From 6fc8f02330967259f8bbb8ef0348abe029860ba0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 6 Feb 2025 17:00:07 +0000 Subject: [PATCH] Namespacing: Use mlk_xxx prefix for all identifiers of global scope This commit changes the name of all identifiers in global scope by adding a prefix `mlk_`. For example, `check_pk` becomes `mlk_check_pk`, and the struct `poly` becomes `mlk_poly`. Excluded is the standard crypto_kem_xxx API, which stays as is. Signed-off-by: Hanno Becker --- dev/aarch64_clean/src/aarch64_zetas.c | 6 +- dev/aarch64_clean/src/arith_native_aarch64.h | 40 +-- dev/aarch64_clean/src/clean_impl.h | 14 +- dev/aarch64_clean/src/consts.h | 4 +- dev/aarch64_clean/src/intt_clean.S | 10 +- dev/aarch64_clean/src/ntt_clean.S | 2 +- dev/aarch64_clean/src/optimize.sh | 20 +- .../src/poly_mulcache_compute_asm_clean.S | 2 +- dev/aarch64_clean/src/poly_reduce_asm_clean.S | 12 +- .../src/poly_tobytes_asm_clean.S | 2 +- dev/aarch64_clean/src/poly_tomont_asm_clean.S | 2 +- dev/aarch64_clean/src/rej_uniform_asm_clean.S | 2 +- dev/aarch64_clean/src/rej_uniform_table.c | 2 +- dev/aarch64_opt/src/aarch64_zetas.c | 6 +- dev/aarch64_opt/src/arith_native_aarch64.h | 40 +-- dev/aarch64_opt/src/consts.h | 4 +- dev/aarch64_opt/src/intt_opt.S | 2 +- dev/aarch64_opt/src/ntt_opt.S | 2 +- dev/aarch64_opt/src/opt_impl.h | 14 +- .../src/poly_mulcache_compute_asm_opt.S | 2 +- dev/aarch64_opt/src/poly_reduce_asm_opt.S | 4 +- dev/aarch64_opt/src/poly_tobytes_asm_opt.S | 2 +- dev/aarch64_opt/src/poly_tomont_asm_opt.S | 2 +- dev/aarch64_opt/src/rej_uniform_asm_clean.S | 2 +- dev/aarch64_opt/src/rej_uniform_table.c | 2 +- dev/x86_64/src/arith_native_x86_64.h | 78 ++--- dev/x86_64/src/basemul.c | 2 +- dev/x86_64/src/compress_avx2.c | 16 +- dev/x86_64/src/consts.c | 2 +- dev/x86_64/src/consts.h | 4 +- dev/x86_64/src/default_impl.h | 32 +- dev/x86_64/src/reduce.S | 2 +- dev/x86_64/src/rej_uniform_avx2.c | 12 +- dev/x86_64/src/rej_uniform_table.c | 2 +- dev/x86_64/src/tomont.S | 2 +- .../monolithic_build/mlkem_native_monobuild.c | 298 ++++++++--------- mlkem/compress.c | 68 ++-- mlkem/compress.h | 160 ++++----- mlkem/config.h | 2 +- mlkem/debug.c | 4 +- mlkem/debug.h | 18 +- mlkem/fips202/fips202.c | 40 +-- mlkem/fips202/fips202x4.c | 20 +- mlkem/indcpa.c | 238 +++++++------- mlkem/indcpa.h | 28 +- mlkem/kem.c | 40 +-- mlkem/native/aarch64/src/aarch64_zetas.c | 6 +- .../native/aarch64/src/arith_native_aarch64.h | 40 +-- mlkem/native/aarch64/src/consts.h | 4 +- mlkem/native/aarch64/src/opt_impl.h | 14 +- .../aarch64/src/rej_uniform_asm_clean.S | 2 +- mlkem/native/aarch64/src/rej_uniform_table.c | 2 +- mlkem/native/api.h | 12 +- mlkem/native/x86_64/src/arith_native_x86_64.h | 78 ++--- mlkem/native/x86_64/src/basemul.c | 2 +- mlkem/native/x86_64/src/compress_avx2.c | 16 +- mlkem/native/x86_64/src/consts.c | 2 +- mlkem/native/x86_64/src/consts.h | 4 +- mlkem/native/x86_64/src/default_impl.h | 32 +- mlkem/native/x86_64/src/reduce.S | 2 +- mlkem/native/x86_64/src/rej_uniform_avx2.c | 12 +- mlkem/native/x86_64/src/rej_uniform_table.c | 2 +- mlkem/native/x86_64/src/tomont.S | 2 +- mlkem/poly.c | 100 +++--- mlkem/poly.h | 116 +++---- mlkem/poly_k.c | 130 ++++---- mlkem/poly_k.h | 306 +++++++++--------- mlkem/sampling.c | 76 ++--- mlkem/sampling.h | 40 +-- mlkem/verify.c | 2 +- mlkem/verify.h | 86 ++--- mlkem/zetas.c | 4 +- proofs/cbmc/barrett_reduce/Makefile | 6 +- .../barrett_reduce/barrett_reduce_harness.c | 6 +- proofs/cbmc/crypto_kem_dec/Makefile | 2 +- proofs/cbmc/crypto_kem_enc_derand/Makefile | 2 +- .../cbmc/crypto_kem_keypair_derand/Makefile | 2 +- proofs/cbmc/ct_cmask_neg_i16/Makefile | 8 +- .../ct_cmask_neg_i16_harness.c | 2 +- proofs/cbmc/ct_cmask_nonzero_u16/Makefile | 8 +- .../ct_cmask_nonzero_u16_harness.c | 2 +- proofs/cbmc/ct_cmask_nonzero_u8/Makefile | 8 +- .../ct_cmask_nonzero_u8_harness.c | 2 +- proofs/cbmc/ct_cmov_zero/Makefile | 8 +- .../cbmc/ct_cmov_zero/ct_cmov_zero_harness.c | 2 +- proofs/cbmc/ct_memcmp/Makefile | 8 +- proofs/cbmc/ct_memcmp/ct_memcmp_harness.c | 2 +- proofs/cbmc/ct_sel_int16/Makefile | 8 +- .../cbmc/ct_sel_int16/ct_sel_int16_harness.c | 2 +- proofs/cbmc/ct_sel_uint8/Makefile | 8 +- .../cbmc/ct_sel_uint8/ct_sel_uint8_harness.c | 2 +- proofs/cbmc/fqmul/Makefile | 6 +- proofs/cbmc/fqmul/fqmul_harness.c | 6 +- proofs/cbmc/gen_matrix/Makefile | 8 +- proofs/cbmc/gen_matrix/gen_matrix_harness.c | 4 +- proofs/cbmc/gen_matrix_native/Makefile | 4 +- .../gen_matrix_native_harness.c | 4 +- proofs/cbmc/indcpa_dec/Makefile | 26 +- proofs/cbmc/indcpa_dec/indcpa_dec_harness.c | 2 +- proofs/cbmc/indcpa_enc/Makefile | 46 +-- proofs/cbmc/indcpa_enc/indcpa_enc_harness.c | 2 +- proofs/cbmc/indcpa_keypair_derand/Makefile | 8 +- .../indcpa_keypair_derand_harness.c | 2 +- proofs/cbmc/invntt_layer/Makefile | 8 +- .../cbmc/invntt_layer/invntt_layer_harness.c | 6 +- proofs/cbmc/keccak_absorb_once/Makefile | 6 +- .../keccak_absorb_once_harness.c | 6 +- proofs/cbmc/keccak_absorb_once_x4/Makefile | 6 +- .../keccak_absorb_once_x4_harness.c | 6 +- proofs/cbmc/keccak_squeeze_once/Makefile | 6 +- .../keccak_squeeze_once_harness.c | 6 +- proofs/cbmc/keccak_squeezeblocks/Makefile | 6 +- .../keccak_squeezeblocks_harness.c | 6 +- proofs/cbmc/keccak_squeezeblocks_x4/Makefile | 6 +- .../keccak_squeezeblocks_x4_harness.c | 6 +- proofs/cbmc/matvec_mul/Makefile | 8 +- proofs/cbmc/matvec_mul/matvec_mul_harness.c | 12 +- proofs/cbmc/montgomery_reduce/Makefile | 6 +- .../montgomery_reduce_harness.c | 6 +- proofs/cbmc/ntt_butterfly_block/Makefile | 8 +- .../ntt_butterfly_block_harness.c | 6 +- proofs/cbmc/ntt_layer/Makefile | 8 +- proofs/cbmc/ntt_layer/ntt_layer_harness.c | 6 +- proofs/cbmc/poly_add/Makefile | 6 +- proofs/cbmc/poly_add/poly_add_harness.c | 4 +- proofs/cbmc/poly_cbd_eta1/Makefile | 6 +- .../poly_cbd_eta1/poly_cbd_eta1_harness.c | 8 +- proofs/cbmc/poly_cbd_eta2/Makefile | 8 +- .../poly_cbd_eta2/poly_cbd_eta2_harness.c | 10 +- proofs/cbmc/poly_compress_du/Makefile | 12 +- .../poly_compress_du_harness.c | 4 +- proofs/cbmc/poly_compress_dv/Makefile | 10 +- .../poly_compress_dv_harness.c | 4 +- proofs/cbmc/poly_decompress_du/Makefile | 12 +- .../poly_decompress_du_harness.c | 4 +- proofs/cbmc/poly_decompress_dv/Makefile | 12 +- .../poly_decompress_dv_harness.c | 4 +- proofs/cbmc/poly_frombytes/Makefile | 6 +- .../poly_frombytes/poly_frombytes_harness.c | 4 +- proofs/cbmc/poly_frombytes_native/Makefile | 2 +- .../poly_frombytes_native_harness.c | 4 +- proofs/cbmc/poly_frommsg/Makefile | 8 +- .../cbmc/poly_frommsg/poly_frommsg_harness.c | 4 +- proofs/cbmc/poly_getnoise_eta1122_4x/Makefile | 8 +- .../poly_getnoise_eta1122_4x_harness.c | 6 +- .../poly_getnoise_eta1122_4x_native/Makefile | 6 +- .../poly_getnoise_eta1122_4x_native_harness.c | 6 +- proofs/cbmc/poly_getnoise_eta1_4x/Makefile | 8 +- .../poly_getnoise_eta1_4x_harness.c | 4 +- proofs/cbmc/poly_getnoise_eta2/Makefile | 12 +- .../poly_getnoise_eta2_harness.c | 6 +- proofs/cbmc/poly_invntt_tomont/Makefile | 8 +- .../poly_invntt_tomont_harness.c | 4 +- .../cbmc/poly_invntt_tomont_native/Makefile | 2 +- .../poly_invntt_tomont_native_harness.c | 4 +- proofs/cbmc/poly_mulcache_compute/Makefile | 8 +- .../poly_mulcache_compute_harness.c | 6 +- .../poly_mulcache_compute_native/Makefile | 2 +- .../poly_mulcache_compute_native_harness.c | 6 +- proofs/cbmc/poly_ntt/Makefile | 8 +- proofs/cbmc/poly_ntt/poly_ntt_harness.c | 4 +- proofs/cbmc/poly_ntt_native/Makefile | 4 +- .../poly_ntt_native/poly_ntt_native_harness.c | 4 +- proofs/cbmc/poly_reduce/Makefile | 8 +- proofs/cbmc/poly_reduce/poly_reduce_harness.c | 4 +- proofs/cbmc/poly_reduce_native/Makefile | 2 +- .../poly_reduce_native_harness.c | 4 +- proofs/cbmc/poly_rej_uniform/Makefile | 8 +- .../poly_rej_uniform_harness.c | 4 +- proofs/cbmc/poly_rej_uniform_x4/Makefile | 8 +- .../poly_rej_uniform_x4_harness.c | 4 +- proofs/cbmc/poly_sub/Makefile | 6 +- proofs/cbmc/poly_sub/poly_sub_harness.c | 4 +- proofs/cbmc/poly_tobytes/Makefile | 6 +- .../cbmc/poly_tobytes/poly_tobytes_harness.c | 4 +- proofs/cbmc/poly_tobytes_native/Makefile | 2 +- .../poly_tobytes_native_harness.c | 4 +- proofs/cbmc/poly_tomont/Makefile | 8 +- proofs/cbmc/poly_tomont/poly_tomont_harness.c | 4 +- proofs/cbmc/poly_tomont_native/Makefile | 2 +- .../poly_tomont_native_harness.c | 4 +- proofs/cbmc/poly_tomsg/Makefile | 6 +- proofs/cbmc/poly_tomsg/poly_tomsg_harness.c | 4 +- proofs/cbmc/polyvec_add/Makefile | 8 +- proofs/cbmc/polyvec_add/polyvec_add_harness.c | 4 +- .../polyvec_basemul_acc_montgomery/Makefile | 8 +- .../polyvec_basemul_acc_montgomery_harness.c | 6 +- .../Makefile | 8 +- ...ec_basemul_acc_montgomery_cached_harness.c | 8 +- .../Makefile | 2 +- ...mul_acc_montgomery_cached_native_harness.c | 8 +- proofs/cbmc/polyvec_compress_du/Makefile | 8 +- .../polyvec_compress_du_harness.c | 4 +- proofs/cbmc/polyvec_decompress_du/Makefile | 8 +- .../polyvec_decompress_du_harness.c | 4 +- proofs/cbmc/polyvec_frombytes/Makefile | 8 +- .../polyvec_frombytes_harness.c | 4 +- proofs/cbmc/polyvec_invntt_tomont/Makefile | 8 +- .../polyvec_invntt_tomont_harness.c | 4 +- proofs/cbmc/polyvec_mulcache_compute/Makefile | 8 +- .../polyvec_mulcache_compute_harness.c | 6 +- proofs/cbmc/polyvec_ntt/Makefile | 8 +- proofs/cbmc/polyvec_ntt/polyvec_ntt_harness.c | 4 +- proofs/cbmc/polyvec_reduce/Makefile | 8 +- .../polyvec_reduce/polyvec_reduce_harness.c | 4 +- proofs/cbmc/polyvec_tobytes/Makefile | 8 +- .../polyvec_tobytes/polyvec_tobytes_harness.c | 4 +- proofs/cbmc/polyvec_tomont/Makefile | 8 +- .../polyvec_tomont/polyvec_tomont_harness.c | 4 +- proofs/cbmc/proof_guide.md | 42 +-- proofs/cbmc/rej_uniform/Makefile | 8 +- proofs/cbmc/rej_uniform/rej_uniform_harness.c | 6 +- proofs/cbmc/rej_uniform_native/Makefile | 4 +- .../rej_uniform_native_harness.c | 6 +- proofs/cbmc/rej_uniform_scalar/Makefile | 6 +- .../rej_uniform_scalar_harness.c | 6 +- proofs/cbmc/scalar_compress_d1/Makefile | 4 +- .../scalar_compress_d1_harness.c | 2 +- proofs/cbmc/scalar_compress_d10/Makefile | 4 +- .../scalar_compress_d10_harness.c | 2 +- proofs/cbmc/scalar_compress_d11/Makefile | 4 +- .../scalar_compress_d11_harness.c | 2 +- proofs/cbmc/scalar_compress_d4/Makefile | 4 +- .../scalar_compress_d4_harness.c | 2 +- proofs/cbmc/scalar_compress_d5/Makefile | 4 +- .../scalar_compress_d5_harness.c | 2 +- proofs/cbmc/scalar_decompress_d10/Makefile | 4 +- .../scalar_decompress_d10_harness.c | 2 +- proofs/cbmc/scalar_decompress_d11/Makefile | 4 +- .../scalar_decompress_d11_harness.c | 2 +- proofs/cbmc/scalar_decompress_d4/Makefile | 4 +- .../scalar_decompress_d4_harness.c | 2 +- proofs/cbmc/scalar_decompress_d5/Makefile | 4 +- .../scalar_decompress_d5_harness.c | 2 +- .../cbmc/scalar_signed_to_unsigned_q/Makefile | 6 +- .../scalar_signed_to_unsigned_q_harness.c | 6 +- proofs/cbmc/sha3_256/Makefile | 2 +- proofs/cbmc/sha3_512/Makefile | 2 +- proofs/cbmc/shake128_absorb_once/Makefile | 2 +- proofs/cbmc/shake128_squeezeblocks/Makefile | 2 +- proofs/cbmc/shake128x4_absorb_once/Makefile | 2 +- proofs/cbmc/shake128x4_squeezeblocks/Makefile | 2 +- proofs/cbmc/shake256/Makefile | 2 +- proofs/cbmc/shake256x4/Makefile | 2 +- scripts/autogen | 14 +- test/bench_components_mlkem.c | 186 +++++------ test/test_mlkem.c | 32 +- 247 files changed, 1799 insertions(+), 1799 deletions(-) diff --git a/dev/aarch64_clean/src/aarch64_zetas.c b/dev/aarch64_clean/src/aarch64_zetas.c index 6b3f52e46..0e1edfdb6 100644 --- a/dev/aarch64_clean/src/aarch64_zetas.c +++ b/dev/aarch64_clean/src/aarch64_zetas.c @@ -20,7 +20,7 @@ * Table of zeta values used in the AArch64 forward NTT * See autogen for details. */ -MLK_ALIGN const int16_t aarch64_ntt_zetas_layer01234[] = { +MLK_ALIGN const int16_t mlk_aarch64_ntt_zetas_layer01234[] = { -1600, -15749, -749, -7373, -40, -394, -687, -6762, 630, 6201, -1432, -14095, 848, 8347, 0, 0, 1062, 10453, 296, 2914, -882, -8682, 0, 0, -1410, -13879, 1339, 13180, 1476, 14529, @@ -31,7 +31,7 @@ MLK_ALIGN const int16_t aarch64_ntt_zetas_layer01234[] = { 0, 0, -1583, -15582, -1355, -13338, 821, 8081, 0, 0, }; -MLK_ALIGN const int16_t aarch64_ntt_zetas_layer56[] = { +MLK_ALIGN const int16_t mlk_aarch64_ntt_zetas_layer56[] = { 289, 289, 331, 331, -76, -76, -1573, -1573, 2845, 2845, 3258, 3258, -748, -748, -15483, -15483, 17, 17, 583, 583, 1637, 1637, -1041, -1041, 167, 167, 5739, @@ -88,7 +88,7 @@ MLK_ALIGN const int16_t aarch64_invntt_zetas_layer01234[] = { -848, -8347, 1432, 14095, -630, -6201, 687, 6762, 0, 0, }; -MLK_ALIGN const int16_t aarch64_invntt_zetas_layer56[] = { +MLK_ALIGN const int16_t mlk_aarch64_invntt_zetas_layer56[] = { -910, -910, -1227, -1227, 219, 219, 855, 855, -8957, -8957, -12078, -12078, 2156, 2156, 8416, 8416, 1175, 1175, 394, 394, -1029, -1029, -1212, -1212, 11566, 11566, 3878, diff --git a/dev/aarch64_clean/src/arith_native_aarch64.h b/dev/aarch64_clean/src/arith_native_aarch64.h index 8ca61f64b..cad36d56b 100644 --- a/dev/aarch64_clean/src/arith_native_aarch64.h +++ b/dev/aarch64_clean/src/arith_native_aarch64.h @@ -8,40 +8,40 @@ #include #include "../../../common.h" -#define aarch64_ntt_zetas_layer01234 MLK_NAMESPACE(aarch64_ntt_zetas_layer01234) -#define aarch64_ntt_zetas_layer56 MLK_NAMESPACE(aarch64_ntt_zetas_layer56) +#define mlk_aarch64_ntt_zetas_layer01234 MLK_NAMESPACE(aarch64_ntt_zetas_layer01234) +#define mlk_aarch64_ntt_zetas_layer56 MLK_NAMESPACE(aarch64_ntt_zetas_layer56) #define aarch64_invntt_zetas_layer01234 \ MLK_NAMESPACE(aarch64_invntt_zetas_layer01234) -#define aarch64_invntt_zetas_layer56 MLK_NAMESPACE(aarch64_invntt_zetas_layer56) +#define mlk_aarch64_invntt_zetas_layer56 MLK_NAMESPACE(aarch64_invntt_zetas_layer56) #define aarch64_zetas_mulcache_native \ MLK_NAMESPACE(aarch64_zetas_mulcache_native) #define aarch64_zetas_mulcache_twisted_native \ MLK_NAMESPACE(aarch64_zetas_mulcache_twisted_native) -#define rej_uniform_table MLK_NAMESPACE(rej_uniform_table) +#define mlk_rej_uniform_table MLK_NAMESPACE(rej_uniform_table) -extern const int16_t aarch64_ntt_zetas_layer01234[]; -extern const int16_t aarch64_ntt_zetas_layer56[]; +extern const int16_t mlk_aarch64_ntt_zetas_layer01234[]; +extern const int16_t mlk_aarch64_ntt_zetas_layer56[]; extern const int16_t aarch64_invntt_zetas_layer01234[]; -extern const int16_t aarch64_invntt_zetas_layer56[]; +extern const int16_t mlk_aarch64_invntt_zetas_layer56[]; extern const int16_t aarch64_zetas_mulcache_native[]; extern const int16_t aarch64_zetas_mulcache_twisted_native[]; -extern const uint8_t rej_uniform_table[]; +extern const uint8_t mlk_rej_uniform_table[]; -#define ntt_asm_clean MLK_NAMESPACE(ntt_asm_clean) -void ntt_asm_clean(int16_t *, const int16_t *, const int16_t *); +#define mlk_ntt_asm_clean MLK_NAMESPACE(ntt_asm_clean) +void mlk_ntt_asm_clean(int16_t *, const int16_t *, const int16_t *); -#define intt_asm_clean MLK_NAMESPACE(intt_asm_clean) -void intt_asm_clean(int16_t *, const int16_t *, const int16_t *); +#define mlk_intt_asm_clean MLK_NAMESPACE(intt_asm_clean) +void mlk_intt_asm_clean(int16_t *, const int16_t *, const int16_t *); -#define rej_uniform_asm_clean MLK_NAMESPACE(rej_uniform_asm_clean) -unsigned rej_uniform_asm_clean(int16_t *r, const uint8_t *buf, unsigned buflen, +#define mlk_rej_uniform_asm_clean MLK_NAMESPACE(rej_uniform_asm_clean) +unsigned mlk_rej_uniform_asm_clean(int16_t *r, const uint8_t *buf, unsigned buflen, const uint8_t *table); -#define poly_reduce_asm_clean MLK_NAMESPACE(poly_reduce_asm_clean) -void poly_reduce_asm_clean(int16_t *); +#define mlk_poly_reduce_asm_clean MLK_NAMESPACE(poly_reduce_asm_clean) +void mlk_poly_reduce_asm_clean(int16_t *); -#define poly_tomont_asm_clean MLK_NAMESPACE(poly_tomont_asm_clean) -void poly_tomont_asm_clean(int16_t *); +#define mlk_poly_tomont_asm_clean MLK_NAMESPACE(poly_tomont_asm_clean) +void mlk_poly_tomont_asm_clean(int16_t *); #define poly_mulcache_compute_asm_clean \ MLK_NAMESPACE(poly_mulcache_compute_asm_clean) @@ -49,8 +49,8 @@ void poly_mulcache_compute_asm_clean(int16_t *, const int16_t *, const int16_t *, const int16_t *); -#define poly_tobytes_asm_clean MLK_NAMESPACE(poly_tobytes_asm_clean) -void poly_tobytes_asm_clean(uint8_t *r, const int16_t *a); +#define mlk_poly_tobytes_asm_clean MLK_NAMESPACE(poly_tobytes_asm_clean) +void mlk_poly_tobytes_asm_clean(uint8_t *r, const int16_t *a); #define polyvec_basemul_acc_montgomery_cached_asm_k2_clean \ MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_asm_k2_clean) diff --git a/dev/aarch64_clean/src/clean_impl.h b/dev/aarch64_clean/src/clean_impl.h index 59469196b..f2a3954ba 100644 --- a/dev/aarch64_clean/src/clean_impl.h +++ b/dev/aarch64_clean/src/clean_impl.h @@ -26,23 +26,23 @@ static MLK_INLINE void ntt_native(int16_t data[MLKEM_N]) { - ntt_asm_clean(data, aarch64_ntt_zetas_layer01234, aarch64_ntt_zetas_layer56); + mlk_ntt_asm_clean(data, mlk_aarch64_ntt_zetas_layer01234, mlk_aarch64_ntt_zetas_layer56); } static MLK_INLINE void intt_native(int16_t data[MLKEM_N]) { - intt_asm_clean(data, aarch64_invntt_zetas_layer01234, - aarch64_invntt_zetas_layer56); + mlk_intt_asm_clean(data, aarch64_invntt_zetas_layer01234, + mlk_aarch64_invntt_zetas_layer56); } static MLK_INLINE void poly_reduce_native(int16_t data[MLKEM_N]) { - poly_reduce_asm_clean(data); + mlk_poly_reduce_asm_clean(data); } static MLK_INLINE void poly_tomont_native(int16_t data[MLKEM_N]) { - poly_tomont_asm_clean(data); + mlk_poly_tomont_asm_clean(data); } static MLK_INLINE void poly_mulcache_compute_native(int16_t x[MLKEM_N / 2], @@ -76,7 +76,7 @@ static MLK_INLINE void polyvec_basemul_acc_montgomery_cached_k4_native( static MLK_INLINE void poly_tobytes_native(uint8_t r[MLKEM_POLYBYTES], const int16_t a[MLKEM_N]) { - poly_tobytes_asm_clean(r, a); + mlk_poly_tobytes_asm_clean(r, a); } static MLK_INLINE int rej_uniform_native(int16_t *r, unsigned len, @@ -86,7 +86,7 @@ static MLK_INLINE int rej_uniform_native(int16_t *r, unsigned len, { return -1; } - return (int)rej_uniform_asm_clean(r, buf, buflen, rej_uniform_table); + return (int)mlk_rej_uniform_asm_clean(r, buf, buflen, mlk_rej_uniform_table); } #endif /* MLK_ARITH_PROFILE_IMPL_H */ diff --git a/dev/aarch64_clean/src/consts.h b/dev/aarch64_clean/src/consts.h index da304e973..03f4f45bf 100644 --- a/dev/aarch64_clean/src/consts.h +++ b/dev/aarch64_clean/src/consts.h @@ -9,8 +9,8 @@ #include #include "../../../common.h" -#define zetas_mulcache_native MLK_NAMESPACE(zetas_mulcache_native) -extern const int16_t zetas_mulcache_native[256]; +#define mlk_zetas_mulcache_native MLK_NAMESPACE(zetas_mulcache_native) +extern const int16_t mlk_zetas_mulcache_native[256]; #define zetas_mulcache_twisted_native \ MLK_NAMESPACE(zetas_mulcache_twisted_native) diff --git a/dev/aarch64_clean/src/intt_clean.S b/dev/aarch64_clean/src/intt_clean.S index 72403504a..9570bf8eb 100644 --- a/dev/aarch64_clean/src/intt_clean.S +++ b/dev/aarch64_clean/src/intt_clean.S @@ -68,7 +68,7 @@ mulmod \dst3, \src3, ninv, ninv_tw .endm -.macro barrett_reduce a +.macro mlk_barrett_reduce a sqdmulh t0.8h, \a\().8h, consts.h[1] srshr t0.8h, t0.8h, #11 mls \a\().8h, t0.8h, consts.h[0] @@ -271,10 +271,10 @@ layer3456_start: // Not all of those reductions are needed, but the bounds tracking // is easier if we uniformly reduce at this point. - barrett_reduce data0 - barrett_reduce data2 - barrett_reduce data1 - barrett_reduce data3 + mlk_barrett_reduce data0 + mlk_barrett_reduce data2 + mlk_barrett_reduce data1 + mlk_barrett_reduce data3 // Bounds: q/2 diff --git a/dev/aarch64_clean/src/ntt_clean.S b/dev/aarch64_clean/src/ntt_clean.S index a4ab586c3..6c59ad3dd 100644 --- a/dev/aarch64_clean/src/ntt_clean.S +++ b/dev/aarch64_clean/src/ntt_clean.S @@ -189,7 +189,7 @@ MLK_ASM_NAMESPACE(ntt_asm_clean): // is modified through the addition/subtraction of a Montgomery // product of a twiddle of absolute value < q/2 and a layer-N value. // - Recalling that for C such that |a| < C * q and |t| #include "../../../common.h" -#define aarch64_ntt_zetas_layer01234 MLK_NAMESPACE(aarch64_ntt_zetas_layer01234) -#define aarch64_ntt_zetas_layer56 MLK_NAMESPACE(aarch64_ntt_zetas_layer56) +#define mlk_aarch64_ntt_zetas_layer01234 MLK_NAMESPACE(aarch64_ntt_zetas_layer01234) +#define mlk_aarch64_ntt_zetas_layer56 MLK_NAMESPACE(aarch64_ntt_zetas_layer56) #define aarch64_invntt_zetas_layer01234 \ MLK_NAMESPACE(aarch64_invntt_zetas_layer01234) -#define aarch64_invntt_zetas_layer56 MLK_NAMESPACE(aarch64_invntt_zetas_layer56) +#define mlk_aarch64_invntt_zetas_layer56 MLK_NAMESPACE(aarch64_invntt_zetas_layer56) #define aarch64_zetas_mulcache_native \ MLK_NAMESPACE(aarch64_zetas_mulcache_native) #define aarch64_zetas_mulcache_twisted_native \ MLK_NAMESPACE(aarch64_zetas_mulcache_twisted_native) -#define rej_uniform_table MLK_NAMESPACE(rej_uniform_table) +#define mlk_rej_uniform_table MLK_NAMESPACE(rej_uniform_table) -extern const int16_t aarch64_ntt_zetas_layer01234[]; -extern const int16_t aarch64_ntt_zetas_layer56[]; +extern const int16_t mlk_aarch64_ntt_zetas_layer01234[]; +extern const int16_t mlk_aarch64_ntt_zetas_layer56[]; extern const int16_t aarch64_invntt_zetas_layer01234[]; -extern const int16_t aarch64_invntt_zetas_layer56[]; +extern const int16_t mlk_aarch64_invntt_zetas_layer56[]; extern const int16_t aarch64_zetas_mulcache_native[]; extern const int16_t aarch64_zetas_mulcache_twisted_native[]; -extern const uint8_t rej_uniform_table[]; +extern const uint8_t mlk_rej_uniform_table[]; -#define ntt_asm_opt MLK_NAMESPACE(ntt_asm_opt) -void ntt_asm_opt(int16_t *, const int16_t *, const int16_t *); +#define mlk_ntt_asm_opt MLK_NAMESPACE(ntt_asm_opt) +void mlk_ntt_asm_opt(int16_t *, const int16_t *, const int16_t *); -#define intt_asm_opt MLK_NAMESPACE(intt_asm_opt) -void intt_asm_opt(int16_t *, const int16_t *, const int16_t *); +#define mlk_intt_asm_opt MLK_NAMESPACE(intt_asm_opt) +void mlk_intt_asm_opt(int16_t *, const int16_t *, const int16_t *); -#define poly_reduce_asm_opt MLK_NAMESPACE(poly_reduce_asm_opt) -void poly_reduce_asm_opt(int16_t *); +#define mlk_poly_reduce_asm_opt MLK_NAMESPACE(poly_reduce_asm_opt) +void mlk_poly_reduce_asm_opt(int16_t *); -#define poly_tomont_asm_opt MLK_NAMESPACE(poly_tomont_asm_opt) -void poly_tomont_asm_opt(int16_t *); +#define mlk_poly_tomont_asm_opt MLK_NAMESPACE(poly_tomont_asm_opt) +void mlk_poly_tomont_asm_opt(int16_t *); #define poly_mulcache_compute_asm_opt \ MLK_NAMESPACE(poly_mulcache_compute_asm_opt) void poly_mulcache_compute_asm_opt(int16_t *, const int16_t *, const int16_t *, const int16_t *); -#define poly_tobytes_asm_opt MLK_NAMESPACE(poly_tobytes_asm_opt) -void poly_tobytes_asm_opt(uint8_t *r, const int16_t *a); +#define mlk_poly_tobytes_asm_opt MLK_NAMESPACE(poly_tobytes_asm_opt) +void mlk_poly_tobytes_asm_opt(uint8_t *r, const int16_t *a); #define polyvec_basemul_acc_montgomery_cached_asm_k2_opt \ MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_asm_k2_opt) @@ -68,8 +68,8 @@ void polyvec_basemul_acc_montgomery_cached_asm_k4_opt(int16_t *r, const int16_t *b, const int16_t *b_cache); -#define rej_uniform_asm_clean MLK_NAMESPACE(rej_uniform_asm_clean) -unsigned rej_uniform_asm_clean(int16_t *r, const uint8_t *buf, unsigned buflen, +#define mlk_rej_uniform_asm_clean MLK_NAMESPACE(rej_uniform_asm_clean) +unsigned mlk_rej_uniform_asm_clean(int16_t *r, const uint8_t *buf, unsigned buflen, const uint8_t *table); #endif /* MLK_DEV_AARCH64_OPT_SRC_ARITH_NATIVE_AARCH64_H */ diff --git a/dev/aarch64_opt/src/consts.h b/dev/aarch64_opt/src/consts.h index 96e91a01f..83d253c94 100644 --- a/dev/aarch64_opt/src/consts.h +++ b/dev/aarch64_opt/src/consts.h @@ -9,8 +9,8 @@ #include #include "../../../common.h" -#define zetas_mulcache_native MLK_NAMESPACE(zetas_mulcache_native) -extern const int16_t zetas_mulcache_native[256]; +#define mlk_zetas_mulcache_native MLK_NAMESPACE(zetas_mulcache_native) +extern const int16_t mlk_zetas_mulcache_native[256]; #define zetas_mulcache_twisted_native \ MLK_NAMESPACE(zetas_mulcache_twisted_native) diff --git a/dev/aarch64_opt/src/intt_opt.S b/dev/aarch64_opt/src/intt_opt.S index b827c2971..eb9784cb1 100644 --- a/dev/aarch64_opt/src/intt_opt.S +++ b/dev/aarch64_opt/src/intt_opt.S @@ -68,7 +68,7 @@ mulmod \dst3, \src3, ninv, ninv_tw .endm -.macro barrett_reduce a +.macro mlk_barrett_reduce a sqdmulh t0.8h, \a\().8h, consts.h[1] srshr t0.8h, t0.8h, #11 mls \a\().8h, t0.8h, consts.h[0] diff --git a/dev/aarch64_opt/src/ntt_opt.S b/dev/aarch64_opt/src/ntt_opt.S index b5824d645..6d4ef7cfb 100644 --- a/dev/aarch64_opt/src/ntt_opt.S +++ b/dev/aarch64_opt/src/ntt_opt.S @@ -190,7 +190,7 @@ MLK_ASM_NAMESPACE(ntt_asm_opt): // is modified through the addition/subtraction of a Montgomery // product of a twiddle of absolute value < q/2 and a layer-N value. // - Recalling that for C such that |a| < C * q and |t|> 0) & 0xFF])); + _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[(good >> 0) & 0xFF])); g1 = _mm256_castsi128_si256( - _mm_loadl_epi64((__m128i *)&rej_uniform_table[(good >> 8) & 0xFF])); + _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[(good >> 8) & 0xFF])); g0 = _mm256_inserti128_si256( - g0, _mm_loadl_epi64((__m128i *)&rej_uniform_table[(good >> 16) & 0xFF]), + g0, _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[(good >> 16) & 0xFF]), 1); g1 = _mm256_inserti128_si256( - g1, _mm_loadl_epi64((__m128i *)&rej_uniform_table[(good >> 24) & 0xFF]), + g1, _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[(good >> 24) & 0xFF]), 1); g2 = _mm256_add_epi8(g0, ones); @@ -100,7 +100,7 @@ unsigned rej_uniform_avx2(int16_t *MLK_RESTRICT r, const uint8_t *buf) good = _mm_movemask_epi8(t); good = _pext_u32(good, 0x5555); - pilo = _mm_loadl_epi64((__m128i *)&rej_uniform_table[good]); + pilo = _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[good]); pihi = _mm_add_epi8(pilo, _mm256_castsi256_si128(ones)); pilo = _mm_unpacklo_epi8(pilo, pihi); diff --git a/dev/x86_64/src/rej_uniform_table.c b/dev/x86_64/src/rej_uniform_table.c index c411e35e4..dce708456 100644 --- a/dev/x86_64/src/rej_uniform_table.c +++ b/dev/x86_64/src/rej_uniform_table.c @@ -20,7 +20,7 @@ * Lookup table used by rejection sampling of the public matrix. * See autogen for details. */ -MLK_ALIGN const uint8_t rej_uniform_table[256][8] = { +MLK_ALIGN const uint8_t mlk_rej_uniform_table[256][8] = { {-1, -1, -1, -1, -1, -1, -1, -1}, {0, -1, -1, -1, -1, -1, -1, -1}, {2, -1, -1, -1, -1, -1, -1, -1}, {0, 2, -1, -1, -1, -1, -1, -1}, {4, -1, -1, -1, -1, -1, -1, -1}, {0, 4, -1, -1, -1, -1, -1, -1}, diff --git a/dev/x86_64/src/tomont.S b/dev/x86_64/src/tomont.S index 6f5bebcec..19f32a437 100644 --- a/dev/x86_64/src/tomont.S +++ b/dev/x86_64/src/tomont.S @@ -9,7 +9,7 @@ // Changes: // - Add call to csub in reduce128_avx to produce outputs // in [0,1,...,q-1] rather than [0,1,...,q], matching the -// semantics of poly_reduce(). +// semantics of mlk_poly_reduce(). #include "../../../common.h" #if defined(MLK_ARITH_BACKEND_X86_64_DEFAULT) && \ diff --git a/examples/monolithic_build/mlkem_native_monobuild.c b/examples/monolithic_build/mlkem_native_monobuild.c index f5f80cf61..d7d2c359b 100644 --- a/examples/monolithic_build/mlkem_native_monobuild.c +++ b/examples/monolithic_build/mlkem_native_monobuild.c @@ -76,10 +76,10 @@ #undef MLK_NAMESPACE_PREFIX /* mlkem/indcpa.h */ #undef MLK_INDCPA_H -#undef gen_matrix -#undef indcpa_dec -#undef indcpa_enc -#undef indcpa_keypair_derand +#undef mlk_gen_matrix +#undef mlk_indcpa_dec +#undef mlk_indcpa_enc +#undef mlk_indcpa_keypair_derand /* mlkem/kem.h */ #undef MLK_KEM_H #undef crypto_kem_dec @@ -159,28 +159,28 @@ #undef MLK_PARAMS_H /* mlkem/poly_k.h */ #undef MLK_POLY_K_H -#undef poly_compress_du -#undef poly_compress_dv -#undef poly_decompress_du -#undef poly_decompress_dv -#undef poly_getnoise_eta1122_4x -#undef poly_getnoise_eta1_4x -#undef poly_getnoise_eta2 -#undef poly_getnoise_eta2_4x -#undef polyvec -#undef polyvec_add -#undef polyvec_basemul_acc_montgomery -#undef polyvec_basemul_acc_montgomery_cached -#undef polyvec_compress_du -#undef polyvec_decompress_du -#undef polyvec_frombytes -#undef polyvec_invntt_tomont -#undef polyvec_mulcache -#undef polyvec_mulcache_compute -#undef polyvec_ntt -#undef polyvec_reduce -#undef polyvec_tobytes -#undef polyvec_tomont +#undef mlk_poly_compress_du +#undef mlk_poly_compress_dv +#undef mlk_poly_decompress_du +#undef mlk_poly_decompress_dv +#undef mlk_poly_getnoise_eta1122_4x +#undef mlk_poly_getnoise_eta1_4x +#undef mlk_poly_getnoise_eta2 +#undef mlk_poly_getnoise_eta2_4x +#undef mlk_polyvec +#undef mlk_polyvec_add +#undef mlk_polyvec_basemul_acc_montgomery +#undef mlk_polyvec_basemul_acc_montgomery_cached +#undef mlk_polyvec_compress_du +#undef mlk_polyvec_decompress_du +#undef mlk_polyvec_frombytes +#undef mlk_polyvec_invntt_tomont +#undef mlk_polyvec_mulcache +#undef mlk_polyvec_mulcache_compute +#undef mlk_polyvec_ntt +#undef mlk_polyvec_reduce +#undef mlk_polyvec_tobytes +#undef mlk_polyvec_tomont #if !defined(MLK_MONOBUILD_KEEP_SHARED_HEADERS) /* @@ -195,22 +195,22 @@ /* dev/aarch64_clean/src/arith_native_aarch64.h */ #undef MLK_DEV_AARCH64_CLEAN_SRC_ARITH_NATIVE_AARCH64_H #undef aarch64_invntt_zetas_layer01234 -#undef aarch64_invntt_zetas_layer56 -#undef aarch64_ntt_zetas_layer01234 -#undef aarch64_ntt_zetas_layer56 +#undef mlk_aarch64_invntt_zetas_layer56 +#undef mlk_aarch64_ntt_zetas_layer01234 +#undef mlk_aarch64_ntt_zetas_layer56 #undef aarch64_zetas_mulcache_native #undef aarch64_zetas_mulcache_twisted_native -#undef intt_asm_clean -#undef ntt_asm_clean +#undef mlk_intt_asm_clean +#undef mlk_ntt_asm_clean #undef poly_mulcache_compute_asm_clean -#undef poly_reduce_asm_clean -#undef poly_tobytes_asm_clean -#undef poly_tomont_asm_clean +#undef mlk_poly_reduce_asm_clean +#undef mlk_poly_tobytes_asm_clean +#undef mlk_poly_tomont_asm_clean #undef polyvec_basemul_acc_montgomery_cached_asm_k2_clean #undef polyvec_basemul_acc_montgomery_cached_asm_k3_clean #undef polyvec_basemul_acc_montgomery_cached_asm_k4_clean -#undef rej_uniform_asm_clean -#undef rej_uniform_table +#undef mlk_rej_uniform_asm_clean +#undef mlk_rej_uniform_table /* dev/aarch64_clean/src/clean_impl.h */ #undef MLK_ARITH_PROFILE_IMPL_H #undef MLK_DEV_AARCH64_CLEAN_SRC_CLEAN_IMPL_H @@ -224,7 +224,7 @@ #undef MLK_USE_NATIVE_REJ_UNIFORM /* dev/aarch64_clean/src/consts.h */ #undef MLK_DEV_AARCH64_CLEAN_SRC_CONSTS_H -#undef zetas_mulcache_native +#undef mlk_zetas_mulcache_native #undef zetas_mulcache_twisted_native /* dev/aarch64_opt/meta.h */ #undef MLK_ARITH_BACKEND_AARCH64_OPT @@ -235,25 +235,25 @@ /* dev/aarch64_opt/src/arith_native_aarch64.h */ #undef MLK_DEV_AARCH64_OPT_SRC_ARITH_NATIVE_AARCH64_H #undef aarch64_invntt_zetas_layer01234 -#undef aarch64_invntt_zetas_layer56 -#undef aarch64_ntt_zetas_layer01234 -#undef aarch64_ntt_zetas_layer56 +#undef mlk_aarch64_invntt_zetas_layer56 +#undef mlk_aarch64_ntt_zetas_layer01234 +#undef mlk_aarch64_ntt_zetas_layer56 #undef aarch64_zetas_mulcache_native #undef aarch64_zetas_mulcache_twisted_native -#undef intt_asm_opt -#undef ntt_asm_opt +#undef mlk_intt_asm_opt +#undef mlk_ntt_asm_opt #undef poly_mulcache_compute_asm_opt -#undef poly_reduce_asm_opt -#undef poly_tobytes_asm_opt -#undef poly_tomont_asm_opt +#undef mlk_poly_reduce_asm_opt +#undef mlk_poly_tobytes_asm_opt +#undef mlk_poly_tomont_asm_opt #undef polyvec_basemul_acc_montgomery_cached_asm_k2_opt #undef polyvec_basemul_acc_montgomery_cached_asm_k3_opt #undef polyvec_basemul_acc_montgomery_cached_asm_k4_opt -#undef rej_uniform_asm_clean -#undef rej_uniform_table +#undef mlk_rej_uniform_asm_clean +#undef mlk_rej_uniform_table /* dev/aarch64_opt/src/consts.h */ #undef MLK_DEV_AARCH64_OPT_SRC_CONSTS_H -#undef zetas_mulcache_native +#undef mlk_zetas_mulcache_native #undef zetas_mulcache_twisted_native /* dev/aarch64_opt/src/opt_impl.h */ #undef MLK_ARITH_PROFILE_IMPL_H @@ -310,26 +310,26 @@ /* dev/x86_64/src/arith_native_x86_64.h */ #undef MLK_AVX2_REJ_UNIFORM_BUFLEN #undef MLK_DEV_X86_64_SRC_ARITH_NATIVE_X86_64_H -#undef basemul_avx2 -#undef invntt_avx2 -#undef ntt_avx2 -#undef nttfrombytes_avx2 -#undef nttpack_avx2 -#undef ntttobytes_avx2 -#undef nttunpack_avx2 -#undef poly_compress_d10_avx2 -#undef poly_compress_d11_avx2 -#undef poly_compress_d4_avx2 -#undef poly_compress_d5_avx2 -#undef poly_decompress_d10_avx2 -#undef poly_decompress_d11_avx2 -#undef poly_decompress_d4_avx2 -#undef poly_decompress_d5_avx2 +#undef mlk_basemul_avx2 +#undef mlk_invntt_avx2 +#undef mlk_ntt_avx2 +#undef mlk_nttfrombytes_avx2 +#undef mlk_nttpack_avx2 +#undef mlk_ntttobytes_avx2 +#undef mlk_nttunpack_avx2 +#undef mlk_poly_compress_d10_avx2 +#undef mlk_poly_compress_d11_avx2 +#undef mlk_poly_compress_d4_avx2 +#undef mlk_poly_compress_d5_avx2 +#undef mlk_poly_decompress_d10_avx2 +#undef mlk_poly_decompress_d11_avx2 +#undef mlk_poly_decompress_d4_avx2 +#undef mlk_poly_decompress_d5_avx2 #undef polyvec_basemul_acc_montgomery_cached_avx2 -#undef reduce_avx2 -#undef rej_uniform_avx2 -#undef rej_uniform_table -#undef tomont_avx2 +#undef mlk_reduce_avx2 +#undef mlk_rej_uniform_avx2 +#undef mlk_rej_uniform_table +#undef mlk_tomont_avx2 /* dev/x86_64/src/consts.h */ #undef MLK_AVX2_BACKEND_DATA_OFFSET_16XFHI #undef MLK_AVX2_BACKEND_DATA_OFFSET_16XFLO @@ -344,7 +344,7 @@ #undef MLK_AVX2_BACKEND_DATA_OFFSET_REVIDXD #undef MLK_AVX2_BACKEND_DATA_OFFSET_ZETAS_EXP #undef MLK_DEV_X86_64_SRC_CONSTS_H -#undef qdata +#undef mlk_qdata /* dev/x86_64/src/default_impl.h */ #undef MLK_ARITH_PROFILE_IMPL_H #undef MLK_DEV_X86_64_SRC_DEFAULT_IMPL_H @@ -370,27 +370,27 @@ #undef MLK_ARITH_BACKEND_H /* mlkem/compress.h */ #undef MLK_COMPRESS_H -#undef poly_compress_d10 -#undef poly_compress_d11 -#undef poly_compress_d4 -#undef poly_compress_d5 -#undef poly_decompress_d10 -#undef poly_decompress_d11 -#undef poly_decompress_d4 -#undef poly_decompress_d5 -#undef poly_frombytes -#undef poly_frommsg -#undef poly_tobytes -#undef poly_tomsg -#undef scalar_compress_d1 -#undef scalar_compress_d10 -#undef scalar_compress_d11 -#undef scalar_compress_d4 -#undef scalar_compress_d5 -#undef scalar_decompress_d10 -#undef scalar_decompress_d11 -#undef scalar_decompress_d4 -#undef scalar_decompress_d5 +#undef mlk_poly_compress_d10 +#undef mlk_poly_compress_d11 +#undef mlk_poly_compress_d4 +#undef mlk_poly_compress_d5 +#undef mlk_poly_decompress_d10 +#undef mlk_poly_decompress_d11 +#undef mlk_poly_decompress_d4 +#undef mlk_poly_decompress_d5 +#undef mlk_poly_frombytes +#undef mlk_poly_frommsg +#undef mlk_poly_tobytes +#undef mlk_poly_tomsg +#undef mlk_scalar_compress_d1 +#undef mlk_scalar_compress_d10 +#undef mlk_scalar_compress_d11 +#undef mlk_scalar_compress_d4 +#undef mlk_scalar_compress_d5 +#undef mlk_scalar_decompress_d10 +#undef mlk_scalar_decompress_d11 +#undef mlk_scalar_decompress_d4 +#undef mlk_scalar_decompress_d5 /* mlkem/debug.h */ #undef MLK_DEBUG_H #undef debug_assert @@ -398,8 +398,8 @@ #undef debug_assert_abs_bound_2d #undef debug_assert_bound #undef debug_assert_bound_2d -#undef mlkem_debug_assert -#undef mlkem_debug_check_bounds +#undef mlk_mlkem_debug_assert +#undef mlk_mlkem_debug_check_bounds /* mlkem/fips202/fips202.h */ #undef FIPS202_X4_DEFAULT_IMPLEMENTATION #undef MLK_FIPS202_FIPS202_H @@ -442,26 +442,26 @@ #undef MLK_INVNTT_BOUND #undef MLK_NTT_BOUND #undef MLK_POLY_H -#undef cast_uint16_to_int16 -#undef montgomery_reduce -#undef poly -#undef poly_add -#undef poly_invntt_tomont -#undef poly_mulcache -#undef poly_mulcache_compute -#undef poly_ntt -#undef poly_reduce -#undef poly_sub -#undef poly_tomont -#undef zetas +#undef mlk_cast_uint16_to_int16 +#undef mlk_montgomery_reduce +#undef mlk_poly +#undef mlk_poly_add +#undef mlk_poly_invntt_tomont +#undef mlk_poly_mulcache +#undef mlk_poly_mulcache_compute +#undef mlk_poly_ntt +#undef mlk_poly_reduce +#undef mlk_poly_sub +#undef mlk_poly_tomont +#undef mlk_zetas /* mlkem/randombytes.h */ #undef MLK_RANDOMBYTES_H /* mlkem/sampling.h */ #undef MLK_SAMPLING_H -#undef poly_cbd2 -#undef poly_cbd3 -#undef poly_rej_uniform -#undef poly_rej_uniform_x4 +#undef mlk_poly_cbd2 +#undef mlk_poly_cbd3 +#undef mlk_poly_rej_uniform +#undef mlk_poly_rej_uniform_x4 /* mlkem/symmetric.h */ #undef MLK_SYMMETRIC_H #undef XOF_RATE @@ -498,17 +498,17 @@ /* mlkem/verify.h */ #undef MLK_USE_ASM_VALUE_BARRIER #undef MLK_VERIFY_H -#undef ct_cmask_neg_i16 -#undef ct_cmask_nonzero_u16 -#undef ct_cmask_nonzero_u8 -#undef ct_cmov_zero -#undef ct_memcmp -#undef ct_opt_blocker_u64 -#undef ct_sel_int16 -#undef ct_sel_uint8 -#undef value_barrier_i32 -#undef value_barrier_u32 -#undef value_barrier_u8 +#undef mlk_ct_cmask_neg_i16 +#undef mlk_ct_cmask_nonzero_u16 +#undef mlk_ct_cmask_nonzero_u8 +#undef mlk_ct_cmov_zero +#undef mlk_ct_memcmp +#undef mlk_ct_opt_blocker_u64 +#undef mlk_ct_sel_int16 +#undef mlk_ct_sel_uint8 +#undef mlk_value_barrier_i32 +#undef mlk_value_barrier_u32 +#undef mlk_value_barrier_u8 /* mlkem/cbmc.h */ #undef MLK_CBMC_H #undef __contract__ @@ -578,25 +578,25 @@ /* mlkem/native/aarch64/src/arith_native_aarch64.h */ #undef MLK_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H #undef aarch64_invntt_zetas_layer01234 -#undef aarch64_invntt_zetas_layer56 -#undef aarch64_ntt_zetas_layer01234 -#undef aarch64_ntt_zetas_layer56 +#undef mlk_aarch64_invntt_zetas_layer56 +#undef mlk_aarch64_ntt_zetas_layer01234 +#undef mlk_aarch64_ntt_zetas_layer56 #undef aarch64_zetas_mulcache_native #undef aarch64_zetas_mulcache_twisted_native -#undef intt_asm_opt -#undef ntt_asm_opt +#undef mlk_intt_asm_opt +#undef mlk_ntt_asm_opt #undef poly_mulcache_compute_asm_opt -#undef poly_reduce_asm_opt -#undef poly_tobytes_asm_opt -#undef poly_tomont_asm_opt +#undef mlk_poly_reduce_asm_opt +#undef mlk_poly_tobytes_asm_opt +#undef mlk_poly_tomont_asm_opt #undef polyvec_basemul_acc_montgomery_cached_asm_k2_opt #undef polyvec_basemul_acc_montgomery_cached_asm_k3_opt #undef polyvec_basemul_acc_montgomery_cached_asm_k4_opt -#undef rej_uniform_asm_clean -#undef rej_uniform_table +#undef mlk_rej_uniform_asm_clean +#undef mlk_rej_uniform_table /* mlkem/native/aarch64/src/consts.h */ #undef MLK_NATIVE_AARCH64_SRC_CONSTS_H -#undef zetas_mulcache_native +#undef mlk_zetas_mulcache_native #undef zetas_mulcache_twisted_native /* mlkem/native/aarch64/src/opt_impl.h */ #undef MLK_ARITH_PROFILE_IMPL_H @@ -627,26 +627,26 @@ /* mlkem/native/x86_64/src/arith_native_x86_64.h */ #undef MLK_AVX2_REJ_UNIFORM_BUFLEN #undef MLK_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H -#undef basemul_avx2 -#undef invntt_avx2 -#undef ntt_avx2 -#undef nttfrombytes_avx2 -#undef nttpack_avx2 -#undef ntttobytes_avx2 -#undef nttunpack_avx2 -#undef poly_compress_d10_avx2 -#undef poly_compress_d11_avx2 -#undef poly_compress_d4_avx2 -#undef poly_compress_d5_avx2 -#undef poly_decompress_d10_avx2 -#undef poly_decompress_d11_avx2 -#undef poly_decompress_d4_avx2 -#undef poly_decompress_d5_avx2 +#undef mlk_basemul_avx2 +#undef mlk_invntt_avx2 +#undef mlk_ntt_avx2 +#undef mlk_nttfrombytes_avx2 +#undef mlk_nttpack_avx2 +#undef mlk_ntttobytes_avx2 +#undef mlk_nttunpack_avx2 +#undef mlk_poly_compress_d10_avx2 +#undef mlk_poly_compress_d11_avx2 +#undef mlk_poly_compress_d4_avx2 +#undef mlk_poly_compress_d5_avx2 +#undef mlk_poly_decompress_d10_avx2 +#undef mlk_poly_decompress_d11_avx2 +#undef mlk_poly_decompress_d4_avx2 +#undef mlk_poly_decompress_d5_avx2 #undef polyvec_basemul_acc_montgomery_cached_avx2 -#undef reduce_avx2 -#undef rej_uniform_avx2 -#undef rej_uniform_table -#undef tomont_avx2 +#undef mlk_reduce_avx2 +#undef mlk_rej_uniform_avx2 +#undef mlk_rej_uniform_table +#undef mlk_tomont_avx2 /* mlkem/native/x86_64/src/consts.h */ #undef MLK_AVX2_BACKEND_DATA_OFFSET_16XFHI #undef MLK_AVX2_BACKEND_DATA_OFFSET_16XFLO @@ -661,7 +661,7 @@ #undef MLK_AVX2_BACKEND_DATA_OFFSET_REVIDXD #undef MLK_AVX2_BACKEND_DATA_OFFSET_ZETAS_EXP #undef MLK_NATIVE_X86_64_SRC_CONSTS_H -#undef qdata +#undef mlk_qdata /* mlkem/native/x86_64/src/default_impl.h */ #undef MLK_ARITH_PROFILE_IMPL_H #undef MLK_NATIVE_X86_64_SRC_DEFAULT_IMPL_H diff --git a/mlkem/compress.c b/mlkem/compress.c index e218d00d0..80b161bff 100644 --- a/mlkem/compress.c +++ b/mlkem/compress.c @@ -16,7 +16,7 @@ #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || (MLKEM_K == 2 || MLKEM_K == 3) #if !defined(MLK_USE_NATIVE_POLY_COMPRESS_D4) MLK_INTERNAL_API -void poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const poly *a) +void mlk_poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const mlk_poly *a) { unsigned i; debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); @@ -31,7 +31,7 @@ void poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const poly *a) invariant(i <= MLKEM_N / 8 && j <= 8) invariant(array_bound(t, 0, j, 0, 16))) { - t[j] = scalar_compress_d4(a->coeffs[8 * i + j]); + t[j] = mlk_scalar_compress_d4(a->coeffs[8 * i + j]); } r[i * 4] = t[0] | (t[1] << 4); @@ -42,7 +42,7 @@ void poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const poly *a) } #else /* MLK_USE_NATIVE_POLY_COMPRESS_D4 */ MLK_INTERNAL_API -void poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const poly *a) +void mlk_poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const mlk_poly *a) { debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); poly_compress_d4_native(r, a->coeffs); @@ -51,7 +51,7 @@ void poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const poly *a) #if !defined(MLK_USE_NATIVE_POLY_COMPRESS_D10) MLK_INTERNAL_API -void poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const poly *a) +void mlk_poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const mlk_poly *a) { unsigned j; debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); @@ -65,7 +65,7 @@ void poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const poly *a) invariant(k <= 4) invariant(forall(r, 0, k, t[r] < (1u << 10)))) { - t[k] = scalar_compress_d10(a->coeffs[4 * j + k]); + t[k] = mlk_scalar_compress_d10(a->coeffs[4 * j + k]); } /* @@ -81,7 +81,7 @@ void poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const poly *a) } #else /* MLK_USE_NATIVE_POLY_COMPRESS_D10 */ MLK_INTERNAL_API -void poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const poly *a) +void mlk_poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const mlk_poly *a) { debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); poly_compress_d10_native(r, a->coeffs); @@ -90,7 +90,7 @@ void poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const poly *a) #if !defined(MLK_USE_NATIVE_POLY_DECOMPRESS_D4) MLK_INTERNAL_API -void poly_decompress_d4(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]) +void mlk_poly_decompress_d4(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]) { unsigned i; for (i = 0; i < MLKEM_N / 2; i++) @@ -98,15 +98,15 @@ void poly_decompress_d4(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]) invariant(i <= MLKEM_N / 2) invariant(array_bound(r->coeffs, 0, 2 * i, 0, MLKEM_Q))) { - r->coeffs[2 * i + 0] = scalar_decompress_d4((a[i] >> 0) & 0xF); - r->coeffs[2 * i + 1] = scalar_decompress_d4((a[i] >> 4) & 0xF); + r->coeffs[2 * i + 0] = mlk_scalar_decompress_d4((a[i] >> 0) & 0xF); + r->coeffs[2 * i + 1] = mlk_scalar_decompress_d4((a[i] >> 4) & 0xF); } debug_assert_bound(r, MLKEM_N, 0, MLKEM_Q); } #else /* MLK_USE_NATIVE_POLY_DECOMPRESS_D4 */ MLK_INTERNAL_API -void poly_decompress_d4(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]) +void mlk_poly_decompress_d4(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]) { poly_decompress_d4_native(r->coeffs, a); debug_assert_bound(r, MLKEM_N, 0, MLKEM_Q); @@ -115,7 +115,7 @@ void poly_decompress_d4(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]) #if !defined(MLK_USE_NATIVE_POLY_DECOMPRESS_D10) MLK_INTERNAL_API -void poly_decompress_d10(poly *r, +void mlk_poly_decompress_d10(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D10]) { unsigned j; @@ -138,7 +138,7 @@ void poly_decompress_d10(poly *r, invariant(k <= 4) invariant(array_bound(r->coeffs, 0, 4 * j + k, 0, MLKEM_Q))) { - r->coeffs[4 * j + k] = scalar_decompress_d10(t[k]); + r->coeffs[4 * j + k] = mlk_scalar_decompress_d10(t[k]); } } @@ -146,7 +146,7 @@ void poly_decompress_d10(poly *r, } #else /* MLK_USE_NATIVE_POLY_DECOMPRESS_D10 */ MLK_INTERNAL_API -void poly_decompress_d10(poly *r, +void mlk_poly_decompress_d10(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D10]) { poly_decompress_d10_native(r->coeffs, a); @@ -159,7 +159,7 @@ void poly_decompress_d10(poly *r, #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || MLKEM_K == 4 #if !defined(MLK_USE_NATIVE_POLY_COMPRESS_D5) MLK_INTERNAL_API -void poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const poly *a) +void mlk_poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const mlk_poly *a) { unsigned i; debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); @@ -174,7 +174,7 @@ void poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const poly *a) invariant(i <= MLKEM_N / 8 && j <= 8) invariant(array_bound(t, 0, j, 0, 32))) { - t[j] = scalar_compress_d5(a->coeffs[8 * i + j]); + t[j] = mlk_scalar_compress_d5(a->coeffs[8 * i + j]); } /* @@ -191,7 +191,7 @@ void poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const poly *a) } #else /* MLK_USE_NATIVE_POLY_COMPRESS_D5 */ MLK_INTERNAL_API -void poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const poly *a) +void mlk_poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const mlk_poly *a) { debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); poly_compress_d5_native(r, a->coeffs); @@ -200,7 +200,7 @@ void poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const poly *a) #if !defined(MLK_USE_NATIVE_POLY_COMPRESS_D11) MLK_INTERNAL_API -void poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const poly *a) +void mlk_poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const mlk_poly *a) { unsigned j; debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); @@ -215,7 +215,7 @@ void poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const poly *a) invariant(k <= 8) invariant(forall(r, 0, k, t[r] < (1u << 11)))) { - t[k] = scalar_compress_d11(a->coeffs[8 * j + k]); + t[k] = mlk_scalar_compress_d11(a->coeffs[8 * j + k]); } /* @@ -237,7 +237,7 @@ void poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const poly *a) } #else /* MLK_USE_NATIVE_POLY_COMPRESS_D11 */ MLK_INTERNAL_API -void poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const poly *a) +void mlk_poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const mlk_poly *a) { debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); poly_compress_d11_native(r, a->coeffs); @@ -246,7 +246,7 @@ void poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const poly *a) #if !defined(MLK_USE_NATIVE_POLY_DECOMPRESS_D5) MLK_INTERNAL_API -void poly_decompress_d5(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) +void mlk_poly_decompress_d5(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) { unsigned i; for (i = 0; i < MLKEM_N / 8; i++) @@ -282,7 +282,7 @@ void poly_decompress_d5(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) invariant(j <= 8 && i <= MLKEM_N / 8) invariant(array_bound(r->coeffs, 0, 8 * i + j, 0, MLKEM_Q))) { - r->coeffs[8 * i + j] = scalar_decompress_d5(t[j]); + r->coeffs[8 * i + j] = mlk_scalar_decompress_d5(t[j]); } } @@ -290,7 +290,7 @@ void poly_decompress_d5(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) } #else /* MLK_USE_NATIVE_POLY_DECOMPRESS_D5 */ MLK_INTERNAL_API -void poly_decompress_d5(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) +void mlk_poly_decompress_d5(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) { poly_decompress_d5_native(r->coeffs, a); debug_assert_bound(r, MLKEM_N, 0, MLKEM_Q); @@ -299,7 +299,7 @@ void poly_decompress_d5(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) #if !defined(MLK_USE_NATIVE_POLY_DECOMPRESS_D11) MLK_INTERNAL_API -void poly_decompress_d11(poly *r, +void mlk_poly_decompress_d11(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D11]) { unsigned j; @@ -327,7 +327,7 @@ void poly_decompress_d11(poly *r, invariant(k <= 8) invariant(array_bound(r->coeffs, 0, 8 * j + k, 0, MLKEM_Q))) { - r->coeffs[8 * j + k] = scalar_decompress_d11(t[k]); + r->coeffs[8 * j + k] = mlk_scalar_decompress_d11(t[k]); } } @@ -335,7 +335,7 @@ void poly_decompress_d11(poly *r, } #else /* MLK_USE_NATIVE_POLY_DECOMPRESS_D11 */ MLK_INTERNAL_API -void poly_decompress_d11(poly *r, +void mlk_poly_decompress_d11(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D11]) { poly_decompress_d11_native(r->coeffs, a); @@ -347,7 +347,7 @@ void poly_decompress_d11(poly *r, #if !defined(MLK_USE_NATIVE_POLY_TOBYTES) MLK_INTERNAL_API -void poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const poly *a) +void mlk_poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const mlk_poly *a) { unsigned i; debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); @@ -379,7 +379,7 @@ void poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const poly *a) } #else /* MLK_USE_NATIVE_POLY_TOBYTES */ MLK_INTERNAL_API -void poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const poly *a) +void mlk_poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const mlk_poly *a) { debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); poly_tobytes_native(r, a->coeffs); @@ -388,7 +388,7 @@ void poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const poly *a) #if !defined(MLK_USE_NATIVE_POLY_FROMBYTES) MLK_INTERNAL_API -void poly_frombytes(poly *r, const uint8_t a[MLKEM_POLYBYTES]) +void mlk_poly_frombytes(mlk_poly *r, const uint8_t a[MLKEM_POLYBYTES]) { unsigned i; for (i = 0; i < MLKEM_N / 2; i++) @@ -408,14 +408,14 @@ void poly_frombytes(poly *r, const uint8_t a[MLKEM_POLYBYTES]) } #else /* MLK_USE_NATIVE_POLY_FROMBYTES */ MLK_INTERNAL_API -void poly_frombytes(poly *r, const uint8_t a[MLKEM_POLYBYTES]) +void mlk_poly_frombytes(mlk_poly *r, const uint8_t a[MLKEM_POLYBYTES]) { poly_frombytes_native(r->coeffs, a); } #endif /* MLK_USE_NATIVE_POLY_FROMBYTES */ MLK_INTERNAL_API -void poly_frommsg(poly *r, const uint8_t msg[MLKEM_INDCPA_MSGBYTES]) +void mlk_poly_frommsg(mlk_poly *r, const uint8_t msg[MLKEM_INDCPA_MSGBYTES]) { unsigned i; #if (MLKEM_INDCPA_MSGBYTES != MLKEM_N / 8) @@ -434,15 +434,15 @@ void poly_frommsg(poly *r, const uint8_t msg[MLKEM_INDCPA_MSGBYTES]) invariant(array_bound(r->coeffs, 0, 8 * i + j, 0, MLKEM_Q))) { /* Prevent the compiler from recognizing this as a bit selection */ - uint8_t mask = value_barrier_u8(1u << j); - r->coeffs[8 * i + j] = ct_sel_int16(MLKEM_Q_HALF, 0, msg[i] & mask); + uint8_t mask = mlk_value_barrier_u8(1u << j); + r->coeffs[8 * i + j] = mlk_ct_sel_int16(MLKEM_Q_HALF, 0, msg[i] & mask); } } debug_assert_abs_bound(r, MLKEM_N, MLKEM_Q); } MLK_INTERNAL_API -void poly_tomsg(uint8_t msg[MLKEM_INDCPA_MSGBYTES], const poly *a) +void mlk_poly_tomsg(uint8_t msg[MLKEM_INDCPA_MSGBYTES], const mlk_poly *a) { unsigned i; debug_assert_bound(a, MLKEM_N, 0, MLKEM_Q); @@ -456,7 +456,7 @@ void poly_tomsg(uint8_t msg[MLKEM_INDCPA_MSGBYTES], const poly *a) __loop__( invariant(i <= MLKEM_N / 8 && j <= 8)) { - uint32_t t = scalar_compress_d1(a->coeffs[8 * i + j]); + uint32_t t = mlk_scalar_compress_d1(a->coeffs[8 * i + j]); msg[i] |= t << j; } } diff --git a/mlkem/compress.h b/mlkem/compress.h index 9eb710da6..814ae91ab 100644 --- a/mlkem/compress.h +++ b/mlkem/compress.h @@ -17,19 +17,19 @@ * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define scalar_compress_d1 MLK_NAMESPACE(scalar_compress_d1) -#define scalar_compress_d4 MLK_NAMESPACE(scalar_compress_d4) -#define scalar_compress_d5 MLK_NAMESPACE(scalar_compress_d5) -#define scalar_compress_d10 MLK_NAMESPACE(scalar_compress_d10) -#define scalar_compress_d11 MLK_NAMESPACE(scalar_compress_d11) -#define scalar_decompress_d4 MLK_NAMESPACE(scalar_decompress_d4) -#define scalar_decompress_d5 MLK_NAMESPACE(scalar_decompress_d5) -#define scalar_decompress_d10 MLK_NAMESPACE(scalar_decompress_d10) -#define scalar_decompress_d11 MLK_NAMESPACE(scalar_decompress_d11) +#define mlk_scalar_compress_d1 MLK_NAMESPACE(scalar_compress_d1) +#define mlk_scalar_compress_d4 MLK_NAMESPACE(scalar_compress_d4) +#define mlk_scalar_compress_d5 MLK_NAMESPACE(scalar_compress_d5) +#define mlk_scalar_compress_d10 MLK_NAMESPACE(scalar_compress_d10) +#define mlk_scalar_compress_d11 MLK_NAMESPACE(scalar_compress_d11) +#define mlk_scalar_decompress_d4 MLK_NAMESPACE(scalar_decompress_d4) +#define mlk_scalar_decompress_d5 MLK_NAMESPACE(scalar_decompress_d5) +#define mlk_scalar_decompress_d10 MLK_NAMESPACE(scalar_decompress_d10) +#define mlk_scalar_decompress_d11 MLK_NAMESPACE(scalar_decompress_d11) /* End of static namespacing */ /************************************************************ - * Name: scalar_compress_d1 + * Name: mlk_scalar_compress_d1 * * Description: Computes round(u * 2 / q) * @@ -47,7 +47,7 @@ #pragma CPROVER check push #pragma CPROVER check disable "unsigned-overflow" #endif -static MLK_INLINE uint32_t scalar_compress_d1(uint16_t u) +static MLK_INLINE uint32_t mlk_scalar_compress_d1(uint16_t u) __contract__( requires(u <= MLKEM_Q - 1) ensures(return_value < 2) @@ -64,7 +64,7 @@ __contract__( #endif /************************************************************ - * Name: scalar_compress_d4 + * Name: mlk_scalar_compress_d4 * * Description: Computes round(u * 16 / q) % 16 * @@ -82,7 +82,7 @@ __contract__( #pragma CPROVER check push #pragma CPROVER check disable "unsigned-overflow" #endif -static MLK_INLINE uint32_t scalar_compress_d4(uint16_t u) +static MLK_INLINE uint32_t mlk_scalar_compress_d4(uint16_t u) __contract__( requires(u <= MLKEM_Q - 1) ensures(return_value < 16) @@ -96,7 +96,7 @@ __contract__( #endif /************************************************************ - * Name: scalar_decompress_d4 + * Name: mlk_scalar_decompress_d4 * * Description: Computes round(u * q / 16) * @@ -106,14 +106,14 @@ __contract__( * Arguments: - u: Unsigned canonical modulus modulo 16 * to be decompressed. ************************************************************/ -static MLK_INLINE uint16_t scalar_decompress_d4(uint32_t u) +static MLK_INLINE uint16_t mlk_scalar_decompress_d4(uint32_t u) __contract__( requires(0 <= u && u < 16) ensures(return_value <= (MLKEM_Q - 1)) ) { return ((u * MLKEM_Q) + 8) >> 4; } /************************************************************ - * Name: scalar_compress_d5 + * Name: mlk_scalar_compress_d5 * * Description: Computes round(u * 32 / q) % 32 * @@ -131,7 +131,7 @@ __contract__( #pragma CPROVER check push #pragma CPROVER check disable "unsigned-overflow" #endif -static MLK_INLINE uint32_t scalar_compress_d5(uint16_t u) +static MLK_INLINE uint32_t mlk_scalar_compress_d5(uint16_t u) __contract__( requires(u <= MLKEM_Q - 1) ensures(return_value < 32) @@ -145,7 +145,7 @@ __contract__( #endif /************************************************************ - * Name: scalar_decompress_d5 + * Name: mlk_scalar_decompress_d5 * * Description: Computes round(u * q / 32) * @@ -155,14 +155,14 @@ __contract__( * Arguments: - u: Unsigned canonical modulus modulo 32 * to be decompressed. ************************************************************/ -static MLK_INLINE uint16_t scalar_decompress_d5(uint32_t u) +static MLK_INLINE uint16_t mlk_scalar_decompress_d5(uint32_t u) __contract__( requires(0 <= u && u < 32) ensures(return_value <= MLKEM_Q - 1) ) { return ((u * MLKEM_Q) + 16) >> 5; } /************************************************************ - * Name: scalar_compress_d10 + * Name: mlk_scalar_compress_d10 * * Description: Computes round(u * 2**10 / q) % 2**10 * @@ -180,7 +180,7 @@ __contract__( #pragma CPROVER check push #pragma CPROVER check disable "unsigned-overflow" #endif -static MLK_INLINE uint32_t scalar_compress_d10(uint16_t u) +static MLK_INLINE uint32_t mlk_scalar_compress_d10(uint16_t u) __contract__( requires(u <= MLKEM_Q - 1) ensures(return_value < (1u << 10)) @@ -195,7 +195,7 @@ __contract__( #endif /************************************************************ - * Name: scalar_decompress_d10 + * Name: mlk_scalar_decompress_d10 * * Description: Computes round(u * q / 1024) * @@ -205,14 +205,14 @@ __contract__( * Arguments: - u: Unsigned canonical modulus modulo 16 * to be decompressed. ************************************************************/ -static MLK_INLINE uint16_t scalar_decompress_d10(uint32_t u) +static MLK_INLINE uint16_t mlk_scalar_decompress_d10(uint32_t u) __contract__( requires(0 <= u && u < 1024) ensures(return_value <= (MLKEM_Q - 1)) ) { return ((u * MLKEM_Q) + 512) >> 10; } /************************************************************ - * Name: scalar_compress_d11 + * Name: mlk_scalar_compress_d11 * * Description: Computes round(u * 2**11 / q) % 2**11 * @@ -230,7 +230,7 @@ __contract__( #pragma CPROVER check push #pragma CPROVER check disable "unsigned-overflow" #endif -static MLK_INLINE uint32_t scalar_compress_d11(uint16_t u) +static MLK_INLINE uint32_t mlk_scalar_compress_d11(uint16_t u) __contract__( requires(u <= MLKEM_Q - 1) ensures(return_value < (1u << 11)) @@ -245,7 +245,7 @@ __contract__( #endif /************************************************************ - * Name: scalar_decompress_d11 + * Name: mlk_scalar_decompress_d11 * * Description: Computes round(u * q / 1024) * @@ -255,53 +255,53 @@ __contract__( * Arguments: - u: Unsigned canonical modulus modulo 16 * to be decompressed. ************************************************************/ -static MLK_INLINE uint16_t scalar_decompress_d11(uint32_t u) +static MLK_INLINE uint16_t mlk_scalar_decompress_d11(uint32_t u) __contract__( requires(0 <= u && u < 2048) ensures(return_value <= (MLKEM_Q - 1)) ) { return ((u * MLKEM_Q) + 1024) >> 11; } #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || (MLKEM_K == 2 || MLKEM_K == 3) -#define poly_compress_d4 MLK_NAMESPACE(poly_compress_d4) +#define mlk_poly_compress_d4 MLK_NAMESPACE(poly_compress_d4) /************************************************* - * Name: poly_compress_d4 + * Name: mlk_poly_compress_d4 * * Description: Compression (4 bits) and subsequent serialization of a * polynomial * * Arguments: - uint8_t *r: pointer to output byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_D4 bytes) - * - const poly *a: pointer to input polynomial + * - const mlk_poly *a: pointer to input polynomial * Coefficients must be unsigned canonical, * i.e. in [0,1,..,MLKEM_Q-1]. **************************************************/ MLK_INTERNAL_API -void poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const poly *a); +void mlk_poly_compress_d4(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const mlk_poly *a); -#define poly_compress_d10 MLK_NAMESPACE(poly_compress_d10) +#define mlk_poly_compress_d10 MLK_NAMESPACE(poly_compress_d10) /************************************************* - * Name: poly_compress_d10 + * Name: mlk_poly_compress_d10 * * Description: Compression (10 bits) and subsequent serialization of a * polynomial * * Arguments: - uint8_t *r: pointer to output byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_D10 bytes) - * - const poly *a: pointer to input polynomial + * - const mlk_poly *a: pointer to input polynomial * Coefficients must be unsigned canonical, * i.e. in [0,1,..,MLKEM_Q-1]. **************************************************/ MLK_INTERNAL_API -void poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const poly *a); +void mlk_poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const mlk_poly *a); -#define poly_decompress_d4 MLK_NAMESPACE(poly_decompress_d4) +#define mlk_poly_decompress_d4 MLK_NAMESPACE(poly_decompress_d4) /************************************************* - * Name: poly_decompress_d4 + * Name: mlk_poly_decompress_d4 * * Description: De-serialization and subsequent decompression (dv bits) of a * polynomial; approximate inverse of poly_compress * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *a: pointer to input byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_D4 bytes) * @@ -310,16 +310,16 @@ void poly_compress_d10(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const poly *a); * **************************************************/ MLK_INTERNAL_API -void poly_decompress_d4(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]); +void mlk_poly_decompress_d4(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]); -#define poly_decompress_d10 MLK_NAMESPACE(poly_decompress_d10) +#define mlk_poly_decompress_d10 MLK_NAMESPACE(poly_decompress_d10) /************************************************* - * Name: poly_decompress_d10 + * Name: mlk_poly_decompress_d10 * * Description: De-serialization and subsequent decompression (10 bits) of a - * polynomial; approximate inverse of poly_compress_d10 + * polynomial; approximate inverse of mlk_poly_compress_d10 * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *a: pointer to input byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_D10 bytes) * @@ -328,52 +328,52 @@ void poly_decompress_d4(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]); * **************************************************/ MLK_INTERNAL_API -void poly_decompress_d10(poly *r, +void mlk_poly_decompress_d10(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D10]); #endif /* defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || (MLKEM_K == 2 \ || MLKEM_K == 3) */ #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || MLKEM_K == 4 -#define poly_compress_d5 MLK_NAMESPACE(poly_compress_d5) +#define mlk_poly_compress_d5 MLK_NAMESPACE(poly_compress_d5) /************************************************* - * Name: poly_compress_d5 + * Name: mlk_poly_compress_d5 * * Description: Compression (5 bits) and subsequent serialization of a * polynomial * * Arguments: - uint8_t *r: pointer to output byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_D5 bytes) - * - const poly *a: pointer to input polynomial + * - const mlk_poly *a: pointer to input polynomial * Coefficients must be unsigned canonical, * i.e. in [0,1,..,MLKEM_Q-1]. **************************************************/ MLK_INTERNAL_API -void poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const poly *a); +void mlk_poly_compress_d5(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const mlk_poly *a); -#define poly_compress_d11 MLK_NAMESPACE(poly_compress_d11) +#define mlk_poly_compress_d11 MLK_NAMESPACE(poly_compress_d11) /************************************************* - * Name: poly_compress_d11 + * Name: mlk_poly_compress_d11 * * Description: Compression (11 bits) and subsequent serialization of a * polynomial * * Arguments: - uint8_t *r: pointer to output byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_D11 bytes) - * - const poly *a: pointer to input polynomial + * - const mlk_poly *a: pointer to input polynomial * Coefficients must be unsigned canonical, * i.e. in [0,1,..,MLKEM_Q-1]. **************************************************/ MLK_INTERNAL_API -void poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const poly *a); +void mlk_poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const mlk_poly *a); -#define poly_decompress_d5 MLK_NAMESPACE(poly_decompress_d5) +#define mlk_poly_decompress_d5 MLK_NAMESPACE(poly_decompress_d5) /************************************************* - * Name: poly_decompress_d5 + * Name: mlk_poly_decompress_d5 * * Description: De-serialization and subsequent decompression (dv bits) of a * polynomial; approximate inverse of poly_compress * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *a: pointer to input byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_D5 bytes) * @@ -382,16 +382,16 @@ void poly_compress_d11(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const poly *a); * **************************************************/ MLK_INTERNAL_API -void poly_decompress_d5(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]); +void mlk_poly_decompress_d5(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]); -#define poly_decompress_d11 MLK_NAMESPACE(poly_decompress_d11) +#define mlk_poly_decompress_d11 MLK_NAMESPACE(poly_decompress_d11) /************************************************* - * Name: poly_decompress_d11 + * Name: mlk_poly_decompress_d11 * * Description: De-serialization and subsequent decompression (11 bits) of a - * polynomial; approximate inverse of poly_compress_d11 + * polynomial; approximate inverse of mlk_poly_compress_d11 * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *a: pointer to input byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_D11 bytes) * @@ -400,14 +400,14 @@ void poly_decompress_d5(poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]); * **************************************************/ MLK_INTERNAL_API -void poly_decompress_d11(poly *r, +void mlk_poly_decompress_d11(mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D11]); #endif /* defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || MLKEM_K == 4 \ */ -#define poly_tobytes MLK_NAMESPACE(poly_tobytes) +#define mlk_poly_tobytes MLK_NAMESPACE(poly_tobytes) /************************************************* - * Name: poly_tobytes + * Name: mlk_poly_tobytes * * Description: Serialization of a polynomial. * Signed coefficients are converted to @@ -421,18 +421,18 @@ void poly_decompress_d11(poly *r, * (of MLKEM_POLYBYTES bytes) **************************************************/ MLK_INTERNAL_API -void poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const poly *a) +void mlk_poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const mlk_poly *a) __contract__( requires(memory_no_alias(r, MLKEM_POLYBYTES)) - requires(memory_no_alias(a, sizeof(poly))) + requires(memory_no_alias(a, sizeof(mlk_poly))) requires(array_bound(a->coeffs, 0, MLKEM_N, 0, MLKEM_Q)) assigns(object_whole(r)) ); -#define poly_frombytes MLK_NAMESPACE(poly_frombytes) +#define mlk_poly_frombytes MLK_NAMESPACE(poly_frombytes) /************************************************* - * Name: poly_frombytes + * Name: mlk_poly_frombytes * * Description: De-serialization of a polynomial. * @@ -445,48 +445,48 @@ __contract__( * 0 .. 4095 **************************************************/ MLK_INTERNAL_API -void poly_frombytes(poly *r, const uint8_t a[MLKEM_POLYBYTES]) +void mlk_poly_frombytes(mlk_poly *r, const uint8_t a[MLKEM_POLYBYTES]) __contract__( requires(memory_no_alias(a, MLKEM_POLYBYTES)) - requires(memory_no_alias(r, sizeof(poly))) - assigns(memory_slice(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ensures(array_bound(r->coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)) ); -#define poly_frommsg MLK_NAMESPACE(poly_frommsg) +#define mlk_poly_frommsg MLK_NAMESPACE(poly_frommsg) /************************************************* - * Name: poly_frommsg + * Name: mlk_poly_frommsg * * Description: Convert 32-byte message to polynomial * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *msg: pointer to input message **************************************************/ MLK_INTERNAL_API -void poly_frommsg(poly *r, const uint8_t msg[MLKEM_INDCPA_MSGBYTES]) +void mlk_poly_frommsg(mlk_poly *r, const uint8_t msg[MLKEM_INDCPA_MSGBYTES]) __contract__( requires(memory_no_alias(msg, MLKEM_INDCPA_MSGBYTES)) - requires(memory_no_alias(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) assigns(object_whole(r)) ensures(array_bound(r->coeffs, 0, MLKEM_N, 0, MLKEM_Q)) ); -#define poly_tomsg MLK_NAMESPACE(poly_tomsg) +#define mlk_poly_tomsg MLK_NAMESPACE(poly_tomsg) /************************************************* - * Name: poly_tomsg + * Name: mlk_poly_tomsg * * Description: Convert polynomial to 32-byte message * * Arguments: - uint8_t *msg: pointer to output message - * - const poly *r: pointer to input polynomial + * - const mlk_poly *r: pointer to input polynomial * Coefficients must be unsigned canonical **************************************************/ MLK_INTERNAL_API -void poly_tomsg(uint8_t msg[MLKEM_INDCPA_MSGBYTES], const poly *r) +void mlk_poly_tomsg(uint8_t msg[MLKEM_INDCPA_MSGBYTES], const mlk_poly *r) __contract__( requires(memory_no_alias(msg, MLKEM_INDCPA_MSGBYTES)) - requires(memory_no_alias(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) requires(array_bound(r->coeffs, 0, MLKEM_N, 0, MLKEM_Q)) assigns(object_whole(msg)) ); diff --git a/mlkem/config.h b/mlkem/config.h index 3e92722a0..ee3ce38fa 100644 --- a/mlkem/config.h +++ b/mlkem/config.h @@ -81,7 +81,7 @@ * in the build, including code needed only for other security * levels. * - * Example: poly_cbd3 is only needed for MLKEM_K == 2. Yet, if + * Example: mlk_poly_cbd3 is only needed for MLKEM_K == 2. Yet, if * this option is set for a build with MLKEM_K==3/4, it would * be included. * diff --git a/mlkem/debug.c b/mlkem/debug.c index 66fed302e..360ba995d 100644 --- a/mlkem/debug.c +++ b/mlkem/debug.c @@ -16,7 +16,7 @@ #define MLK_DEBUG_ERROR_HEADER "[ERROR:%s:%04d] " -void mlkem_debug_assert(const char *file, int line, const int val) +void mlk_mlkem_debug_assert(const char *file, int line, const int val) { if (val == 0) { @@ -26,7 +26,7 @@ void mlkem_debug_assert(const char *file, int line, const int val) } } -void mlkem_debug_check_bounds(const char *file, int line, const int16_t *ptr, +void mlk_mlkem_debug_check_bounds(const char *file, int line, const int16_t *ptr, unsigned len, int lower_bound_exclusive, int upper_bound_exclusive) { diff --git a/mlkem/debug.h b/mlkem/debug.h index 6623aa2a5..7b124d463 100644 --- a/mlkem/debug.h +++ b/mlkem/debug.h @@ -10,7 +10,7 @@ #include /************************************************* - * Name: mlkem_debug_assert + * Name: mlk_mlkem_debug_assert * * Description: Check debug assertion * @@ -21,11 +21,11 @@ * - line: line number * - val: Value asserted to be non-zero **************************************************/ -#define mlkem_debug_assert MLK_NAMESPACE(mlkem_debug_assert) -void mlkem_debug_assert(const char *file, int line, const int val); +#define mlk_mlkem_debug_assert MLK_NAMESPACE(mlkem_debug_assert) +void mlk_mlkem_debug_assert(const char *file, int line, const int val); /************************************************* - * Name: mlkem_debug_check_bounds + * Name: mlk_mlkem_debug_check_bounds * * Description: Check whether values in an array of int16_t * are within specified bounds. @@ -40,8 +40,8 @@ void mlkem_debug_assert(const char *file, int line, const int val); * - lower_bound_exclusive: Exclusive lower bound * - upper_bound_exclusive: Exclusive upper bound **************************************************/ -#define mlkem_debug_check_bounds MLK_NAMESPACE(mlkem_debug_check_bounds) -void mlkem_debug_check_bounds(const char *file, int line, const int16_t *ptr, +#define mlk_mlkem_debug_check_bounds MLK_NAMESPACE(mlkem_debug_check_bounds) +void mlk_mlkem_debug_check_bounds(const char *file, int line, const int16_t *ptr, unsigned len, int lower_bound_exclusive, int upper_bound_exclusive); @@ -49,16 +49,16 @@ void mlkem_debug_check_bounds(const char *file, int line, const int16_t *ptr, * * val: Value that's asserted to be non-zero */ -#define debug_assert(val) mlkem_debug_assert(__FILE__, __LINE__, (val)) +#define debug_assert(val) mlk_mlkem_debug_assert(__FILE__, __LINE__, (val)) /* Check bounds in array of int16_t's * ptr: Base of int16_t array; will be explicitly cast to int16_t*, - * so you may pass a byte-compatible type such as poly or polyvec. + * so you may pass a byte-compatible type such as mlk_poly or polyvec. * len: Number of int16_t in array * value_lb: Inclusive lower value bound * value_ub: Exclusive upper value bound */ #define debug_assert_bound(ptr, len, value_lb, value_ub) \ - mlkem_debug_check_bounds(__FILE__, __LINE__, (const int16_t *)(ptr), (len), \ + mlk_mlkem_debug_check_bounds(__FILE__, __LINE__, (const int16_t *)(ptr), (len), \ (value_lb)-1, (value_ub)) /* Check absolute bounds in array of int16_t's diff --git a/mlkem/fips202/fips202.c b/mlkem/fips202/fips202.c index c58bdc5af..65b89acc6 100644 --- a/mlkem/fips202/fips202.c +++ b/mlkem/fips202/fips202.c @@ -24,13 +24,13 @@ * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define keccak_absorb_once MLK_NAMESPACE(keccak_absorb_once) -#define keccak_squeeze_once MLK_NAMESPACE(keccak_squeeze_once) -#define keccak_squeezeblocks MLK_NAMESPACE(keccak_squeezeblocks) +#define mlk_keccak_absorb_once MLK_NAMESPACE(keccak_absorb_once) +#define mlk_keccak_squeeze_once MLK_NAMESPACE(keccak_squeeze_once) +#define mlk_keccak_squeezeblocks MLK_NAMESPACE(keccak_squeezeblocks) /* End of static namespacing */ /************************************************* - * Name: keccak_absorb_once + * Name: mlk_keccak_absorb_once * * Description: Absorb step of Keccak; * non-incremental, starts by zeroeing the state. @@ -45,7 +45,7 @@ * - uint8_t p: domain-separation byte for different * Keccak-derived functions **************************************************/ -static void keccak_absorb_once(uint64_t *s, uint32_t r, const uint8_t *m, +static void mlk_keccak_absorb_once(uint64_t *s, uint32_t r, const uint8_t *m, size_t mlen, uint8_t p) __contract__( requires(r <= sizeof(uint64_t) * KECCAK_LANES) @@ -92,7 +92,7 @@ __contract__( } /************************************************* - * Name: keccak_squeezeblocks + * Name: mlk_keccak_squeezeblocks * * Description: block-level Keccak squeeze * @@ -101,7 +101,7 @@ __contract__( * - uint64_t *s_inc: pointer to input/output state * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128) **************************************************/ -static void keccak_squeezeblocks(uint8_t *h, size_t nblocks, uint64_t *s, +static void mlk_keccak_squeezeblocks(uint8_t *h, size_t nblocks, uint64_t *s, uint32_t r) __contract__( requires(r <= sizeof(uint64_t) * KECCAK_LANES) @@ -127,7 +127,7 @@ __contract__( } /************************************************* - * Name: keccak_squeeze_once + * Name: mlk_keccak_squeeze_once * * Description: Keccak squeeze; can be called on byte-level * @@ -138,7 +138,7 @@ __contract__( * - uint64_t *s_inc: pointer to Keccak state * - uint32_t r: rate in bytes (e.g., 168 for SHAKE128) **************************************************/ -static void keccak_squeeze_once(uint8_t *h, size_t outlen, uint64_t *s, +static void mlk_keccak_squeeze_once(uint8_t *h, size_t outlen, uint64_t *s, uint32_t r) __contract__( requires(r <= sizeof(uint64_t) * KECCAK_LANES) @@ -175,12 +175,12 @@ __contract__( void shake128_absorb_once(shake128ctx *state, const uint8_t *input, size_t inlen) { - keccak_absorb_once(state->ctx, SHAKE128_RATE, input, inlen, 0x1F); + mlk_keccak_absorb_once(state->ctx, SHAKE128_RATE, input, inlen, 0x1F); } void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) { - keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE); + mlk_keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE); } void shake128_init(shake128ctx *state) { (void)state; } @@ -193,27 +193,27 @@ void shake256(uint8_t *output, size_t outlen, const uint8_t *input, { shake256ctx state; /* Absorb input */ - keccak_absorb_once(state.ctx, SHAKE256_RATE, input, inlen, 0x1F); + mlk_keccak_absorb_once(state.ctx, SHAKE256_RATE, input, inlen, 0x1F); /* Squeeze output */ - keccak_squeeze_once(output, outlen, state.ctx, SHAKE256_RATE); + mlk_keccak_squeeze_once(output, outlen, state.ctx, SHAKE256_RATE); } void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) { uint64_t ctx[25]; /* Absorb input */ - keccak_absorb_once(ctx, SHA3_256_RATE, input, inlen, 0x06); + mlk_keccak_absorb_once(ctx, SHA3_256_RATE, input, inlen, 0x06); /* Squeeze output */ - keccak_squeeze_once(output, 