 
pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + = + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Samplex4.Portable.t_PortableSampler + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Xof #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + verification_key message context pre_hash_buffer signature + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + out + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti new file mode 100644 index 000000000..dd7f46ae3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.fsti 
@@ -0,0 +1,62 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Samplex4.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign. +val sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (verification_key: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). 
+val verify_pre_hashed_shake128 + (verification_key: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst new file mode 100644 index 000000000..7c4cf255d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst 
@@ -0,0 +1,1271 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + = + let eta:Libcrux_ml_dsa.Constants.t_Eta = + match + cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + <: + isize) + <: + u8 + with + | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + 
let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + 
let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 16) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice 
u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed + in + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 32)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 32)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 32)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 32)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = + temp_0_ + in + attempt <. 
Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 32)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 32) = + Rust_primitives.Hax.repeat 0uy (sz 32) + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let 
shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + w0 + (challenge_times_s2 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l <. Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 32)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 32)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 32)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 32)) with + | 
Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 32) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 4)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 4) = hint in + let signature:t_Array u8 (sz 2420) = Rust_primitives.Hax.repeat 0uy (sz 2420) in + let signature:t_Array u8 (sz 2420) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 2420) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + 
Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result 
(Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if (Core.Slice.impl__len #u8 context <: usize) >. 
Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + 
Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key: t_Array u8 (sz 1312)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 2420)) + = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 + in + let deserialized_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 4) + in + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) & + t_Array (t_Array i32 (sz 256)) (sz 4) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint + in + let deserialized_commitment_hash:t_Array u8 (sz 32) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + tmp1 + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + deserialized_signer_response + in + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 
4) = + deserialized_signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + 
Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result 
Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new 
context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof 
v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + 
Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 16) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + } + <: + 
Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 4) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
(sz 4) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti new file mode 100644 index 000000000..d42b5c793 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti 
@@ -0,0 +1,165 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT + +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + +let v_ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_ERROR_COEFFICIENT + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A *! 
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A + v_ERROR_RING_ELEMENT_SIZE + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A + +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: 
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. 
+val verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key: t_Array u8 (sz 1312)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| 
i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst new file mode 100644 index 000000000..d7663ec47 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst 
@@ -0,0 +1,1271 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + = + let eta:Libcrux_ml_dsa.Constants.t_Eta = + match + cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + <: + isize) + <: + u8 + with + | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + 
let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + 
let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 30) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice 
u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed + in + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 48)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 48)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 48)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 48)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = + temp_0_ + in + attempt <. 
Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 48)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 48) = + Rust_primitives.Hax.repeat 0uy (sz 48) + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let 
shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 48) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + w0 + (challenge_times_s2 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l <. Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 48)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 48)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 48)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 48)) with + | 
Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 48) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 6)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 6) = hint in + let signature:t_Array u8 (sz 3309) = Rust_primitives.Hax.repeat 0uy (sz 3309) in + let signature:t_Array u8 (sz 3309) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 3309) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + 
Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result 
(Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if (Core.Slice.impl__len #u8 context <: usize) >. 
Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + 
Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key: t_Array u8 (sz 1952)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 3309)) + = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 + in + let deserialized_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 6) + in + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 48) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) & + t_Array (t_Array i32 (sz 256)) (sz 6) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint + in + let deserialized_commitment_hash:t_Array u8 (sz 48) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + tmp1 + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + deserialized_signer_response + in + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 
5) = + deserialized_signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in + let commitment_serialized:t_Array u8 (sz 768) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + 
Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 48) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result 
Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new 
context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof 
v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + 
Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 30) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 11) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 5) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + } + <: + 
Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 6) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
(sz 6) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti new file mode 100644 index 000000000..46aa5f314 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti 
@@ -0,0 +1,165 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT + +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + +let v_ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_ERROR_COEFFICIENT + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A *! 
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A + v_ERROR_RING_ELEMENT_SIZE + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A + +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: 
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. 
+val verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key: t_Array u8 (sz 1952)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| 
i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst new file mode 100644 index 000000000..ae888c151 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst 
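Review bot: Every `val` in this interface carries the trivial contract `Prims.l_True (fun _ -> Prims.l_True)`, so the F* check proves nothing about the slice lengths the implementation depends on; in particular `val generate_key_pair` takes `signing_key verification_key: t_Slice u8` with no length requirement, while the body in the sibling `.fst` hunk appears to guard those lengths only with `Hax_lib.v_assert` under `if true`, which is a runtime (debug) check rather than a proof obligation. Consider a precondition such as `(requires (Seq.length signing_key == v v_SIGNING_KEY_SIZE /\ Seq.length verification_key == v v_VERIFICATION_KEY_SIZE))` in place of the first `Prims.l_True`, so an undersized output buffer is rejected statically instead of by an assert that disappears in release builds. The same gap exists for `signing_key: t_Slice u8` in `sign_internal`/`sign`, whereas `verify`'s `t_Array u8 (sz 1952)`/`(sz 3309)` parameters are already length-checked by their types. Since this file is hax-extracted, the contract presumably belongs in the Rust source as a `hax_lib::requires` attribute rather than as a hand edit here — please confirm against the extraction workflow.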
@@ -0,0 +1,1273 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + = + let eta:Libcrux_ml_dsa.Constants.t_Eta = + match + cast (Libcrux_ml_dsa.Constants.t_Eta_cast_to_repr Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + <: + isize) + <: + u8 + with + | 2uy -> Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta + | 4uy -> Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + 
let seed_for_a, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 signing_key Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + s1_as_ntt + in + 
let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + eta + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + s2_as_ntt + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit t0_serialized t0_as_ntt + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 56) + in + let matrix:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + seed_for_a + matrix + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Ml_dsa_generic.derive_message_representative #v_Shake256Xof + verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_for_signing + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice 
u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + mask_seed + in + let shake:v_Shake256Xof = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 64)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 64)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 64)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 64)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = + temp_0_ + in + attempt <. 
Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 (sz 64)) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let tmp0, tmp1:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT + mask_seed + domain_separator_for_mask + mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + tmp1 + in + let _:Prims.unit = () in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) + = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + #FStar.Tactics.Typeclasses.solve + mask + in + let mask_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) + = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (mask_ntt + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun mask_ntt temp_1_ -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + mask_ntt + in + let _:usize = temp_1_ in + true) + mask_ntt + (fun mask_ntt i -> + let mask_ntt:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + mask_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask_ntt.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let a_x_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) + = + Libcrux_ml_dsa.Matrix.compute_matrix_x_mask #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit)) + (mask_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + a_x_mask + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 + (a_x_mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + w0 + commitment + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + tmp0 + in + let commitment:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) = + tmp1 + in + let _:Prims.unit = () in + let _:Prims.unit = () in + let commitment_hash_candidate:t_Array u8 (sz 64) = + Rust_primitives.Hax.repeat 0uy (sz 64) + in + let commitment_serialized:t_Array u8 (sz 1024) = + Rust_primitives.Hax.repeat 0uy (sz 1024) + in + let commitment_serialized:t_Array u8 (sz 1024) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (commitment <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + 
let shake:v_Shake256Xof = tmp0 in + let commitment_hash_candidate:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + (commitment_hash_candidate <: t_Slice u8) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE + verifier_challenge + in + let verifier_challenge:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit verifier_challenge + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + #FStar.Tactics.Typeclasses.solve + s1_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Core.Clone.f_clone #(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) + #FStar.Tactics.Typeclasses.solve + s2_as_ntt + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s1 + verifier_challenge + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + challenge_times_s2 + verifier_challenge + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + mask + (challenge_times_s1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit)) + in + let w0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + w0 + (challenge_times_s2 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (mask <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((1l <. Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 (sz 64)) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 (sz 64)) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) = + Core.Option.Option_Some mask + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 (sz 64)) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))) + ) + in + match commitment_hash <: Core.Option.t_Option (t_Array u8 (sz 64)) with + | 
Core.Option.Option_Some commitment_hash -> + let commitment_hash:t_Array u8 (sz 64) = commitment_hash in + (match + signer_response + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + with + | Core.Option.Option_Some signer_response -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) = + signer_response + in + (match hint <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) (sz 8)) with + | Core.Option.Option_Some hint -> + let hint:t_Array (t_Array i32 (sz 256)) (sz 8) = hint in + let signature:t_Array u8 (sz 4627) = Rust_primitives.Hax.repeat 0uy (sz 4627) in + let signature:t_Array u8 (sz 4627) = + Libcrux_ml_dsa.Encoding.Signature.serialize #v_SIMDUnit + (commitment_hash <: t_Slice u8) + (signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (hint <: t_Slice (t_Array i32 (sz 256))) + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT signature + in + Core.Result.Result_Ok (Libcrux_ml_dsa.Types.impl_4__new (sz 4627) signature) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + 
Libcrux_ml_dsa.Types.t_SigningError) + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError <: Libcrux_ml_dsa.Types.t_SigningError + ) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result 
(Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError + +let sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i13: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i14: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if (Core.Slice.impl__len #u8 context <: usize) >. 
Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError = + sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 + signing_key pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + <: + (t_Slice u8 & + 
Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key: t_Array u8 (sz 2592)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 4627)) + = + let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (verification_key <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + t1_serialized + t1 + in + let deserialized_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + (sz 8) + in + let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) & + t_Array (t_Array i32 (sz 256)) (sz 8) & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE + (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response + deserialized_hint + in + let deserialized_commitment_hash:t_Array u8 (sz 64) = tmp0 in + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + tmp1 + in + let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp2 in + match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with + | Core.Result.Result_Ok _ -> + let _:Prims.unit = () <: Prims.unit in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + ((2l < + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + deserialized_signer_response + in + let _:usize = temp_1_ in + true) + deserialized_signer_response + (fun deserialized_signer_response i -> + let deserialized_signer_response:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 
7) = + deserialized_signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialized_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (deserialized_signer_response + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verifier_challenge + t1 + in + let recomputed_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2 + (deserialized_hint <: t_Slice (t_Array i32 (sz 256))) + t1 + in + let commitment_serialized:t_Array u8 (sz 1024) = Rust_primitives.Hax.repeat 0uy (sz 1024) in + let commitment_serialized:t_Array u8 (sz 1024) = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_COMMITMENT_RING_ELEMENT_SIZE + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + commitment_serialized + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:v_Shake256Xof = + 
Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + recomputed_commitment_hash + in + let shake:v_Shake256Xof = tmp0 in + let recomputed_commitment_hash:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + if deserialized_commitment_hash =. recomputed_commitment_hash + then + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err e -> + Core.Result.Result_Err e + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result 
Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + message + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + | Core.Result.Result_Err _ -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i12: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH) + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + let pre_hash_buffer:t_Slice u8 = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH + #FStar.Tactics.Typeclasses.solve + #v_Shake128 + message + pre_hash_buffer + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new 
context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext + Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + with + | Core.Result.Result_Ok dsc -> + let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in + let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError = + verify_internal #v_SIMDUnit + #v_Sampler + #v_Shake128X4 + #v_Shake256 + #v_Shake256Xof + verification_key_serialized + pre_hash_buffer + (Core.Option.Option_Some domain_separation_context + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + signature_serialized + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + | Core.Result.Result_Err _ -> + pre_hash_buffer, + (Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + +let generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i10: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof 
v_Shake256Xof) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i11: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE + <: + bool) + in + () + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =. + v_VERIFICATION_KEY_SIZE + <: + bool) + in + () + in + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve () + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:v_Shake256Xof = + Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + ((let list = + [ + cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) <: u8; + cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:v_Shake256Xof = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + 
Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 56) + in + let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) = + Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler + #FStar.Tactics.Typeclasses.solve + #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + seed_for_a + a_as_ntt + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 15) + in + let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + seed_for_error_vectors + s1_s2 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 7) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + s1_ntt + (s1_s2.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + } + <: + 
Core.Ops.Range.t_Range usize ] + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + in + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + usize) + (fun s1_ntt temp_1_ -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + s1_ntt + in + let _:usize = temp_1_ in + true) + s1_ntt + (fun s1_ntt i -> + let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) = + s1_ntt + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7)) + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + t0 + in + let _:Prims.unit = () in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (sz 8) + in + let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
(sz 8) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1 + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp0 in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp1 in + let _:Prims.unit = () in + let verification_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + seed_for_a + (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + verification_key + in + let signing_key:t_Slice u8 = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a + seed_for_signing verification_key + (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key + in + signing_key, verification_key <: (t_Slice u8 & t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti new file mode 100644 index 000000000..c47847ef4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti 
@@ -0,0 +1,165 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Polynomial in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Samplex4 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_BETA: i32 = + Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT + +let v_COMMITMENT_VECTOR_SIZE: usize = + Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + +let v_ERROR_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_ERROR_COEFFICIENT + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_ROW_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A +! + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + +let v_ROW_X_COLUMN: usize = + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A *! 
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + +let v_SIGNATURE_SIZE: usize = + Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT + +let v_SIGNING_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A + v_ERROR_RING_ELEMENT_SIZE + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A + +val sign_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: 
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH: + Type0) + {| i8: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i9: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i13: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i14: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i15: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (signing_key message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. 
+val verify_internal + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key: t_Array u8 (sz 2592)) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0) + {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| 
i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |} + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_key_pair + (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0) + {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |} + {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |} + {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + (signing_key verification_key: t_Slice u8) + : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst new file mode 100644 index 000000000..3d5bc9e4a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fst 
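Review bot: Every `val` in this interface carries `Prims.l_True` as both pre- and postcondition, so the ML-DSA-87 proof interface promises nothing beyond well-typedness; most notably `generate_key_pair` takes `signing_key verification_key: t_Slice u8` with no length refinement, while the implementation earlier in this diff only checks `Core.Slice.impl__len signing_key =. v_SIGNING_KEY_SIZE` via `Hax_lib.v_assert` inside an `if true` branch, which looks like an extracted `debug_assert!` and so presumably is absent from a release build. Because these `.fsti` files are hax-generated, the fix belongs in the Rust source: annotating the function with something like `#[hax_lib::requires(signing_key.len() == SIGNING_KEY_SIZE && verification_key.len() == VERIFICATION_KEY_SIZE)]` should make the extracted declaration read `: Prims.Pure (t_Slice u8 & t_Slice u8) (requires Seq.length signing_key == v v_SIGNING_KEY_SIZE /\ Seq.length verification_key == v v_VERIFICATION_KEY_SIZE) (fun _ -> Prims.l_True)`. The same gap applies to `sign_pre_hashed` and `verify_pre_hashed`, whose `pre_hash_buffer` slice has no stated minimum length even though `Pre_hash.f_hash` writes into it.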
@@ -0,0 +1,223 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + = + let (signing_key, verification_key), hax_temp_output:((t_Array u8 (sz 2560) & t_Array u8 (sz 1312) + ) & + Prims.unit) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312))), () + <: + ((t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) & Prims.unit) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312))), () + <: + ((t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) & Prims.unit) + else + let tmp0, tmp1:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 2560) = tmp0 in + let verification_key:t_Array u8 (sz 1312) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312))), () + <: + ((t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) & Prims.unit) + 
in + signing_key, verification_key <: (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) + +let sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign signing_key + message + context + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign signing_key + message + context + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign signing_key + message + context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + 
(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify verification_key_serialized + message + context + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify verification_key_serialized + message + context + signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify verification_key_serialized + message + context + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + 
Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_44_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_44_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_44_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti new file mode 100644 index 000000000..86e20ee9e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.fsti 
@@ -0,0 +1,44 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 2560)) + (verification_key: t_Array u8 (sz 1312)) + : Prims.Pure (t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (signing_key: t_Array u8 (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 2560)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1312)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 2420)) + : Prims.Pure + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst new file mode 100644 index 000000000..22dde3f4a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fst 
@@ -0,0 +1,223 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4032)) + (verification_key: t_Array u8 (sz 1952)) + = + let (signing_key, verification_key), hax_temp_output:((t_Array u8 (sz 4032) & t_Array u8 (sz 1952) + ) & + Prims.unit) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952))), () + <: + ((t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) & Prims.unit) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952))), () + <: + ((t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) & Prims.unit) + else + let tmp0, tmp1:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4032) = tmp0 in + let verification_key:t_Array u8 (sz 1952) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952))), () + <: + ((t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) & Prims.unit) + 
in + signing_key, verification_key <: (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) + +let sign + (signing_key: t_Array u8 (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign signing_key + message + context + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign signing_key + message + context + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign signing_key + message + context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4032)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + 
(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify verification_key_serialized + message + context + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify verification_key_serialized + message + context + signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify verification_key_serialized + message + context + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 1952)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 3309)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + 
Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_65_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_65_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_65_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti new file mode 100644 index 000000000..c19ae6a03 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.fsti 
@@ -0,0 +1,44 @@
+module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+val generate_key_pair
+ (randomness: t_Array u8 (sz 32))
+ (signing_key: t_Array u8 (sz 4032))
+ (verification_key: t_Array u8 (sz 1952))
+ : Prims.Pure (t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) Prims.l_True (fun _ -> Prims.l_True)
+
+val sign
+ (signing_key: t_Array u8 (sz 4032))
+ (message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure
+ (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val sign_pre_hashed_shake128
+ (signing_key: t_Array u8 (sz 4032))
+ (message context pre_hash_buffer: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure
+ (t_Slice u8 &
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val verify
+ (verification_key_serialized: t_Array u8 (sz 1952))
+ (message context: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 3309))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val verify_pre_hashed_shake128
+ (verification_key_serialized: t_Array u8 (sz 1952))
+ (message context pre_hash_buffer: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 3309))
+ : Prims.Pure
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst
new file mode 100644
index 000000000..8427f42e6
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fst
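Review bot: `sign_pre_hashed_shake128` and `verify_pre_hashed_shake128` accept `pre_hash_buffer: t_Slice u8` under the precondition `Prims.l_True`, yet the SHAKE128 pre-hash instance in `Libcrux_ml_dsa.Pre_hash.fst` later in this diff asserts that the output buffer it receives has length 256, so an undersized buffer becomes a run-time abort rather than a type error and nothing at this interface tells a caller. The fix is to state the requirement here, replacing the first `Prims.l_True` on both `val`s with `(Seq.length pre_hash_buffer == 256)`; if this file is hax-generated, as the `hax_temp_output` naming in the sibling `.fst` suggests, the annotation belongs on the Rust function as a `hax_lib::requires`. Whether the multiplexer hands `pre_hash_buffer` unchanged to that instance is not visible in this hunk and is worth confirming before the bound is written down.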
@@ -0,0 +1,223 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (randomness: t_Array u8 (sz 32)) + (signing_key: t_Array u8 (sz 4896)) + (verification_key: t_Array u8 (sz 2592)) + = + let (signing_key, verification_key), hax_temp_output:((t_Array u8 (sz 4896) & t_Array u8 (sz 2592) + ) & + Prims.unit) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592))), () + <: + ((t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) & Prims.unit) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592))), () + <: + ((t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) & Prims.unit) + else + let tmp0, tmp1:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.generate_key_pair randomness + signing_key + verification_key + in + let signing_key:t_Array u8 (sz 4896) = tmp0 in + let verification_key:t_Array u8 (sz 2592) = tmp1 in + let _:Prims.unit = () in + (signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592))), () + <: + ((t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) & Prims.unit) + 
in + signing_key, verification_key <: (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) + +let sign + (signing_key: t_Array u8 (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign signing_key + message + context + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign signing_key + message + context + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign signing_key + message + context + randomness + +let sign_pre_hashed_shake128 + (signing_key: t_Array u8 (sz 4896)) + (message context pre_hash_buffer: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + 
(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign_pre_hashed_shake128 signing_key + message + context + pre_hash_buffer + randomness + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) + +let verify + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify verification_key_serialized + message + context + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify verification_key_serialized + message + context + signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify verification_key_serialized + message + context + signature_serialized + +let verify_pre_hashed_shake128 + (verification_key_serialized: t_Array u8 (sz 2592)) + (message context pre_hash_buffer: t_Slice u8) + (signature_serialized: t_Array u8 (sz 4627)) + = + let pre_hash_buffer, hax_temp_output:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + if Libcrux_platform.Platform.simd256_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + 
Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Ml_dsa_87_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + if Libcrux_platform.Platform.simd128_support () + then + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.Ml_dsa_87_.verify_pre_hashed_shake128 verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + else + let tmp0, out:(t_Slice u8 & + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.verify_pre_hashed_shake128 + verification_key_serialized + message + context + pre_hash_buffer + signature_serialized + in + let pre_hash_buffer:t_Slice u8 = tmp0 in + pre_hash_buffer, out + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + in + pre_hash_buffer, hax_temp_output + <: + (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti new file mode 100644 index 000000000..d90ff6e68 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.fsti 
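Review bot: Every function in this module chooses its backend at run time via `Libcrux_platform.Platform.simd256_support ()` and `simd128_support ()`, but nothing ties the three `Ml_dsa_87_` instantiations together: the companion `.fsti` gives each `val` the trivial `Prims.l_True` pre- and postcondition, so the proof says nothing about AVX2, NEON and Portable producing the same key pair or signature from the same inputs, which is the property a consumer of this multiplexer actually relies on. A postcondition anchored on the portable path, e.g. for `sign`: `(fun r -> r == Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.Ml_dsa_87_.sign signing_key message context randomness)`, would make the dispatch provably transparent. Since the module appears hax-extracted (`hax_temp_output`, the `let _:Prims.unit = () in` residue in `generate_key_pair`), the annotation should be added as `hax_lib::ensures` on the Rust side rather than hand-edited here.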
@@ -0,0 +1,44 @@
+module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+val generate_key_pair
+ (randomness: t_Array u8 (sz 32))
+ (signing_key: t_Array u8 (sz 4896))
+ (verification_key: t_Array u8 (sz 2592))
+ : Prims.Pure (t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) Prims.l_True (fun _ -> Prims.l_True)
+
+val sign
+ (signing_key: t_Array u8 (sz 4896))
+ (message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure
+ (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val sign_pre_hashed_shake128
+ (signing_key: t_Array u8 (sz 4896))
+ (message context pre_hash_buffer: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure
+ (t_Slice u8 &
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val verify
+ (verification_key_serialized: t_Array u8 (sz 2592))
+ (message context: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 4627))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val verify_pre_hashed_shake128
+ (verification_key_serialized: t_Array u8 (sz 2592))
+ (message context pre_hash_buffer: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 4627))
+ : Prims.Pure
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
index 43d3a2fb7..55181b452 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
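Review bot: None of the five `val`s carries a doc comment, although `Libcrux_ml_dsa.Pre_hash.fsti` in the same diff shows that Rust `///` lines survive extraction (`/// `context` must be at most 255 bytes long.`), so the caller-facing constraints are undocumented exactly at the API boundary users read. At minimum `sign` and `verify` should state the limit that `impl_1__new` enforces via `v_CONTEXT_MAX_LEN`, e.g. `/// `context` must be at most 255 bytes; a longer context is rejected with `ContextTooLongError`.`, and the `_pre_hashed_shake128` variants should say `/// `pre_hash_buffer` must hold exactly 256 bytes of scratch space for the SHAKE-128 pre-hash.`, matching the length the pre-hash instance asserts. That the over-long-context error reaches the caller through the `t_From` instances `impl_2`/`impl_3` is inferred from the declarations in `Pre_hash.fsti` and should be confirmed before it is written into the comment.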
@@ -48,20 +48,8 @@ let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_Domai Libcrux_ml_dsa.Types.t_VerificationError } -let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = - if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN - then - Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) - <: - Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError - else - Core.Result.Result_Ok - ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) - <: - Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError - [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: t_PreHash t_SHAKE128_PH (sz 256) = +let impl: t_PreHash t_SHAKE128_PH = { f_oid_pre = (fun (_: Prims.unit) -> true); f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (sz 11)) -> true); @@ -74,6 +62,7 @@ let impl: t_PreHash t_SHAKE128_PH (sz 256) = i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (message: t_Slice u8) + (output: t_Slice u8) -> true); f_hash_post @@ -84,7 +73,8 @@ let impl: t_PreHash t_SHAKE128_PH (sz 256) = i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (message: t_Slice u8) - (out: t_Array u8 (sz 256)) + (output: t_Slice u8) + (out: t_Slice u8) -> true); f_hash 
@@ -95,14 +85,34 @@ let impl: t_PreHash t_SHAKE128_PH (sz 256) = i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128) (message: t_Slice u8) + (output: t_Slice u8) -> - let output:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in - let output:t_Array u8 (sz 256) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 output, sz 256 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let output:t_Slice u8 = Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #v_Shake128 #FStar.Tactics.Typeclasses.solve - (sz 256) message output in output } + +let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + else + Core.Result.Result_Ok + ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti index c23391618..37b79c9e3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti 
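Review bot: `f_hash` now writes into a caller-supplied `output: t_Slice u8` and checks the size with `Hax_lib.v_assert (left_val =. right_val)` over `Core.Slice.impl__len #u8 output, sz 256`, i.e. a run-time `assert_eq!` standing in for the `t_Array u8 (sz 256)` type the removed code carried, while the instance's `f_hash_pre` (in the preceding hunk) is still `-> true`; the 256-byte requirement is therefore invisible to callers and, if `Hax_lib.v_assert` takes its argument as a precondition as is usual for that library, not provable here without a stronger pre. The direct fix is to end `f_hash_pre` with `(output: t_Slice u8) -> Seq.length output == 256` instead of `-> true` (a `hax_lib::requires(output.len() == 256)` on the Rust `hash`), which also makes the multiplexers' `pre_hash_buffer` contract checkable. Separately, FIPS 204 writes the SHAKE128 pre-hash as `SHAKE128(M, 256)` with 256 a bit length (32 bytes), whereas this instance fixes a 256-byte digest; the intended length should be confirmed against the standard, since a mismatch yields HashML-DSA signatures that do not interoperate. The instance's doc line, `/// An implementation of the pre-hash trait for the SHAKE-128 XOF with ...`, should state the digest length in bytes explicitly.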
@@ -29,7 +29,7 @@ type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_D val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) -class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { +class t_PreHash (v_Self: Type0) = { f_oid_pre:Prims.unit -> Type0; f_oid_post:Prims.unit -> t_Array u8 (sz 11) -> Type0; f_oid:x0: Prims.unit @@ -37,21 +37,24 @@ class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { f_hash_pre: #v_Shake128: Type0 -> {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> + t_Slice u8 -> t_Slice u8 -> Type0; f_hash_post: #v_Shake128: Type0 -> {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> t_Slice u8 -> - t_Array u8 v_DIGEST_LEN + t_Slice u8 -> + t_Slice u8 -> Type0; f_hash: #v_Shake128: Type0 -> {| i1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |} -> - x0: t_Slice u8 - -> Prims.Pure (t_Array u8 v_DIGEST_LEN) - (f_hash_pre #v_Shake128 #i1 x0) - (fun result -> f_hash_post #v_Shake128 #i1 x0 result) + x0: t_Slice u8 -> + x1: t_Slice u8 + -> Prims.Pure (t_Slice u8) + (f_hash_pre #v_Shake128 #i1 x0 x1) + (fun result -> f_hash_post #v_Shake128 #i1 x0 x1 result) } /// An implementation of the pre-hash trait for the SHAKE-128 XOF with @@ -71,11 +74,11 @@ val impl_2:Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSepar [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_3:Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl:t_PreHash t_SHAKE128_PH + /// `context` must be at most 255 bytes long. val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl:t_PreHash t_SHAKE128_PH (sz 256)
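Review bot: With `v_DIGEST_LEN` removed from `class t_PreHash`, the only link between the buffer passed as `x1` and the `t_Slice u8` that `f_hash` returns is `f_hash_post`, which the class leaves abstract and the SHAKE128 instance sets to `true`, so the fixed-digest-size statement the old `t_Array u8 v_DIGEST_LEN` return type carried is gone and an instance could in principle return a slice of any length. The class can keep that guarantee independent of each instance's post by refining the return type, `-> Prims.Pure (o: t_Slice u8 {Seq.length o == Seq.length x1})`, in place of `-> Prims.Pure (t_Slice u8)`; on the Rust trait this corresponds to an `ensures` on the method relating the output slice length before and after the call. The reordering of `val impl` ahead of `impl_1__new` in the last hunk is a pure move and needs nothing.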