32, ctx, SHA3_256_RATE); + mlk_keccak_squeeze_once(output, 32, ctx, SHA3_256_RATE); } void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen) { uint64_t ctx[25]; /* Absorb input */ - keccak_absorb_once(ctx, SHA3_512_RATE, input, inlen, 0x06); + mlk_keccak_absorb_once(ctx, SHA3_512_RATE, input, inlen, 0x06); /* Squeeze output */ - keccak_squeeze_once(output, 64, ctx, SHA3_512_RATE); + mlk_keccak_squeeze_once(output, 64, ctx, SHA3_512_RATE); } #else /* MLK_MULTILEVEL_BUILD_NO_SHARED */ @@ -224,7 +224,7 @@ MLK_EMPTY_CU(fips202) /* To facilitate single-compilation-unit (SCU) builds, undefine all macros. * Don't modify by hand -- this is auto-generated by scripts/autogen. */ -#undef keccak_absorb_once -#undef keccak_squeeze_once -#undef keccak_squeezeblocks +#undef mlk_keccak_absorb_once +#undef mlk_keccak_squeeze_once +#undef mlk_keccak_squeezeblocks #undef shake256ctx diff --git a/mlkem/fips202/fips202x4.c b/mlkem/fips202/fips202x4.c index bc3b68a2a..e07fb0edd 100644 --- a/mlkem/fips202/fips202x4.c +++ b/mlkem/fips202/fips202x4.c @@ -17,13 +17,13 @@ typedef shake128x4ctx shake256x4_ctx; * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define keccak_absorb_once_x4 MLK_NAMESPACE(keccak_absorb_once_x4) -#define keccak_squeezeblocks_x4 MLK_NAMESPACE(keccak_squeezeblocks_x4) +#define mlk_keccak_absorb_once_x4 MLK_NAMESPACE(keccak_absorb_once_x4) +#define mlk_keccak_squeezeblocks_x4 MLK_NAMESPACE(keccak_squeezeblocks_x4) #define shake256x4_absorb_once MLK_NAMESPACE(shake256x4_absorb_once) #define shake256x4_squeezeblocks MLK_NAMESPACE(shake256x4_squeezeblocks) /* End of static namespacing */ -static void keccak_absorb_once_x4(uint64_t *s, uint32_t r, const uint8_t *in0, +static void mlk_keccak_absorb_once_x4(uint64_t *s, uint32_t r, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen, uint8_t p) __contract__( @@ -72,7 +72,7 @@ __contract__( } } -static void keccak_squeezeblocks_x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, +static void mlk_keccak_squeezeblocks_x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, uint64_t *s, uint32_t r) __contract__( @@ -119,7 +119,7 @@ void shake128x4_absorb_once(shake128x4ctx *state, const uint8_t *in0, const uint8_t *in3, size_t inlen) { memset(state, 0, sizeof(shake128x4ctx)); - keccak_absorb_once_x4(state->ctx, SHAKE128_RATE, in0, in1, in2, in3, inlen, + mlk_keccak_absorb_once_x4(state->ctx, SHAKE128_RATE, in0, in1, in2, in3, inlen, 0x1F); } @@ -127,7 +127,7 @@ void shake128x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, shake128x4ctx *state) { - keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, state->ctx, + mlk_keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, state->ctx, SHAKE128_RATE); } @@ -139,7 +139,7 @@ static void shake256x4_absorb_once(shake256x4_ctx *state, const uint8_t *in0, const uint8_t *in3, size_t inlen) { memset(state, 0, sizeof(shake128x4ctx)); - keccak_absorb_once_x4(state->ctx, SHAKE256_RATE, in0, in1, in2, in3, inlen, + mlk_keccak_absorb_once_x4(state->ctx, SHAKE256_RATE, in0, in1, in2, in3, inlen, 0x1F); } @@ -147,7 +147,7 @@ static void shake256x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, shake256x4_ctx *state) { - keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, state->ctx, + mlk_keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, state->ctx, SHAKE256_RATE); } @@ -191,7 +191,7 @@ MLK_EMPTY_CU(fips202x4) /* To facilitate single-compilation-unit (SCU) builds, undefine all macros. * Don't modify by hand -- this is auto-generated by scripts/autogen. */ #undef shake256x4_ctx -#undef keccak_absorb_once_x4 -#undef keccak_squeezeblocks_x4 +#undef mlk_keccak_absorb_once_x4 +#undef mlk_keccak_squeezeblocks_x4 #undef shake256x4_absorb_once #undef shake256x4_squeezeblocks diff --git a/mlkem/indcpa.c b/mlkem/indcpa.c index ee2431787..236dac8d7 100644 --- a/mlkem/indcpa.c +++ b/mlkem/indcpa.c @@ -26,51 +26,51 @@ * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define pack_pk MLK_NAMESPACE_K(pack_pk) -#define unpack_pk MLK_NAMESPACE_K(unpack_pk) -#define pack_sk MLK_NAMESPACE_K(pack_sk) -#define unpack_sk MLK_NAMESPACE_K(unpack_sk) -#define pack_ciphertext MLK_NAMESPACE_K(pack_ciphertext) -#define unpack_ciphertext MLK_NAMESPACE_K(unpack_ciphertext) -#define matvec_mul MLK_NAMESPACE_K(matvec_mul) +#define mlk_pack_pk MLK_NAMESPACE_K(pack_pk) +#define mlk_unpack_pk MLK_NAMESPACE_K(unpack_pk) +#define mlk_pack_sk MLK_NAMESPACE_K(pack_sk) +#define mlk_unpack_sk MLK_NAMESPACE_K(unpack_sk) +#define mlk_pack_ciphertext MLK_NAMESPACE_K(pack_ciphertext) +#define mlk_unpack_ciphertext MLK_NAMESPACE_K(unpack_ciphertext) +#define mlk_matvec_mul MLK_NAMESPACE_K(matvec_mul) /* End of static namespacing */ /************************************************* - * Name: pack_pk + * Name: mlk_pack_pk * * Description: Serialize the public key as concatenation of the * serialized vector of polynomials pk * and the public seed used to generate the matrix A. * * Arguments: uint8_t *r: pointer to the output serialized public key - * polyvec *pk: pointer to the input public-key polyvec. + * mlk_polyvec *pk: pointer to the input public-key polyvec. * Must have coefficients within [0,..,q-1]. * const uint8_t *seed: pointer to the input public seed **************************************************/ -static void pack_pk(uint8_t r[MLKEM_INDCPA_PUBLICKEYBYTES], polyvec *pk, +static void mlk_pack_pk(uint8_t r[MLKEM_INDCPA_PUBLICKEYBYTES], mlk_polyvec *pk, const uint8_t seed[MLKEM_SYMBYTES]) { debug_assert_bound_2d(pk, MLKEM_K, MLKEM_N, 0, MLKEM_Q); - polyvec_tobytes(r, pk); + mlk_polyvec_tobytes(r, pk); memcpy(r + MLKEM_POLYVECBYTES, seed, MLKEM_SYMBYTES); } /************************************************* - * Name: unpack_pk + * Name: mlk_unpack_pk * * Description: De-serialize public key from a byte array; - * approximate inverse of pack_pk + * approximate inverse of mlk_pack_pk * - * Arguments: - polyvec *pk: pointer to output public-key polynomial vector + * Arguments: - mlk_polyvec *pk: pointer to output public-key polynomial vector * Coefficients will be normalized to [0,..,q-1]. * - uint8_t *seed: pointer to output seed to generate matrix A * - const uint8_t *packedpk: pointer to input serialized public * key. **************************************************/ -static void unpack_pk(polyvec *pk, uint8_t seed[MLKEM_SYMBYTES], +static void mlk_unpack_pk(mlk_polyvec *pk, uint8_t seed[MLKEM_SYMBYTES], const uint8_t packedpk[MLKEM_INDCPA_PUBLICKEYBYTES]) { - polyvec_frombytes(pk, packedpk); + mlk_polyvec_frombytes(pk, packedpk); memcpy(seed, packedpk + MLKEM_POLYVECBYTES, MLKEM_SYMBYTES); /* NOTE: If a modulus check was conducted on the PK, we know at this @@ -80,68 +80,68 @@ static void unpack_pk(polyvec *pk, uint8_t seed[MLKEM_SYMBYTES], } /************************************************* - * Name: pack_sk + * Name: mlk_pack_sk * * Description: Serialize the secret key * * Arguments: - uint8_t *r: pointer to output serialized secret key - * - polyvec *sk: pointer to input vector of polynomials (secret + * - mlk_polyvec *sk: pointer to input vector of polynomials (secret *key) **************************************************/ -static void pack_sk(uint8_t r[MLKEM_INDCPA_SECRETKEYBYTES], polyvec *sk) +static void mlk_pack_sk(uint8_t r[MLKEM_INDCPA_SECRETKEYBYTES], mlk_polyvec *sk) { debug_assert_bound_2d(sk, MLKEM_K, MLKEM_N, 0, MLKEM_Q); - polyvec_tobytes(r, sk); + mlk_polyvec_tobytes(r, sk); } /************************************************* - * Name: unpack_sk + * Name: mlk_unpack_sk * - * Description: De-serialize the secret key; inverse of pack_sk + * Description: De-serialize the secret key; inverse of mlk_pack_sk * - * Arguments: - polyvec *sk: pointer to output vector of polynomials (secret + * Arguments: - mlk_polyvec *sk: pointer to output vector of polynomials (secret * key) * - const uint8_t *packedsk: pointer to input serialized secret * key **************************************************/ -static void unpack_sk(polyvec *sk, +static void mlk_unpack_sk(mlk_polyvec *sk, const uint8_t packedsk[MLKEM_INDCPA_SECRETKEYBYTES]) { - polyvec_frombytes(sk, packedsk); + mlk_polyvec_frombytes(sk, packedsk); } /************************************************* - * Name: pack_ciphertext + * Name: mlk_pack_ciphertext * * Description: Serialize the ciphertext as concatenation of the * compressed and serialized vector of polynomials b * and the compressed and serialized polynomial v * * Arguments: uint8_t *r: pointer to the output serialized ciphertext - * poly *pk: pointer to the input vector of polynomials b - * poly *v: pointer to the input polynomial v + * mlk_poly *pk: pointer to the input vector of polynomials b + * mlk_poly *v: pointer to the input polynomial v **************************************************/ -static void pack_ciphertext(uint8_t r[MLKEM_INDCPA_BYTES], polyvec *b, poly *v) +static void mlk_pack_ciphertext(uint8_t r[MLKEM_INDCPA_BYTES], mlk_polyvec *b, mlk_poly *v) { - polyvec_compress_du(r, b); - poly_compress_dv(r + MLKEM_POLYVECCOMPRESSEDBYTES_DU, v); + mlk_polyvec_compress_du(r, b); + mlk_poly_compress_dv(r + MLKEM_POLYVECCOMPRESSEDBYTES_DU, v); } /************************************************* - * Name: unpack_ciphertext + * Name: mlk_unpack_ciphertext * * Description: De-serialize and decompress ciphertext from a byte array; - * approximate inverse of pack_ciphertext + * approximate inverse of mlk_pack_ciphertext * - * Arguments: - polyvec *b: pointer to the output vector of polynomials b - * - poly *v: pointer to the output polynomial v + * Arguments: - mlk_polyvec *b: pointer to the output vector of polynomials b + * - mlk_poly *v: pointer to the output polynomial v * - const uint8_t *c: pointer to the input serialized ciphertext **************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, +static void mlk_unpack_ciphertext(mlk_polyvec *b, mlk_poly *v, const uint8_t c[MLKEM_INDCPA_BYTES]) { - polyvec_decompress_du(b, c); - poly_decompress_dv(v, c + MLKEM_POLYVECCOMPRESSEDBYTES_DU); + mlk_polyvec_decompress_du(b, c); + mlk_poly_decompress_dv(v, c + MLKEM_POLYVECCOMPRESSEDBYTES_DU); } #if !defined(MLK_USE_NATIVE_NTT_CUSTOM_ORDER) @@ -156,13 +156,13 @@ __contract__( * that it does not change the bound established at the end of gen_matrix. */ requires(memory_no_alias(data, sizeof(int16_t) * MLKEM_N)) requires(array_bound(data, 0, MLKEM_N, 0, MLKEM_Q)) - assigns(memory_slice(data, sizeof(poly))) + assigns(memory_slice(data, sizeof(mlk_poly))) ensures(array_bound(data, 0, MLKEM_N, 0, MLKEM_Q))) { ((void)data); } #endif /* MLK_USE_NATIVE_NTT_CUSTOM_ORDER */ /* Not static for benchmarking */ MLK_INTERNAL_API -void gen_matrix(polyvec *a, const uint8_t seed[MLKEM_SYMBYTES], int transposed) +void mlk_gen_matrix(mlk_polyvec *a, const uint8_t seed[MLKEM_SYMBYTES], int transposed) { unsigned i, j; /* @@ -208,10 +208,10 @@ void gen_matrix(polyvec *a, const uint8_t seed[MLKEM_SYMBYTES], int transposed) } /* - * This call writes across polyvec boundaries for K=2 and K=3. + * This call writes across mlk_polyvec boundaries for K=2 and K=3. * This is intentional and safe. */ - poly_rej_uniform_x4(&a[0].vec[0] + i, seedxy); + mlk_poly_rej_uniform_x4(&a[0].vec[0] + i, seedxy); } /* For MLKEM_K == 3, sample the last entry individually. */ @@ -232,7 +232,7 @@ void gen_matrix(polyvec *a, const uint8_t seed[MLKEM_SYMBYTES], int transposed) seed0[MLKEM_SYMBYTES + 1] = x; } - poly_rej_uniform(&a[0].vec[0] + i, seed0); + mlk_poly_rej_uniform(&a[0].vec[0] + i, seed0); i++; } @@ -252,25 +252,25 @@ void gen_matrix(polyvec *a, const uint8_t seed[MLKEM_SYMBYTES], int transposed) } /************************************************* - * Name: matvec_mul + * Name: mlk_matvec_mul * * Description: Computes matrix-vector product in NTT domain, * via Montgomery multiplication. * - * Arguments: - polyvec *out: Pointer to output polynomial vector - * - polyvec a[MLKEM_K]: Input matrix. Must be in NTT domain + * Arguments: - mlk_polyvec *out: Pointer to output polynomial vector + * - mlk_polyvec a[MLKEM_K]: Input matrix. Must be in NTT domain * and have coefficients of absolute value < 4096. - * - polyvec *v: Input polynomial vector. Must be in NTT domain. - * - polyvec *vc: Mulcache for v, computed via - * polyvec_mulcache_compute(). + * - mlk_polyvec *v: Input polynomial vector. Must be in NTT domain. + * - mlk_polyvec *vc: Mulcache for v, computed via + * mlk_polyvec_mulcache_compute(). **************************************************/ -static void matvec_mul(polyvec *out, const polyvec a[MLKEM_K], const polyvec *v, - const polyvec_mulcache *vc) +static void mlk_matvec_mul(mlk_polyvec *out, const mlk_polyvec a[MLKEM_K], const mlk_polyvec *v, + const mlk_polyvec_mulcache *vc) __contract__( - requires(memory_no_alias(out, sizeof(polyvec))) - requires(memory_no_alias(a, sizeof(polyvec) * MLKEM_K)) - requires(memory_no_alias(v, sizeof(polyvec))) - requires(memory_no_alias(vc, sizeof(polyvec_mulcache))) + requires(memory_no_alias(out, sizeof(mlk_polyvec))) + requires(memory_no_alias(a, sizeof(mlk_polyvec) * MLKEM_K)) + requires(memory_no_alias(v, sizeof(mlk_polyvec))) + requires(memory_no_alias(vc, sizeof(mlk_polyvec_mulcache))) requires(forall(k0, 0, MLKEM_K, forall(k1, 0, MLKEM_K, array_bound(a[k0].vec[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))) @@ -282,20 +282,20 @@ __contract__( assigns(i, object_whole(out)) invariant(i <= MLKEM_K)) { - polyvec_basemul_acc_montgomery_cached(&out->vec[i], &a[i], v, vc); + mlk_polyvec_basemul_acc_montgomery_cached(&out->vec[i], &a[i], v, vc); } } MLK_INTERNAL_API -void indcpa_keypair_derand(uint8_t pk[MLKEM_INDCPA_PUBLICKEYBYTES], +void mlk_indcpa_keypair_derand(uint8_t pk[MLKEM_INDCPA_PUBLICKEYBYTES], uint8_t sk[MLKEM_INDCPA_SECRETKEYBYTES], const uint8_t coins[MLKEM_SYMBYTES]) { MLK_ALIGN uint8_t buf[2 * MLKEM_SYMBYTES]; const uint8_t *publicseed = buf; const uint8_t *noiseseed = buf + MLKEM_SYMBYTES; - polyvec a[MLKEM_K], e, pkpv, skpv; - polyvec_mulcache skpv_cache; + mlk_polyvec a[MLKEM_K], e, pkpv, skpv; + mlk_polyvec_mulcache skpv_cache; MLK_ALIGN uint8_t coins_with_domain_separator[MLKEM_SYMBYTES + 1]; /* Concatenate coins with MLKEM_K for domain separation of security levels */ @@ -315,59 +315,59 @@ void indcpa_keypair_derand(uint8_t pk[MLKEM_INDCPA_PUBLICKEYBYTES], VALGRIND_MAKE_MEM_DEFINED(publicseed, MLKEM_SYMBYTES); #endif - gen_matrix(a, publicseed, 0 /* no transpose */); + mlk_gen_matrix(a, publicseed, 0 /* no transpose */); #if MLKEM_K == 2 - poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, e.vec + 0, e.vec + 1, + mlk_poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, e.vec + 0, e.vec + 1, noiseseed, 0, 1, 2, 3); #elif MLKEM_K == 3 /* * Only the first three output buffers are needed. * The laster parameter is a dummy that's overwritten later. */ - poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, skpv.vec + 2, + mlk_poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, skpv.vec + 2, pkpv.vec + 0 /* irrelevant */, noiseseed, 0, 1, 2, 0xFF /* irrelevant */); /* Same here */ - poly_getnoise_eta1_4x(e.vec + 0, e.vec + 1, e.vec + 2, + mlk_poly_getnoise_eta1_4x(e.vec + 0, e.vec + 1, e.vec + 2, pkpv.vec + 0 /* irrelevant */, noiseseed, 3, 4, 5, 0xFF /* irrelevant */); #elif MLKEM_K == 4 - poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, skpv.vec + 2, skpv.vec + 3, + mlk_poly_getnoise_eta1_4x(skpv.vec + 0, skpv.vec + 1, skpv.vec + 2, skpv.vec + 3, noiseseed, 0, 1, 2, 3); - poly_getnoise_eta1_4x(e.vec + 0, e.vec + 1, e.vec + 2, e.vec + 3, noiseseed, + mlk_poly_getnoise_eta1_4x(e.vec + 0, e.vec + 1, e.vec + 2, e.vec + 3, noiseseed, 4, 5, 6, 7); #endif - polyvec_ntt(&skpv); - polyvec_ntt(&e); + mlk_polyvec_ntt(&skpv); + mlk_polyvec_ntt(&e); - polyvec_mulcache_compute(&skpv_cache, &skpv); - matvec_mul(&pkpv, a, &skpv, &skpv_cache); - polyvec_tomont(&pkpv); + mlk_polyvec_mulcache_compute(&skpv_cache, &skpv); + mlk_matvec_mul(&pkpv, a, &skpv, &skpv_cache); + mlk_polyvec_tomont(&pkpv); - polyvec_add(&pkpv, &e); - polyvec_reduce(&pkpv); - polyvec_reduce(&skpv); + mlk_polyvec_add(&pkpv, &e); + mlk_polyvec_reduce(&pkpv); + mlk_polyvec_reduce(&skpv); - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); + mlk_pack_sk(sk, &skpv); + mlk_pack_pk(pk, &pkpv, publicseed); } MLK_INTERNAL_API -void indcpa_enc(uint8_t c[MLKEM_INDCPA_BYTES], +void mlk_indcpa_enc(uint8_t c[MLKEM_INDCPA_BYTES], const uint8_t m[MLKEM_INDCPA_MSGBYTES], const uint8_t pk[MLKEM_INDCPA_PUBLICKEYBYTES], const uint8_t coins[MLKEM_SYMBYTES]) { MLK_ALIGN uint8_t seed[MLKEM_SYMBYTES]; - polyvec sp, pkpv, ep, at[MLKEM_K], b; - poly v, k, epp; - polyvec_mulcache sp_cache; + mlk_polyvec sp, pkpv, ep, at[MLKEM_K], b; + mlk_poly v, k, epp; + mlk_polyvec_mulcache sp_cache; - unpack_pk(&pkpv, seed, pk); - poly_frommsg(&k, m); + mlk_unpack_pk(&pkpv, seed, pk); + mlk_poly_frommsg(&k, m); #ifdef ENABLE_CT_TESTING @@ -380,77 +380,77 @@ void indcpa_enc(uint8_t c[MLKEM_INDCPA_BYTES], VALGRIND_MAKE_MEM_DEFINED(seed, MLKEM_SYMBYTES); #endif - gen_matrix(at, seed, 1 /* transpose */); + mlk_gen_matrix(at, seed, 1 /* transpose */); #if MLKEM_K == 2 - poly_getnoise_eta1122_4x(sp.vec + 0, sp.vec + 1, ep.vec + 0, ep.vec + 1, + mlk_poly_getnoise_eta1122_4x(sp.vec + 0, sp.vec + 1, ep.vec + 0, ep.vec + 1, coins, 0, 1, 2, 3); - poly_getnoise_eta2(&epp, coins, 4); + mlk_poly_getnoise_eta2(&epp, coins, 4); #elif MLKEM_K == 3 /* * In this call, only the first three output buffers are needed. * The last parameter is a dummy that's overwritten later. */ - poly_getnoise_eta1_4x(sp.vec + 0, sp.vec + 1, sp.vec + 2, &b.vec[0], coins, 0, + mlk_poly_getnoise_eta1_4x(sp.vec + 0, sp.vec + 1, sp.vec + 2, &b.vec[0], coins, 0, 1, 2, 0xFF); /* The fourth output buffer in this call _is_ used. */ - poly_getnoise_eta2_4x(ep.vec + 0, ep.vec + 1, ep.vec + 2, &epp, coins, 3, 4, + mlk_poly_getnoise_eta2_4x(ep.vec + 0, ep.vec + 1, ep.vec + 2, &epp, coins, 3, 4, 5, 6); #elif MLKEM_K == 4 - poly_getnoise_eta1_4x(sp.vec + 0, sp.vec + 1, sp.vec + 2, sp.vec + 3, coins, + mlk_poly_getnoise_eta1_4x(sp.vec + 0, sp.vec + 1, sp.vec + 2, sp.vec + 3, coins, 0, 1, 2, 3); - poly_getnoise_eta2_4x(ep.vec + 0, ep.vec + 1, ep.vec + 2, ep.vec + 3, coins, + mlk_poly_getnoise_eta2_4x(ep.vec + 0, ep.vec + 1, ep.vec + 2, ep.vec + 3, coins, 4, 5, 6, 7); - poly_getnoise_eta2(&epp, coins, 8); + mlk_poly_getnoise_eta2(&epp, coins, 8); #endif - polyvec_ntt(&sp); + mlk_polyvec_ntt(&sp); - polyvec_mulcache_compute(&sp_cache, &sp); - matvec_mul(&b, at, &sp, &sp_cache); - polyvec_basemul_acc_montgomery_cached(&v, &pkpv, &sp, &sp_cache); + mlk_polyvec_mulcache_compute(&sp_cache, &sp); + mlk_matvec_mul(&b, at, &sp, &sp_cache); + mlk_polyvec_basemul_acc_montgomery_cached(&v, &pkpv, &sp, &sp_cache); - polyvec_invntt_tomont(&b); - poly_invntt_tomont(&v); + mlk_polyvec_invntt_tomont(&b); + mlk_poly_invntt_tomont(&v); - polyvec_add(&b, &ep); - poly_add(&v, &epp); - poly_add(&v, &k); + mlk_polyvec_add(&b, &ep); + mlk_poly_add(&v, &epp); + mlk_poly_add(&v, &k); - polyvec_reduce(&b); - poly_reduce(&v); + mlk_polyvec_reduce(&b); + mlk_poly_reduce(&v); - pack_ciphertext(c, &b, &v); + mlk_pack_ciphertext(c, &b, &v); } MLK_INTERNAL_API -void indcpa_dec(uint8_t m[MLKEM_INDCPA_MSGBYTES], +void mlk_indcpa_dec(uint8_t m[MLKEM_INDCPA_MSGBYTES], const uint8_t c[MLKEM_INDCPA_BYTES], const uint8_t sk[MLKEM_INDCPA_SECRETKEYBYTES]) { - polyvec b, skpv; - poly v, sb; + mlk_polyvec b, skpv; + mlk_poly v, sb; - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); + mlk_unpack_ciphertext(&b, &v, c); + mlk_unpack_sk(&skpv, sk); - polyvec_ntt(&b); - polyvec_basemul_acc_montgomery(&sb, &skpv, &b); - poly_invntt_tomont(&sb); + mlk_polyvec_ntt(&b); + mlk_polyvec_basemul_acc_montgomery(&sb, &skpv, &b); + mlk_poly_invntt_tomont(&sb); - poly_sub(&v, &sb); - poly_reduce(&v); + mlk_poly_sub(&v, &sb); + mlk_poly_reduce(&v); - poly_tomsg(m, &v); + mlk_poly_tomsg(m, &v); } /* To facilitate single-compilation-unit (SCU) builds, undefine all macros. * Don't modify by hand -- this is auto-generated by scripts/autogen. */ -#undef pack_pk -#undef unpack_pk -#undef pack_sk -#undef unpack_sk -#undef pack_ciphertext -#undef unpack_ciphertext -#undef matvec_mul +#undef mlk_pack_pk +#undef mlk_unpack_pk +#undef mlk_pack_sk +#undef mlk_unpack_sk +#undef mlk_pack_ciphertext +#undef mlk_unpack_ciphertext +#undef mlk_matvec_mul #undef poly_permute_bitrev_to_custom diff --git a/mlkem/indcpa.h b/mlkem/indcpa.h index c8ef76916..ebd9c9704 100644 --- a/mlkem/indcpa.h +++ b/mlkem/indcpa.h @@ -10,23 +10,23 @@ #include "common.h" #include "poly_k.h" -#define gen_matrix MLK_NAMESPACE_K(gen_matrix) +#define mlk_gen_matrix MLK_NAMESPACE_K(gen_matrix) /************************************************* - * Name: gen_matrix + * Name: mlk_gen_matrix * * Description: Deterministically generate matrix A (or the transpose of A) * from a seed. Entries of the matrix are polynomials that look * uniformly random. Performs rejection sampling on output of * a XOF * - * Arguments: - polyvec *a: pointer to ouptput matrix A + * Arguments: - mlk_polyvec *a: pointer to ouptput matrix A * - const uint8_t *seed: pointer to input seed * - int transposed: boolean deciding whether A or A^T is generated **************************************************/ MLK_INTERNAL_API -void gen_matrix(polyvec *a, const uint8_t seed[MLKEM_SYMBYTES], int transposed) +void mlk_gen_matrix(mlk_polyvec *a, const uint8_t seed[MLKEM_SYMBYTES], int transposed) __contract__( - requires(memory_no_alias(a, sizeof(polyvec) * MLKEM_K)) + requires(memory_no_alias(a, sizeof(mlk_polyvec) * MLKEM_K)) requires(memory_no_alias(seed, MLKEM_SYMBYTES)) requires(transposed == 0 || transposed == 1) assigns(object_whole(a)) @@ -34,9 +34,9 @@ __contract__( array_bound(a[x].vec[y].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))); ); -#define indcpa_keypair_derand MLK_NAMESPACE_K(indcpa_keypair_derand) +#define mlk_indcpa_keypair_derand MLK_NAMESPACE_K(indcpa_keypair_derand) /************************************************* - * Name: indcpa_keypair_derand + * Name: mlk_indcpa_keypair_derand * * Description: Generates public and private key for the CPA-secure * public-key encryption scheme underlying ML-KEM @@ -49,7 +49,7 @@ __contract__( * (of length MLKEM_SYMBYTES bytes) **************************************************/ MLK_INTERNAL_API -void indcpa_keypair_derand(uint8_t pk[MLKEM_INDCPA_PUBLICKEYBYTES], +void mlk_indcpa_keypair_derand(uint8_t pk[MLKEM_INDCPA_PUBLICKEYBYTES], uint8_t sk[MLKEM_INDCPA_SECRETKEYBYTES], const uint8_t coins[MLKEM_SYMBYTES]) __contract__( @@ -60,9 +60,9 @@ __contract__( assigns(object_whole(sk)) ); -#define indcpa_enc MLK_NAMESPACE_K(indcpa_enc) +#define mlk_indcpa_enc MLK_NAMESPACE_K(indcpa_enc) /************************************************* - * Name: indcpa_enc + * Name: mlk_indcpa_enc * * Description: Encryption function of the CPA-secure * public-key encryption scheme underlying Kyber. @@ -77,7 +77,7 @@ __contract__( *seed (of length MLKEM_SYMBYTES) to deterministically generate all randomness **************************************************/ MLK_INTERNAL_API -void indcpa_enc(uint8_t c[MLKEM_INDCPA_BYTES], +void mlk_indcpa_enc(uint8_t c[MLKEM_INDCPA_BYTES], const uint8_t m[MLKEM_INDCPA_MSGBYTES], const uint8_t pk[MLKEM_INDCPA_PUBLICKEYBYTES], const uint8_t coins[MLKEM_SYMBYTES]) @@ -89,9 +89,9 @@ __contract__( assigns(object_whole(c)) ); -#define indcpa_dec MLK_NAMESPACE_K(indcpa_dec) +#define mlk_indcpa_dec MLK_NAMESPACE_K(indcpa_dec) /************************************************* - * Name: indcpa_dec + * Name: mlk_indcpa_dec * * Description: Decryption function of the CPA-secure * public-key encryption scheme underlying Kyber. @@ -104,7 +104,7 @@ __contract__( * (of length MLKEM_INDCPA_SECRETKEYBYTES) **************************************************/ MLK_INTERNAL_API -void indcpa_dec(uint8_t m[MLKEM_INDCPA_MSGBYTES], +void mlk_indcpa_dec(uint8_t m[MLKEM_INDCPA_MSGBYTES], const uint8_t c[MLKEM_INDCPA_BYTES], const uint8_t sk[MLKEM_INDCPA_SECRETKEYBYTES]) __contract__( diff --git a/mlkem/kem.c b/mlkem/kem.c index f768df07b..ef5099a7c 100644 --- a/mlkem/kem.c +++ b/mlkem/kem.c @@ -20,8 +20,8 @@ * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define check_pk MLK_NAMESPACE_K(check_pk) -#define check_sk MLK_NAMESPACE_K(check_sk) +#define mlk_check_pk MLK_NAMESPACE_K(check_pk) +#define mlk_check_sk MLK_NAMESPACE_K(check_sk) /* End of static namespacing */ #if defined(CBMC) @@ -34,7 +34,7 @@ __contract__( #endif /************************************************* - * Name: check_pk + * Name: mlk_check_pk * * Description: Implements modulus check mandated by FIPS203, * i.e., ensures that coefficients are in [0,q-1]. @@ -46,13 +46,13 @@ __contract__( * * Returns 0 on success, and -1 on failure **************************************************/ -static int check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES]) +static int mlk_check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES]) { - polyvec p; + mlk_polyvec p; uint8_t p_reencoded[MLKEM_POLYVECBYTES]; - polyvec_frombytes(&p, pk); - polyvec_reduce(&p); - polyvec_tobytes(p_reencoded, &p); + mlk_polyvec_frombytes(&p, pk); + mlk_polyvec_reduce(&p); + mlk_polyvec_tobytes(p_reencoded, &p); /* Data is public, so a variable-time memcmp() is OK */ if (memcmp(pk, p_reencoded, MLKEM_POLYVECBYTES)) { @@ -62,7 +62,7 @@ static int check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES]) } /************************************************* - * Name: check_sk + * Name: mlk_check_sk * * Description: Implements public key hash check mandated by FIPS203, * i.e., ensures that @@ -75,7 +75,7 @@ static int check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES]) * * Returns 0 on success, and -1 on failure **************************************************/ -static int check_sk(const uint8_t sk[MLKEM_INDCCA_SECRETKEYBYTES]) +static int mlk_check_sk(const uint8_t sk[MLKEM_INDCCA_SECRETKEYBYTES]) { MLK_ALIGN uint8_t test[MLKEM_SYMBYTES]; /* @@ -105,7 +105,7 @@ int crypto_kem_keypair_derand(uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES], uint8_t sk[MLKEM_INDCCA_SECRETKEYBYTES], const uint8_t *coins) { - indcpa_keypair_derand(pk, sk, coins); + mlk_indcpa_keypair_derand(pk, sk, coins); memcpy(sk + MLKEM_INDCPA_SECRETKEYBYTES, pk, MLKEM_INDCCA_PUBLICKEYBYTES); hash_h(sk + MLKEM_INDCCA_SECRETKEYBYTES - 2 * MLKEM_SYMBYTES, pk, MLKEM_INDCCA_PUBLICKEYBYTES); @@ -133,7 +133,7 @@ int crypto_kem_enc_derand(uint8_t ct[MLKEM_INDCCA_CIPHERTEXTBYTES], /* Will contain key, coins */ MLK_ALIGN uint8_t kr[2 * MLKEM_SYMBYTES]; - if (check_pk(pk)) + if (mlk_check_pk(pk)) { return -1; } @@ -145,7 +145,7 @@ int crypto_kem_enc_derand(uint8_t ct[MLKEM_INDCCA_CIPHERTEXTBYTES], hash_g(kr, buf, 2 * MLKEM_SYMBYTES); /* coins are in kr+MLKEM_SYMBYTES */ - indcpa_enc(ct, buf, pk, kr + MLKEM_SYMBYTES); + mlk_indcpa_enc(ct, buf, pk, kr + MLKEM_SYMBYTES); memcpy(ss, kr, MLKEM_SYMBYTES); return 0; @@ -170,12 +170,12 @@ int crypto_kem_dec(uint8_t ss[MLKEM_SSBYTES], MLK_ALIGN uint8_t kr[2 * MLKEM_SYMBYTES]; const uint8_t *pk = sk + MLKEM_INDCPA_SECRETKEYBYTES; - if (check_sk(sk)) + if (mlk_check_sk(sk)) { return -1; } - indcpa_dec(buf, ct, sk); + mlk_indcpa_dec(buf, ct, sk); /* Multitarget countermeasure for coins + contributory KEM */ memcpy(buf + MLKEM_SYMBYTES, @@ -187,8 +187,8 @@ int crypto_kem_dec(uint8_t ss[MLKEM_SSBYTES], /* Temporary buffer */ MLK_ALIGN uint8_t cmp[MLKEM_INDCCA_CIPHERTEXTBYTES]; /* coins are in kr+MLKEM_SYMBYTES */ - indcpa_enc(cmp, buf, pk, kr + MLKEM_SYMBYTES); - fail = ct_memcmp(ct, cmp, MLKEM_INDCCA_CIPHERTEXTBYTES); + mlk_indcpa_enc(cmp, buf, pk, kr + MLKEM_SYMBYTES); + fail = mlk_ct_memcmp(ct, cmp, MLKEM_INDCCA_CIPHERTEXTBYTES); } /* Compute rejection key */ @@ -202,12 +202,12 @@ int crypto_kem_dec(uint8_t ss[MLKEM_SSBYTES], } /* Copy true key to return buffer if fail is 0 */ - ct_cmov_zero(ss, kr, MLKEM_SYMBYTES, fail); + mlk_ct_cmov_zero(ss, kr, MLKEM_SYMBYTES, fail); return 0; } /* To facilitate single-compilation-unit (SCU) builds, undefine all macros. * Don't modify by hand -- this is auto-generated by scripts/autogen. */ -#undef check_pk -#undef check_sk +#undef mlk_check_pk +#undef mlk_check_sk diff --git a/mlkem/native/aarch64/src/aarch64_zetas.c b/mlkem/native/aarch64/src/aarch64_zetas.c index 1b7184ec6..c414d3412 100644 --- a/mlkem/native/aarch64/src/aarch64_zetas.c +++ b/mlkem/native/aarch64/src/aarch64_zetas.c @@ -20,7 +20,7 @@ * Table of zeta values used in the AArch64 forward NTT * See autogen for details. */ -MLK_ALIGN const int16_t aarch64_ntt_zetas_layer01234[] = { +MLK_ALIGN const int16_t mlk_aarch64_ntt_zetas_layer01234[] = { -1600, -15749, -749, -7373, -40, -394, -687, -6762, 630, 6201, -1432, -14095, 848, 8347, 0, 0, 1062, 10453, 296, 2914, -882, -8682, 0, 0, -1410, -13879, 1339, 13180, 1476, 14529, @@ -31,7 +31,7 @@ MLK_ALIGN const int16_t aarch64_ntt_zetas_layer01234[] = { 0, 0, -1583, -15582, -1355, -13338, 821, 8081, 0, 0, }; -MLK_ALIGN const int16_t aarch64_ntt_zetas_layer56[] = { +MLK_ALIGN const int16_t mlk_aarch64_ntt_zetas_layer56[] = { 289, 289, 331, 331, -76, -76, -1573, -1573, 2845, 2845, 3258, 3258, -748, -748, -15483, -15483, 17, 17, 583, 583, 1637, 1637, -1041, -1041, 167, 167, 5739, @@ -88,7 +88,7 @@ MLK_ALIGN const int16_t aarch64_invntt_zetas_layer01234[] = { -848, -8347, 1432, 14095, -630, -6201, 687, 6762, 0, 0, }; -MLK_ALIGN const int16_t aarch64_invntt_zetas_layer56[] = { +MLK_ALIGN const int16_t mlk_aarch64_invntt_zetas_layer56[] = { -910, -910, -1227, -1227, 219, 219, 855, 855, -8957, -8957, -12078, -12078, 2156, 2156, 8416, 8416, 1175, 1175, 394, 394, -1029, -1029, -1212, -1212, 11566, 11566, 3878, diff --git a/mlkem/native/aarch64/src/arith_native_aarch64.h b/mlkem/native/aarch64/src/arith_native_aarch64.h index d3fd58a67..41a144577 100644 --- a/mlkem/native/aarch64/src/arith_native_aarch64.h +++ b/mlkem/native/aarch64/src/arith_native_aarch64.h @@ -8,44 +8,44 @@ #include #include "../../../common.h" -#define aarch64_ntt_zetas_layer01234 MLK_NAMESPACE(aarch64_ntt_zetas_layer01234) -#define aarch64_ntt_zetas_layer56 MLK_NAMESPACE(aarch64_ntt_zetas_layer56) +#define mlk_aarch64_ntt_zetas_layer01234 MLK_NAMESPACE(aarch64_ntt_zetas_layer01234) +#define mlk_aarch64_ntt_zetas_layer56 MLK_NAMESPACE(aarch64_ntt_zetas_layer56) #define aarch64_invntt_zetas_layer01234 \ MLK_NAMESPACE(aarch64_invntt_zetas_layer01234) -#define aarch64_invntt_zetas_layer56 MLK_NAMESPACE(aarch64_invntt_zetas_layer56) +#define mlk_aarch64_invntt_zetas_layer56 MLK_NAMESPACE(aarch64_invntt_zetas_layer56) #define aarch64_zetas_mulcache_native \ MLK_NAMESPACE(aarch64_zetas_mulcache_native) #define aarch64_zetas_mulcache_twisted_native \ MLK_NAMESPACE(aarch64_zetas_mulcache_twisted_native) -#define rej_uniform_table MLK_NAMESPACE(rej_uniform_table) +#define mlk_rej_uniform_table MLK_NAMESPACE(rej_uniform_table) -extern const int16_t aarch64_ntt_zetas_layer01234[]; -extern const int16_t aarch64_ntt_zetas_layer56[]; +extern const int16_t mlk_aarch64_ntt_zetas_layer01234[]; +extern const int16_t mlk_aarch64_ntt_zetas_layer56[]; extern const int16_t aarch64_invntt_zetas_layer01234[]; -extern const int16_t aarch64_invntt_zetas_layer56[]; +extern const int16_t mlk_aarch64_invntt_zetas_layer56[]; extern const int16_t aarch64_zetas_mulcache_native[]; extern const int16_t aarch64_zetas_mulcache_twisted_native[]; -extern const uint8_t rej_uniform_table[]; +extern const uint8_t mlk_rej_uniform_table[]; -#define ntt_asm_opt MLK_NAMESPACE(ntt_asm_opt) -void ntt_asm_opt(int16_t *, const int16_t *, const int16_t *); +#define mlk_ntt_asm_opt MLK_NAMESPACE(ntt_asm_opt) +void mlk_ntt_asm_opt(int16_t *, const int16_t *, const int16_t *); -#define intt_asm_opt MLK_NAMESPACE(intt_asm_opt) -void intt_asm_opt(int16_t *, const int16_t *, const int16_t *); +#define mlk_intt_asm_opt MLK_NAMESPACE(intt_asm_opt) +void mlk_intt_asm_opt(int16_t *, const int16_t *, const int16_t *); -#define poly_reduce_asm_opt MLK_NAMESPACE(poly_reduce_asm_opt) -void poly_reduce_asm_opt(int16_t *); +#define mlk_poly_reduce_asm_opt MLK_NAMESPACE(poly_reduce_asm_opt) +void mlk_poly_reduce_asm_opt(int16_t *); -#define poly_tomont_asm_opt MLK_NAMESPACE(poly_tomont_asm_opt) -void poly_tomont_asm_opt(int16_t *); +#define mlk_poly_tomont_asm_opt MLK_NAMESPACE(poly_tomont_asm_opt) +void mlk_poly_tomont_asm_opt(int16_t *); #define poly_mulcache_compute_asm_opt \ MLK_NAMESPACE(poly_mulcache_compute_asm_opt) void poly_mulcache_compute_asm_opt(int16_t *, const int16_t *, const int16_t *, const int16_t *); -#define poly_tobytes_asm_opt MLK_NAMESPACE(poly_tobytes_asm_opt) -void poly_tobytes_asm_opt(uint8_t *r, const int16_t *a); +#define mlk_poly_tobytes_asm_opt MLK_NAMESPACE(poly_tobytes_asm_opt) +void mlk_poly_tobytes_asm_opt(uint8_t *r, const int16_t *a); #define polyvec_basemul_acc_montgomery_cached_asm_k2_opt \ MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_asm_k2_opt) @@ -68,8 +68,8 @@ void polyvec_basemul_acc_montgomery_cached_asm_k4_opt(int16_t *r, const int16_t *b, const int16_t *b_cache); -#define rej_uniform_asm_clean MLK_NAMESPACE(rej_uniform_asm_clean) -unsigned rej_uniform_asm_clean(int16_t *r, const uint8_t *buf, unsigned buflen, +#define mlk_rej_uniform_asm_clean MLK_NAMESPACE(rej_uniform_asm_clean) +unsigned mlk_rej_uniform_asm_clean(int16_t *r, const uint8_t *buf, unsigned buflen, const uint8_t *table); #endif /* MLK_NATIVE_AARCH64_SRC_ARITH_NATIVE_AARCH64_H */ diff --git a/mlkem/native/aarch64/src/consts.h b/mlkem/native/aarch64/src/consts.h index 4b6c8b0b0..3bd189188 100644 --- a/mlkem/native/aarch64/src/consts.h +++ b/mlkem/native/aarch64/src/consts.h @@ -9,8 +9,8 @@ #include #include "../../../common.h" -#define zetas_mulcache_native MLK_NAMESPACE(zetas_mulcache_native) -extern const int16_t zetas_mulcache_native[256]; +#define mlk_zetas_mulcache_native MLK_NAMESPACE(zetas_mulcache_native) +extern const int16_t mlk_zetas_mulcache_native[256]; #define zetas_mulcache_twisted_native \ MLK_NAMESPACE(zetas_mulcache_twisted_native) diff --git a/mlkem/native/aarch64/src/opt_impl.h b/mlkem/native/aarch64/src/opt_impl.h index c4ea727e5..7cd382a98 100644 --- a/mlkem/native/aarch64/src/opt_impl.h +++ b/mlkem/native/aarch64/src/opt_impl.h @@ -25,23 +25,23 @@ static MLK_INLINE void ntt_native(int16_t data[MLKEM_N]) { - ntt_asm_opt(data, aarch64_ntt_zetas_layer01234, aarch64_ntt_zetas_layer56); + mlk_ntt_asm_opt(data, mlk_aarch64_ntt_zetas_layer01234, mlk_aarch64_ntt_zetas_layer56); } static MLK_INLINE void intt_native(int16_t data[MLKEM_N]) { - intt_asm_opt(data, aarch64_invntt_zetas_layer01234, - aarch64_invntt_zetas_layer56); + mlk_intt_asm_opt(data, aarch64_invntt_zetas_layer01234, + mlk_aarch64_invntt_zetas_layer56); } static MLK_INLINE void poly_reduce_native(int16_t data[MLKEM_N]) { - poly_reduce_asm_opt(data); + mlk_poly_reduce_asm_opt(data); } static MLK_INLINE void poly_tomont_native(int16_t data[MLKEM_N]) { - poly_tomont_asm_opt(data); + mlk_poly_tomont_asm_opt(data); } static MLK_INLINE void poly_mulcache_compute_native(int16_t x[MLKEM_N / 2], @@ -75,7 +75,7 @@ static MLK_INLINE void polyvec_basemul_acc_montgomery_cached_k4_native( static MLK_INLINE void poly_tobytes_native(uint8_t r[MLKEM_POLYBYTES], const int16_t a[MLKEM_N]) { - poly_tobytes_asm_opt(r, a); + mlk_poly_tobytes_asm_opt(r, a); } static MLK_INLINE int rej_uniform_native(int16_t *r, unsigned len, @@ -85,7 +85,7 @@ static MLK_INLINE int rej_uniform_native(int16_t *r, unsigned len, { return -1; } - return (int)rej_uniform_asm_clean(r, buf, buflen, rej_uniform_table); + return (int)mlk_rej_uniform_asm_clean(r, buf, buflen, mlk_rej_uniform_table); } #endif /* MLK_ARITH_PROFILE_IMPL_H */ diff --git a/mlkem/native/aarch64/src/rej_uniform_asm_clean.S b/mlkem/native/aarch64/src/rej_uniform_asm_clean.S index dac4c0bd4..bc51a9c4e 100644 --- a/mlkem/native/aarch64/src/rej_uniform_asm_clean.S +++ b/mlkem/native/aarch64/src/rej_uniform_asm_clean.S @@ -4,7 +4,7 @@ */ /************************************************* - * Name: rej_uniform_asm_clean + * Name: mlk_rej_uniform_asm_clean * * Description: Run rejection sampling on uniform random bytes to generate * uniform random integers mod q diff --git a/mlkem/native/aarch64/src/rej_uniform_table.c b/mlkem/native/aarch64/src/rej_uniform_table.c index c1b8e1319..7247db42d 100644 --- a/mlkem/native/aarch64/src/rej_uniform_table.c +++ b/mlkem/native/aarch64/src/rej_uniform_table.c @@ -20,7 +20,7 @@ * Lookup table used by rejection sampling of the public matrix. * See autogen for details. */ -MLK_ALIGN const uint8_t rej_uniform_table[] = { +MLK_ALIGN const uint8_t mlk_rej_uniform_table[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 /* 0 */, 0, 1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 /* 1 */, 2, 3, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 /* 2 */, diff --git a/mlkem/native/api.h b/mlkem/native/api.h index bc886deee..f115e4b54 100644 --- a/mlkem/native/api.h +++ b/mlkem/native/api.h @@ -192,7 +192,7 @@ __contract__( * implementation defined. * * Arguments: INPUT: - * - poly: const pointer to input polynomial. + * - mlk_poly: const pointer to input polynomial. * This must be in NTT domain and inin bitreversed order, or of * a custom order if MLK_USE_NATIVE_NTT_CUSTOM_ORDER is set. * See the documentation of MLK_USE_NATIVE_NTT_CUSTOM_ORDER @@ -201,10 +201,10 @@ __contract__( * - cache: pointer to multiplication cache **************************************************/ static MLK_INLINE void poly_mulcache_compute_native(int16_t cache[MLKEM_N / 2], - const int16_t poly[MLKEM_N]) + const int16_t mlk_poly[MLKEM_N]) __contract__( requires(memory_no_alias(cache, sizeof(int16_t) * (MLKEM_N / 2))) - requires(memory_no_alias(poly, sizeof(int16_t) * MLKEM_N)) + requires(memory_no_alias(mlk_poly, sizeof(int16_t) * MLKEM_N)) assigns(object_whole(cache)) ); #endif /* MLK_USE_NATIVE_POLY_MULCACHE_COMPUTE */ @@ -456,7 +456,7 @@ static MLK_INLINE void poly_compress_d10_native( #if defined(MLK_USE_NATIVE_POLY_DECOMPRESS_D4) /************************************************* - * Name: poly_decompress_d4 + * Name: mlk_poly_decompress_d4 * * Description: De-serialization and subsequent decompression (dv bits) of a * polynomial; approximate inverse of poly_compress @@ -478,7 +478,7 @@ static MLK_INLINE void poly_decompress_d4_native( * Name: poly_decompress_d10_native * * Description: De-serialization and subsequent decompression (10 bits) of a - * polynomial; approximate inverse of poly_compress_d10 + * polynomial; approximate inverse of mlk_poly_compress_d10 * * Arguments: - int16_t r[MLKEM_N]: pointer to output polynomial * - const uint8_t *a: pointer to input byte array @@ -553,7 +553,7 @@ static MLK_INLINE void poly_decompress_d5_native( * Name: poly_decompress_d11_native * * Description: De-serialization and subsequent decompression (11 bits) of a - * polynomial; approximate inverse of poly_compress_d11 + * polynomial; approximate inverse of mlk_poly_compress_d11 * * Arguments: - int16_t r[MLKEM_N]: pointer to output polynomial * - const uint8_t *a: pointer to input byte array diff --git a/mlkem/native/x86_64/src/arith_native_x86_64.h b/mlkem/native/x86_64/src/arith_native_x86_64.h index 41cd345f4..a5c9763f6 100644 --- a/mlkem/native/x86_64/src/arith_native_x86_64.h +++ b/mlkem/native/x86_64/src/arith_native_x86_64.h @@ -14,30 +14,30 @@ #define MLK_AVX2_REJ_UNIFORM_BUFLEN \ (3 * 168) /* REJ_UNIFORM_NBLOCKS * SHAKE128_RATE */ -#define rej_uniform_avx2 MLK_NAMESPACE(rej_uniform_avx2) -unsigned rej_uniform_avx2(int16_t *r, const uint8_t *buf); +#define mlk_rej_uniform_avx2 MLK_NAMESPACE(rej_uniform_avx2) +unsigned mlk_rej_uniform_avx2(int16_t *r, const uint8_t *buf); -#define rej_uniform_table MLK_NAMESPACE(rej_uniform_table) -extern const uint8_t rej_uniform_table[256][8]; +#define mlk_rej_uniform_table MLK_NAMESPACE(rej_uniform_table) +extern const uint8_t mlk_rej_uniform_table[256][8]; -#define ntt_avx2 MLK_NAMESPACE(ntt_avx2) -void ntt_avx2(__m256i *r, const __m256i *qdata); +#define mlk_ntt_avx2 MLK_NAMESPACE(ntt_avx2) +void mlk_ntt_avx2(__m256i *r, const __m256i *mlk_qdata); -#define invntt_avx2 MLK_NAMESPACE(invntt_avx2) -void invntt_avx2(__m256i *r, const __m256i *qdata); +#define mlk_invntt_avx2 MLK_NAMESPACE(invntt_avx2) +void mlk_invntt_avx2(__m256i *r, const __m256i *mlk_qdata); -#define nttpack_avx2 MLK_NAMESPACE(nttpack_avx2) -void nttpack_avx2(__m256i *r, const __m256i *qdata); +#define mlk_nttpack_avx2 MLK_NAMESPACE(nttpack_avx2) +void mlk_nttpack_avx2(__m256i *r, const __m256i *mlk_qdata); -#define nttunpack_avx2 MLK_NAMESPACE(nttunpack_avx2) -void nttunpack_avx2(__m256i *r, const __m256i *qdata); +#define mlk_nttunpack_avx2 MLK_NAMESPACE(nttunpack_avx2) +void mlk_nttunpack_avx2(__m256i *r, const __m256i *mlk_qdata); -#define reduce_avx2 MLK_NAMESPACE(reduce_avx2) -void reduce_avx2(__m256i *r, const __m256i *qdata); +#define mlk_reduce_avx2 MLK_NAMESPACE(reduce_avx2) +void mlk_reduce_avx2(__m256i *r, const __m256i *mlk_qdata); -#define basemul_avx2 MLK_NAMESPACE(basemul_avx2) -void basemul_avx2(__m256i *r, const __m256i *a, const __m256i *b, - const __m256i *qdata); +#define mlk_basemul_avx2 MLK_NAMESPACE(basemul_avx2) +void mlk_basemul_avx2(__m256i *r, const __m256i *a, const __m256i *b, + const __m256i *mlk_qdata); #define polyvec_basemul_acc_montgomery_cached_avx2 \ MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_avx2) @@ -46,38 +46,38 @@ void polyvec_basemul_acc_montgomery_cached_avx2(unsigned k, int16_t r[MLKEM_N], const int16_t *b, const int16_t *kb_cache); -#define ntttobytes_avx2 MLK_NAMESPACE(ntttobytes_avx2) -void ntttobytes_avx2(uint8_t *r, const __m256i *a, const __m256i *qdata); +#define mlk_ntttobytes_avx2 MLK_NAMESPACE(ntttobytes_avx2) +void mlk_ntttobytes_avx2(uint8_t *r, const __m256i *a, const __m256i *mlk_qdata); -#define nttfrombytes_avx2 MLK_NAMESPACE(nttfrombytes_avx2) -void nttfrombytes_avx2(__m256i *r, const uint8_t *a, const __m256i *qdata); +#define mlk_nttfrombytes_avx2 MLK_NAMESPACE(nttfrombytes_avx2) +void mlk_nttfrombytes_avx2(__m256i *r, const uint8_t *a, const __m256i *mlk_qdata); -#define tomont_avx2 MLK_NAMESPACE(tomont_avx2) -void tomont_avx2(__m256i *r, const __m256i *qdata); +#define mlk_tomont_avx2 MLK_NAMESPACE(tomont_avx2) +void mlk_tomont_avx2(__m256i *r, const __m256i *mlk_qdata); -#define poly_compress_d4_avx2 MLK_NAMESPACE(poly_compress_d4_avx2) -void poly_compress_d4_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], +#define mlk_poly_compress_d4_avx2 MLK_NAMESPACE(poly_compress_d4_avx2) +void mlk_poly_compress_d4_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const __m256i *MLK_RESTRICT a); -#define poly_decompress_d4_avx2 MLK_NAMESPACE(poly_decompress_d4_avx2) -void poly_decompress_d4_avx2(__m256i *MLK_RESTRICT r, +#define mlk_poly_decompress_d4_avx2 MLK_NAMESPACE(poly_decompress_d4_avx2) +void mlk_poly_decompress_d4_avx2(__m256i *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]); -#define poly_compress_d10_avx2 MLK_NAMESPACE(poly_compress10_avx2) -void poly_compress_d10_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], +#define mlk_poly_compress_d10_avx2 MLK_NAMESPACE(poly_compress10_avx2) +void mlk_poly_compress_d10_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const __m256i *MLK_RESTRICT a); -#define poly_decompress_d10_avx2 MLK_NAMESPACE(poly_decompress10_avx2) -void poly_decompress_d10_avx2(__m256i *MLK_RESTRICT r, +#define mlk_poly_decompress_d10_avx2 MLK_NAMESPACE(poly_decompress10_avx2) +void mlk_poly_decompress_d10_avx2(__m256i *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D10]); -#define poly_compress_d5_avx2 MLK_NAMESPACE(poly_compress_d5_avx2) -void poly_compress_d5_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], +#define mlk_poly_compress_d5_avx2 MLK_NAMESPACE(poly_compress_d5_avx2) +void mlk_poly_compress_d5_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const __m256i *MLK_RESTRICT a); -#define poly_decompress_d5_avx2 MLK_NAMESPACE(poly_decompress_d5_avx2) -void poly_decompress_d5_avx2(__m256i *MLK_RESTRICT r, +#define mlk_poly_decompress_d5_avx2 MLK_NAMESPACE(poly_decompress_d5_avx2) +void mlk_poly_decompress_d5_avx2(__m256i *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]); -#define poly_compress_d11_avx2 MLK_NAMESPACE(poly_compress11_avx2) -void poly_compress_d11_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], +#define mlk_poly_compress_d11_avx2 MLK_NAMESPACE(poly_compress11_avx2) +void mlk_poly_compress_d11_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const __m256i *MLK_RESTRICT a); -#define poly_decompress_d11_avx2 MLK_NAMESPACE(poly_decompress11_avx2) -void poly_decompress_d11_avx2(__m256i *MLK_RESTRICT r, +#define mlk_poly_decompress_d11_avx2 MLK_NAMESPACE(poly_decompress11_avx2) +void mlk_poly_decompress_d11_avx2(__m256i *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D11]); #endif /* MLK_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H */ diff --git a/mlkem/native/x86_64/src/basemul.c b/mlkem/native/x86_64/src/basemul.c index 93491aa46..3bc262cc1 100644 --- a/mlkem/native/x86_64/src/basemul.c +++ b/mlkem/native/x86_64/src/basemul.c @@ -15,7 +15,7 @@ static void poly_basemul_montgomery_avx2(int16_t r[MLKEM_N], const int16_t a[MLKEM_N], const int16_t b[MLKEM_N]) { - basemul_avx2((__m256i *)r, (const __m256i *)a, (const __m256i *)b, qdata.vec); + mlk_basemul_avx2((__m256i *)r, (const __m256i *)a, (const __m256i *)b, qdata.vec); } /* diff --git a/mlkem/native/x86_64/src/compress_avx2.c b/mlkem/native/x86_64/src/compress_avx2.c index d9734e49c..e2735b7f0 100644 --- a/mlkem/native/x86_64/src/compress_avx2.c +++ b/mlkem/native/x86_64/src/compress_avx2.c @@ -18,7 +18,7 @@ #include "consts.h" #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || (MLKEM_K == 2 || MLKEM_K == 3) -void poly_compress_d4_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], +void mlk_poly_compress_d4_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const __m256i *MLK_RESTRICT a) { unsigned int i; @@ -58,7 +58,7 @@ void poly_compress_d4_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], } } -void poly_decompress_d4_avx2(__m256i *MLK_RESTRICT r, +void mlk_poly_decompress_d4_avx2(__m256i *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]) { unsigned int i; @@ -84,7 +84,7 @@ void poly_decompress_d4_avx2(__m256i *MLK_RESTRICT r, } } -void poly_compress_d10_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], +void mlk_poly_compress_d10_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const __m256i *MLK_RESTRICT a) { unsigned int i; @@ -128,7 +128,7 @@ void poly_compress_d10_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], } } -void poly_decompress_d10_avx2(__m256i *MLK_RESTRICT r, +void mlk_poly_decompress_d10_avx2(__m256i *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D10]) { unsigned int i; @@ -168,7 +168,7 @@ void poly_decompress_d10_avx2(__m256i *MLK_RESTRICT r, || MLKEM_K == 3) */ #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || MLKEM_K == 4 -void poly_compress_d5_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], +void mlk_poly_compress_d5_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const __m256i *MLK_RESTRICT a) { unsigned int i; @@ -210,7 +210,7 @@ void poly_compress_d5_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], } } -void poly_decompress_d5_avx2(__m256i *MLK_RESTRICT r, +void mlk_poly_decompress_d5_avx2(__m256i *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) { unsigned int i; @@ -241,7 +241,7 @@ void poly_decompress_d5_avx2(__m256i *MLK_RESTRICT r, } } -void poly_compress_d11_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], +void mlk_poly_compress_d11_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const __m256i *MLK_RESTRICT a) { unsigned int i; @@ -314,7 +314,7 @@ void poly_compress_d11_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], memcpy(&r[22 * i + 16], &t1, 6); } -void poly_decompress_d11_avx2(__m256i *MLK_RESTRICT r, +void mlk_poly_decompress_d11_avx2(__m256i *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D11]) { unsigned int i; diff --git a/mlkem/native/x86_64/src/consts.c b/mlkem/native/x86_64/src/consts.c index 990d26064..5805df713 100644 --- a/mlkem/native/x86_64/src/consts.c +++ b/mlkem/native/x86_64/src/consts.c @@ -27,7 +27,7 @@ #define MLK_AVX2_MASK 4095 #define MLK_AVX2_SHIFT 32 -const qdata_t qdata = {{ +const qdata_t mlk_qdata = {{ #define MLK_AVX2_BACKEND_DATA_OFFSET_16XQ 0 MLK_AVX2_Q, MLK_AVX2_Q, diff --git a/mlkem/native/x86_64/src/consts.h b/mlkem/native/x86_64/src/consts.h index ad24c5123..5fccc615e 100644 --- a/mlkem/native/x86_64/src/consts.h +++ b/mlkem/native/x86_64/src/consts.h @@ -35,8 +35,8 @@ #ifndef __ASSEMBLER__ #include "align.h" typedef MLK_ALIGNED_INT16(640) qdata_t; -#define qdata MLK_NAMESPACE(qdata) -extern const qdata_t qdata; +#define mlk_qdata MLK_NAMESPACE(qdata) +extern const qdata_t mlk_qdata; #endif #endif /* MLK_NATIVE_X86_64_SRC_CONSTS_H */ diff --git a/mlkem/native/x86_64/src/default_impl.h b/mlkem/native/x86_64/src/default_impl.h index 6a0517233..0f72b11a8 100644 --- a/mlkem/native/x86_64/src/default_impl.h +++ b/mlkem/native/x86_64/src/default_impl.h @@ -39,7 +39,7 @@ static MLK_INLINE void poly_permute_bitrev_to_custom(int16_t data[MLKEM_N]) { - nttunpack_avx2((__m256i *)(data), qdata.vec); + mlk_nttunpack_avx2((__m256i *)(data), qdata.vec); } static MLK_INLINE int rej_uniform_native(int16_t *r, unsigned len, @@ -51,27 +51,27 @@ static MLK_INLINE int rej_uniform_native(int16_t *r, unsigned len, return -1; } - return (int)rej_uniform_avx2(r, buf); + return (int)mlk_rej_uniform_avx2(r, buf); } static MLK_INLINE void ntt_native(int16_t data[MLKEM_N]) { - ntt_avx2((__m256i *)data, qdata.vec); + mlk_ntt_avx2((__m256i *)data, qdata.vec); } static MLK_INLINE void intt_native(int16_t data[MLKEM_N]) { - invntt_avx2((__m256i *)data, qdata.vec); + mlk_invntt_avx2((__m256i *)data, qdata.vec); } static MLK_INLINE void poly_reduce_native(int16_t data[MLKEM_N]) { - reduce_avx2((__m256i *)data, qdata.vec); + mlk_reduce_avx2((__m256i *)data, qdata.vec); } static MLK_INLINE void poly_tomont_native(int16_t data[MLKEM_N]) { - tomont_avx2((__m256i *)data, qdata.vec); + mlk_tomont_avx2((__m256i *)data, qdata.vec); } static MLK_INLINE void poly_mulcache_compute_native(int16_t x[MLKEM_N / 2], @@ -112,38 +112,38 @@ static MLK_INLINE void polyvec_basemul_acc_montgomery_cached_k4_native( static MLK_INLINE void poly_tobytes_native(uint8_t r[MLKEM_POLYBYTES], const int16_t a[MLKEM_N]) { - ntttobytes_avx2(r, (const __m256i *)a, qdata.vec); + mlk_ntttobytes_avx2(r, (const __m256i *)a, qdata.vec); } static MLK_INLINE void poly_frombytes_native(int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYBYTES]) { - nttfrombytes_avx2((__m256i *)r, a, qdata.vec); + mlk_nttfrombytes_avx2((__m256i *)r, a, qdata.vec); } #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || (MLKEM_K == 2 || MLKEM_K == 3) static MLK_INLINE void poly_compress_d4_native( uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const int16_t a[MLKEM_N]) { - poly_compress_d4_avx2(r, (const __m256i *)a); + mlk_poly_compress_d4_avx2(r, (const __m256i *)a); } static MLK_INLINE void poly_compress_d10_native( uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const int16_t a[MLKEM_N]) { - poly_compress_d10_avx2(r, (const __m256i *)a); + mlk_poly_compress_d10_avx2(r, (const __m256i *)a); } static MLK_INLINE void poly_decompress_d4_native( int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4]) { - poly_decompress_d4_avx2((__m256i *)r, a); + mlk_poly_decompress_d4_avx2((__m256i *)r, a); } static MLK_INLINE void poly_decompress_d10_native( int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D10]) { - poly_decompress_d10_avx2((__m256i *)r, a); + mlk_poly_decompress_d10_avx2((__m256i *)r, a); } #endif /* defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || (MLKEM_K == 2 \ || MLKEM_K == 3) */ @@ -152,25 +152,25 @@ static MLK_INLINE void poly_decompress_d10_native( static MLK_INLINE void poly_compress_d5_native( uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const int16_t a[MLKEM_N]) { - poly_compress_d5_avx2(r, (const __m256i *)a); + mlk_poly_compress_d5_avx2(r, (const __m256i *)a); } static MLK_INLINE void poly_compress_d11_native( uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const int16_t a[MLKEM_N]) { - poly_compress_d11_avx2(r, (const __m256i *)a); + mlk_poly_compress_d11_avx2(r, (const __m256i *)a); } static MLK_INLINE void poly_decompress_d5_native( int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5]) { - poly_decompress_d5_avx2((__m256i *)r, a); + mlk_poly_decompress_d5_avx2((__m256i *)r, a); } static MLK_INLINE void poly_decompress_d11_native( int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D11]) { - poly_decompress_d11_avx2((__m256i *)r, a); + mlk_poly_decompress_d11_avx2((__m256i *)r, a); } #endif /* MLK_MULTILEVEL_BUILD_WITH_SHARED || MLKEM_K == 4 */ diff --git a/mlkem/native/x86_64/src/reduce.S b/mlkem/native/x86_64/src/reduce.S index 7ba64f0ab..aac74fa44 100644 --- a/mlkem/native/x86_64/src/reduce.S +++ b/mlkem/native/x86_64/src/reduce.S @@ -9,7 +9,7 @@ // Changes: // - Add call to csub in reduce128_avx to produce outputs // in [0,1,...,q-1] rather than [0,1,...,q], matching the -// semantics of poly_reduce(). +// semantics of mlk_poly_reduce(). #include "../../../common.h" diff --git a/mlkem/native/x86_64/src/rej_uniform_avx2.c b/mlkem/native/x86_64/src/rej_uniform_avx2.c index 1b057e737..8a66afb62 100644 --- a/mlkem/native/x86_64/src/rej_uniform_avx2.c +++ b/mlkem/native/x86_64/src/rej_uniform_avx2.c @@ -19,7 +19,7 @@ #include "arith_native_x86_64.h" #include "consts.h" -unsigned rej_uniform_avx2(int16_t *MLK_RESTRICT r, const uint8_t *buf) +unsigned mlk_rej_uniform_avx2(int16_t *MLK_RESTRICT r, const uint8_t *buf) { unsigned ctr, pos; uint16_t val0, val1; @@ -59,14 +59,14 @@ unsigned rej_uniform_avx2(int16_t *MLK_RESTRICT r, const uint8_t *buf) good = _mm256_movemask_epi8(g0); g0 = _mm256_castsi128_si256( - _mm_loadl_epi64((__m128i *)&rej_uniform_table[(good >> 0) & 0xFF])); + _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[(good >> 0) & 0xFF])); g1 = _mm256_castsi128_si256( - _mm_loadl_epi64((__m128i *)&rej_uniform_table[(good >> 8) & 0xFF])); + _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[(good >> 8) & 0xFF])); g0 = _mm256_inserti128_si256( - g0, _mm_loadl_epi64((__m128i *)&rej_uniform_table[(good >> 16) & 0xFF]), + g0, _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[(good >> 16) & 0xFF]), 1); g1 = _mm256_inserti128_si256( - g1, _mm_loadl_epi64((__m128i *)&rej_uniform_table[(good >> 24) & 0xFF]), + g1, _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[(good >> 24) & 0xFF]), 1); g2 = _mm256_add_epi8(g0, ones); @@ -100,7 +100,7 @@ unsigned rej_uniform_avx2(int16_t *MLK_RESTRICT r, const uint8_t *buf) good = _mm_movemask_epi8(t); good = _pext_u32(good, 0x5555); - pilo = _mm_loadl_epi64((__m128i *)&rej_uniform_table[good]); + pilo = _mm_loadl_epi64((__m128i *)&mlk_rej_uniform_table[good]); pihi = _mm_add_epi8(pilo, _mm256_castsi256_si128(ones)); pilo = _mm_unpacklo_epi8(pilo, pihi); diff --git a/mlkem/native/x86_64/src/rej_uniform_table.c b/mlkem/native/x86_64/src/rej_uniform_table.c index c411e35e4..dce708456 100644 --- a/mlkem/native/x86_64/src/rej_uniform_table.c +++ b/mlkem/native/x86_64/src/rej_uniform_table.c @@ -20,7 +20,7 @@ * Lookup table used by rejection sampling of the public matrix. * See autogen for details. */ -MLK_ALIGN const uint8_t rej_uniform_table[256][8] = { +MLK_ALIGN const uint8_t mlk_rej_uniform_table[256][8] = { {-1, -1, -1, -1, -1, -1, -1, -1}, {0, -1, -1, -1, -1, -1, -1, -1}, {2, -1, -1, -1, -1, -1, -1, -1}, {0, 2, -1, -1, -1, -1, -1, -1}, {4, -1, -1, -1, -1, -1, -1, -1}, {0, 4, -1, -1, -1, -1, -1, -1}, diff --git a/mlkem/native/x86_64/src/tomont.S b/mlkem/native/x86_64/src/tomont.S index d1dbb8117..fff493e59 100644 --- a/mlkem/native/x86_64/src/tomont.S +++ b/mlkem/native/x86_64/src/tomont.S @@ -9,7 +9,7 @@ // Changes: // - Add call to csub in reduce128_avx to produce outputs // in [0,1,...,q-1] rather than [0,1,...,q], matching the -// semantics of poly_reduce(). +// semantics of mlk_poly_reduce(). #include "../../../common.h" #if defined(MLK_ARITH_BACKEND_X86_64_DEFAULT) && \ diff --git a/mlkem/poly.c b/mlkem/poly.c index 202433ec1..b0ec9dd52 100644 --- a/mlkem/poly.c +++ b/mlkem/poly.c @@ -20,19 +20,19 @@ * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define fqmul MLK_NAMESPACE(fqmul) -#define barrett_reduce MLK_NAMESPACE(barrett_reduce) -#define scalar_signed_to_unsigned_q MLK_NAMESPACE(scalar_signed_to_unsigned_q) -#define ntt_butterfly_block MLK_NAMESPACE(ntt_butterfly_block) -#define ntt_layer MLK_NAMESPACE(ntt_layer) -#define invntt_layer MLK_NAMESPACE(invntt_layer) +#define mlk_fqmul MLK_NAMESPACE(fqmul) +#define mlk_barrett_reduce MLK_NAMESPACE(barrett_reduce) +#define mlk_scalar_signed_to_unsigned_q MLK_NAMESPACE(scalar_signed_to_unsigned_q) +#define mlk_ntt_butterfly_block MLK_NAMESPACE(ntt_butterfly_block) +#define mlk_ntt_layer MLK_NAMESPACE(ntt_layer) +#define mlk_invntt_layer MLK_NAMESPACE(invntt_layer) /* End of static namespacing */ #if !defined(MLK_USE_NATIVE_POLY_TOMONT) || \ !defined(MLK_USE_NATIVE_POLY_MULCACHE_COMPUTE) || \ !defined(MLK_USE_NATIVE_NTT) || !defined(MLK_USE_NATIVE_INTT) /************************************************* - * Name: fqmul + * Name: mlk_fqmul * * Description: Montgomery multiplication modulo q=3329 * @@ -45,7 +45,7 @@ * smaller than q in absolute value. * **************************************************/ -static MLK_INLINE int16_t fqmul(int16_t a, int16_t b) +static MLK_INLINE int16_t mlk_fqmul(int16_t a, int16_t b) __contract__( requires(b > -MLKEM_Q_HALF && b < MLKEM_Q_HALF) ensures(return_value > -MLKEM_Q && return_value < MLKEM_Q) @@ -54,7 +54,7 @@ __contract__( int16_t res; debug_assert_abs_bound(&b, 1, MLKEM_Q_HALF); - res = montgomery_reduce((int32_t)a * (int32_t)b); + res = mlk_montgomery_reduce((int32_t)a * (int32_t)b); /* Bounds: * |res| <= ceil(|a| * |b| / 2^16) + (MLKEM_Q + 1) / 2 * <= ceil(2^15 * ((MLKEM_Q - 1)/2) / 2^16) + (MLKEM_Q + 1) / 2 @@ -72,7 +72,7 @@ __contract__( #if !defined(MLK_USE_NATIVE_POLY_REDUCE) || !defined(MLK_USE_NATIVE_INTT) /************************************************* - * Name: barrett_reduce + * Name: mlk_barrett_reduce * * Description: Barrett reduction; given a 16-bit integer a, computes * centered representative congruent to a mod q in @@ -82,7 +82,7 @@ __contract__( * * Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. **************************************************/ -static MLK_INLINE int16_t barrett_reduce(int16_t a) +static MLK_INLINE int16_t mlk_barrett_reduce(int16_t a) __contract__( ensures(return_value > -MLKEM_Q_HALF && return_value < MLKEM_Q_HALF) ) @@ -117,7 +117,7 @@ __contract__( #if !defined(MLK_USE_NATIVE_POLY_TOMONT) MLK_INTERNAL_API -void poly_tomont(poly *r) +void mlk_poly_tomont(mlk_poly *r) { unsigned i; const int16_t f = (1ULL << 32) % MLKEM_Q; /* 1353 */ @@ -126,14 +126,14 @@ void poly_tomont(poly *r) invariant(i <= MLKEM_N) invariant(array_abs_bound(r->coeffs, 0, i, MLKEM_Q))) { - r->coeffs[i] = fqmul(r->coeffs[i], f); + r->coeffs[i] = mlk_fqmul(r->coeffs[i], f); } debug_assert_abs_bound(r, MLKEM_N, MLKEM_Q); } #else /* MLK_USE_NATIVE_POLY_TOMONT */ MLK_INTERNAL_API -void poly_tomont(poly *r) +void mlk_poly_tomont(mlk_poly *r) { poly_tomont_native(r->coeffs); debug_assert_abs_bound(r, MLKEM_N, MLKEM_Q); @@ -142,7 +142,7 @@ void poly_tomont(poly *r) #if !defined(MLK_USE_NATIVE_POLY_REDUCE) /************************************************************ - * Name: scalar_signed_to_unsigned_q + * Name: mlk_scalar_signed_to_unsigned_q * * Description: converts signed polynomial coefficient * from signed (-3328 .. 3328) form to @@ -159,7 +159,7 @@ void poly_tomont(poly *r) * * Arguments: c: signed coefficient to be converted ************************************************************/ -static MLK_INLINE uint16_t scalar_signed_to_unsigned_q(int16_t c) +static MLK_INLINE uint16_t mlk_scalar_signed_to_unsigned_q(int16_t c) __contract__( requires(c > -MLKEM_Q && c < MLKEM_Q) ensures(return_value >= 0 && return_value < MLKEM_Q) @@ -168,7 +168,7 @@ __contract__( debug_assert_abs_bound(&c, 1, MLKEM_Q); /* Add Q if c is negative, but in constant time */ - c = ct_sel_int16(c + MLKEM_Q, c, ct_cmask_neg_i16(c)); + c = mlk_ct_sel_int16(c + MLKEM_Q, c, mlk_ct_cmask_neg_i16(c)); /* and therefore cast to uint16_t is safe. */ debug_assert_bound(&c, 1, 0, MLKEM_Q); @@ -176,7 +176,7 @@ __contract__( } MLK_INTERNAL_API -void poly_reduce(poly *r) +void mlk_poly_reduce(mlk_poly *r) { unsigned i; for (i = 0; i < MLKEM_N; i++) @@ -185,16 +185,16 @@ void poly_reduce(poly *r) invariant(array_bound(r->coeffs, 0, i, 0, MLKEM_Q))) { /* Barrett reduction, giving signed canonical representative */ - int16_t t = barrett_reduce(r->coeffs[i]); + int16_t t = mlk_barrett_reduce(r->coeffs[i]); /* Conditional addition to get unsigned canonical representative */ - r->coeffs[i] = scalar_signed_to_unsigned_q(t); + r->coeffs[i] = mlk_scalar_signed_to_unsigned_q(t); } debug_assert_bound(r, MLKEM_N, 0, MLKEM_Q); } #else /* MLK_USE_NATIVE_POLY_REDUCE */ MLK_INTERNAL_API -void poly_reduce(poly *r) +void mlk_poly_reduce(mlk_poly *r) { poly_reduce_native(r->coeffs); debug_assert_bound(r, MLKEM_N, 0, MLKEM_Q); @@ -202,7 +202,7 @@ void poly_reduce(poly *r) #endif /* MLK_USE_NATIVE_POLY_REDUCE */ MLK_INTERNAL_API -void poly_add(poly *r, const poly *b) +void mlk_poly_add(mlk_poly *r, const mlk_poly *b) { unsigned i; for (i = 0; i < MLKEM_N; i++) @@ -216,7 +216,7 @@ void poly_add(poly *r, const poly *b) } MLK_INTERNAL_API -void poly_sub(poly *r, const poly *b) +void mlk_poly_sub(mlk_poly *r, const mlk_poly *b) { unsigned i; for (i = 0; i < MLKEM_N; i++) @@ -231,7 +231,7 @@ void poly_sub(poly *r, const poly *b) #if !defined(MLK_USE_NATIVE_POLY_MULCACHE_COMPUTE) MLK_INTERNAL_API -void poly_mulcache_compute(poly_mulcache *x, const poly *a) +void mlk_poly_mulcache_compute(mlk_poly_mulcache *x, const mlk_poly *a) { unsigned i; for (i = 0; i < MLKEM_N / 4; i++) @@ -239,8 +239,8 @@ void poly_mulcache_compute(poly_mulcache *x, const poly *a) invariant(i <= MLKEM_N / 4) invariant(array_abs_bound(x->coeffs, 0, 2 * i, MLKEM_Q))) { - x->coeffs[2 * i + 0] = fqmul(a->coeffs[4 * i + 1], zetas[64 + i]); - x->coeffs[2 * i + 1] = fqmul(a->coeffs[4 * i + 3], -zetas[64 + i]); + x->coeffs[2 * i + 0] = mlk_fqmul(a->coeffs[4 * i + 1], mlk_zetas[64 + i]); + x->coeffs[2 * i + 1] = mlk_fqmul(a->coeffs[4 * i + 3], -mlk_zetas[64 + i]); } /* @@ -253,7 +253,7 @@ void poly_mulcache_compute(poly_mulcache *x, const poly *a) } #else /* MLK_USE_NATIVE_POLY_MULCACHE_COMPUTE */ MLK_INTERNAL_API -void poly_mulcache_compute(poly_mulcache *x, const poly *a) +void mlk_poly_mulcache_compute(mlk_poly_mulcache *x, const mlk_poly *a) { poly_mulcache_compute_native(x->coeffs, a->coeffs); /* Omitting bounds assertion since native implementations may @@ -289,7 +289,7 @@ void poly_mulcache_compute(poly_mulcache *x, const poly *a) * 4 -- 6 * 5 -- 7 */ -static void ntt_butterfly_block(int16_t r[MLKEM_N], int16_t zeta, +static void mlk_ntt_butterfly_block(int16_t r[MLKEM_N], int16_t zeta, unsigned start, unsigned len, int bound) __contract__( requires(start < MLKEM_N) @@ -319,7 +319,7 @@ __contract__( invariant(array_abs_bound(r, j + len, MLKEM_N, bound))) { int16_t t; - t = fqmul(r[j + len], zeta); + t = mlk_fqmul(r[j + len], zeta); r[j + len] = r[j] - t; r[j] = r[j] + t; } @@ -337,7 +337,7 @@ __contract__( * official Kyber implementation here, merely adding `layer` as * a ghost variable for the specifications. */ -static void ntt_layer(int16_t r[MLKEM_N], unsigned len, unsigned layer) +static void mlk_ntt_layer(int16_t r[MLKEM_N], unsigned len, unsigned layer) __contract__( requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N)) requires(1 <= layer && layer <= 7 && len == (MLKEM_N >> layer)) @@ -357,8 +357,8 @@ __contract__( invariant(array_abs_bound(r, 0, start, layer * MLKEM_Q + MLKEM_Q)) invariant(array_abs_bound(r, start, MLKEM_N, layer * MLKEM_Q))) { - int16_t zeta = zetas[k++]; - ntt_butterfly_block(r, zeta, start, len, layer * MLKEM_Q); + int16_t zeta = mlk_zetas[k++]; + mlk_ntt_butterfly_block(r, zeta, start, len, layer * MLKEM_Q); } } @@ -372,7 +372,7 @@ __contract__( */ MLK_INTERNAL_API -void poly_ntt(poly *p) +void mlk_poly_ntt(mlk_poly *p) { unsigned len, layer; int16_t *r; @@ -384,7 +384,7 @@ void poly_ntt(poly *p) invariant(1 <= layer && layer <= 8 && len == (MLKEM_N >> layer)) invariant(array_abs_bound(r, 0, MLKEM_N, layer * MLKEM_Q))) { - ntt_layer(r, len, layer); + mlk_ntt_layer(r, len, layer); } /* Check the stronger bound */ @@ -393,7 +393,7 @@ void poly_ntt(poly *p) #else /* MLK_USE_NATIVE_NTT */ MLK_INTERNAL_API -void poly_ntt(poly *p) +void mlk_poly_ntt(mlk_poly *p) { debug_assert_abs_bound(p, MLKEM_N, MLKEM_Q); ntt_native(p->coeffs); @@ -404,7 +404,7 @@ void poly_ntt(poly *p) #if !defined(MLK_USE_NATIVE_INTT) /* Compute one layer of inverse NTT */ -static void invntt_layer(int16_t *r, unsigned len, unsigned layer) +static void mlk_invntt_layer(int16_t *r, unsigned len, unsigned layer) __contract__( requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N)) requires(2 <= len && len <= 128 && 1 <= layer && layer <= 7) @@ -425,7 +425,7 @@ __contract__( invariant(2 * len * k + start == 2 * MLKEM_N - 2 * len)) { unsigned j; - int16_t zeta = zetas[k--]; + int16_t zeta = mlk_zetas[k--]; for (j = start; j < start + len; j++) __loop__( invariant(start <= j && j <= start + len) @@ -433,15 +433,15 @@ __contract__( invariant(array_abs_bound(r, 0, MLKEM_N, MLKEM_Q))) { int16_t t = r[j]; - r[j] = barrett_reduce(t + r[j + len]); + r[j] = mlk_barrett_reduce(t + r[j + len]); r[j + len] = r[j + len] - t; - r[j + len] = fqmul(r[j + len], zeta); + r[j + len] = mlk_fqmul(r[j + len], zeta); } } } MLK_INTERNAL_API -void poly_invntt_tomont(poly *p) +void mlk_poly_invntt_tomont(mlk_poly *p) { /* * Scale input polynomial to account for Montgomery factor @@ -457,7 +457,7 @@ void poly_invntt_tomont(poly *p) invariant(j <= MLKEM_N) invariant(array_abs_bound(r, 0, j, MLKEM_Q))) { - r[j] = fqmul(r[j], f); + r[j] = mlk_fqmul(r[j], f); } /* Run the invNTT layers */ @@ -466,7 +466,7 @@ void poly_invntt_tomont(poly *p) invariant(2 <= len && len <= 256 && layer <= 7 && len == (1 << (8 - layer))) invariant(array_abs_bound(r, 0, MLKEM_N, MLKEM_Q))) { - invntt_layer(p->coeffs, len, layer); + mlk_invntt_layer(p->coeffs, len, layer); } debug_assert_abs_bound(p, MLKEM_N, MLK_INVNTT_BOUND); @@ -474,7 +474,7 @@ void poly_invntt_tomont(poly *p) #else /* MLK_USE_NATIVE_INTT */ MLK_INTERNAL_API -void poly_invntt_tomont(poly *p) +void mlk_poly_invntt_tomont(mlk_poly *p) { intt_native(p->coeffs); debug_assert_abs_bound(p, MLKEM_N, MLK_INVNTT_BOUND); @@ -483,15 +483,15 @@ void poly_invntt_tomont(poly *p) #else /* MLK_MULTILEVEL_BUILD_NO_SHARED */ -MLK_EMPTY_CU(poly) +MLK_EMPTY_CU(mlk_poly) #endif /* MLK_MULTILEVEL_BUILD_NO_SHARED */ /* To facilitate single-compilation-unit (SCU) builds, undefine all macros. * Don't modify by hand -- this is auto-generated by scripts/autogen. */ -#undef fqmul -#undef barrett_reduce -#undef scalar_signed_to_unsigned_q -#undef ntt_butterfly_block -#undef ntt_layer -#undef invntt_layer +#undef mlk_fqmul +#undef mlk_barrett_reduce +#undef mlk_scalar_signed_to_unsigned_q +#undef mlk_ntt_butterfly_block +#undef mlk_ntt_layer +#undef mlk_invntt_layer diff --git a/mlkem/poly.h b/mlkem/poly.h index cded32ba8..5a9db9d87 100644 --- a/mlkem/poly.h +++ b/mlkem/poly.h @@ -18,32 +18,32 @@ /* Absolute exclusive upper bound for the output of the forward NTT */ #define MLK_NTT_BOUND (8 * MLKEM_Q) -#define zetas MLK_NAMESPACE(zetas) -extern const int16_t zetas[128]; +#define mlk_zetas MLK_NAMESPACE(zetas) +extern const int16_t mlk_zetas[128]; /* * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial * coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1] */ -#define poly MLK_NAMESPACE(poly) +#define mlk_poly MLK_NAMESPACE(poly) typedef struct { int16_t coeffs[MLKEM_N]; -} MLK_ALIGN poly; +} MLK_ALIGN mlk_poly; /* * INTERNAL presentation of precomputed data speeding up * the base multiplication of two polynomials in NTT domain. */ -#define poly_mulcache MLK_NAMESPACE(poly_mulcache) +#define mlk_poly_mulcache MLK_NAMESPACE(poly_mulcache) typedef struct { int16_t coeffs[MLKEM_N >> 1]; -} poly_mulcache; +} mlk_poly_mulcache; -#define cast_uint16_to_int16 MLK_NAMESPACE(cast_uint16_to_int16) +#define mlk_cast_uint16_to_int16 MLK_NAMESPACE(cast_uint16_to_int16) /************************************************* - * Name: cast_uint16_to_int16 + * Name: mlk_cast_uint16_to_int16 * * Description: Cast uint16 value to int16 * @@ -56,7 +56,7 @@ typedef struct #pragma CPROVER check disable "conversion" #endif MLK_ALWAYS_INLINE -static MLK_INLINE int16_t cast_uint16_to_int16(uint16_t x) +static MLK_INLINE int16_t mlk_cast_uint16_to_int16(uint16_t x) { /* * PORTABILITY: This relies on uint16_t -> int16_t @@ -71,9 +71,9 @@ static MLK_INLINE int16_t cast_uint16_to_int16(uint16_t x) #pragma CPROVER check pop #endif -#define montgomery_reduce MLK_NAMESPACE(montgomery_reduce) +#define mlk_montgomery_reduce MLK_NAMESPACE(montgomery_reduce) /************************************************* - * Name: montgomery_reduce + * Name: mlk_montgomery_reduce * * Description: Generic Montgomery reduction; given a 32-bit integer a, computes * 16-bit integer congruent to a * R^-1 mod q, where R=2^16 @@ -86,7 +86,7 @@ static MLK_INLINE int16_t cast_uint16_to_int16(uint16_t x) * **************************************************/ MLK_ALWAYS_INLINE -static MLK_INLINE int16_t montgomery_reduce(int32_t a) +static MLK_INLINE int16_t mlk_montgomery_reduce(int32_t a) __contract__( requires(a < +(INT32_MAX - (((int32_t)1 << 15) * MLKEM_Q)) && a > -(INT32_MAX - (((int32_t)1 << 15) * MLKEM_Q))) @@ -94,8 +94,8 @@ __contract__( * as the post-condition here. There are two call-sites for this * function: * - The base multiplication: Here, we need no output bound. - * - fqmul: Here, we inline this function and prove another spec - * for fqmul which does have a post-condition bound. */ + * - mlk_fqmul: Here, we inline this function and prove another spec + * for mlk_fqmul which does have a post-condition bound. */ ) { /* QINV == -3327 converted to uint16_t == -3327 + 65536 == 62209 */ @@ -106,7 +106,7 @@ __contract__( const uint16_t a_inverted = (a_reduced * QINV) & UINT16_MAX; /* Lift to signed canonical representative mod 2^16. */ - const int16_t t = cast_uint16_to_int16(a_inverted); + const int16_t t = mlk_cast_uint16_to_int16(a_inverted); int32_t r; @@ -130,28 +130,28 @@ __contract__( return (int16_t)r; } -#define poly_tomont MLK_NAMESPACE(poly_tomont) +#define mlk_poly_tomont MLK_NAMESPACE(poly_tomont) /************************************************* - * Name: poly_tomont + * Name: mlk_poly_tomont * * Description: Inplace conversion of all coefficients of a polynomial * from normal domain to Montgomery domain * * Bounds: Output < q in absolute value. * - * Arguments: - poly *r: pointer to input/output polynomial + * Arguments: - mlk_poly *r: pointer to input/output polynomial **************************************************/ MLK_INTERNAL_API -void poly_tomont(poly *r) +void mlk_poly_tomont(mlk_poly *r) __contract__( - requires(memory_no_alias(r, sizeof(poly))) - assigns(memory_slice(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ensures(array_abs_bound(r->coeffs, 0, MLKEM_N, MLKEM_Q)) ); -#define poly_mulcache_compute MLK_NAMESPACE(poly_mulcache_compute) +#define mlk_poly_mulcache_compute MLK_NAMESPACE(poly_mulcache_compute) /************************************************************ - * Name: poly_mulcache_compute + * Name: mlk_poly_mulcache_compute * * Description: Computes the mulcache for a polynomial in NTT domain * @@ -173,42 +173,42 @@ __contract__( * higher level safety proofs, and thus not part of the spec. */ MLK_INTERNAL_API -void poly_mulcache_compute(poly_mulcache *x, const poly *a) +void mlk_poly_mulcache_compute(mlk_poly_mulcache *x, const mlk_poly *a) __contract__( - requires(memory_no_alias(x, sizeof(poly_mulcache))) - requires(memory_no_alias(a, sizeof(poly))) + requires(memory_no_alias(x, sizeof(mlk_poly_mulcache))) + requires(memory_no_alias(a, sizeof(mlk_poly))) assigns(object_whole(x)) ); -#define poly_reduce MLK_NAMESPACE(poly_reduce) +#define mlk_poly_reduce MLK_NAMESPACE(poly_reduce) /************************************************* - * Name: poly_reduce + * Name: mlk_poly_reduce * * Description: Converts polynomial to _unsigned canonical_ representatives. * * The input coefficients can be arbitrary integers in int16_t. * The output coefficients are in [0,1,...,MLKEM_Q-1]. * - * Arguments: - poly *r: pointer to input/output polynomial + * Arguments: - mlk_poly *r: pointer to input/output polynomial **************************************************/ /* - * NOTE: The semantics of poly_reduce() is different in + * NOTE: The semantics of mlk_poly_reduce() is different in * the reference implementation, which requires * signed canonical output data. Unsigned canonical * outputs are better suited to the only remaining - * use of poly_reduce() in the context of (de)serialization. + * use of mlk_poly_reduce() in the context of (de)serialization. */ MLK_INTERNAL_API -void poly_reduce(poly *r) +void mlk_poly_reduce(mlk_poly *r) __contract__( - requires(memory_no_alias(r, sizeof(poly))) - assigns(memory_slice(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ensures(array_bound(r->coeffs, 0, MLKEM_N, 0, MLKEM_Q)) ); -#define poly_add MLK_NAMESPACE(poly_add) +#define mlk_poly_add MLK_NAMESPACE(poly_add) /************************************************************ - * Name: poly_add + * Name: mlk_poly_add * * Description: Adds two polynomials in place * @@ -225,44 +225,44 @@ __contract__( * We specialize to the accumulator form to avoid reasoning about aliasing. */ MLK_INTERNAL_API -void poly_add(poly *r, const poly *b) +void mlk_poly_add(mlk_poly *r, const mlk_poly *b) __contract__( - requires(memory_no_alias(r, sizeof(poly))) - requires(memory_no_alias(b, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + requires(memory_no_alias(b, sizeof(mlk_poly))) requires(forall(k0, 0, MLKEM_N, (int32_t) r->coeffs[k0] + b->coeffs[k0] <= INT16_MAX)) requires(forall(k1, 0, MLKEM_N, (int32_t) r->coeffs[k1] + b->coeffs[k1] >= INT16_MIN)) ensures(forall(k, 0, MLKEM_N, r->coeffs[k] == old(*r).coeffs[k] + b->coeffs[k])) - assigns(memory_slice(r, sizeof(poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ); -#define poly_sub MLK_NAMESPACE(poly_sub) +#define mlk_poly_sub MLK_NAMESPACE(poly_sub) /************************************************* - * Name: poly_sub + * Name: mlk_poly_sub * * Description: Subtract two polynomials; no modular reduction is performed * - * Arguments: - poly *r: Pointer to input-output polynomial to be added + * Arguments: - mlk_poly *r: Pointer to input-output polynomial to be added *to. - * - const poly *b: Pointer to second input polynomial + * - const mlk_poly *b: Pointer to second input polynomial **************************************************/ /* * NOTE: The reference implementation uses a 3-argument poly_sub. * We specialize to the accumulator form to avoid reasoning about aliasing. */ MLK_INTERNAL_API -void poly_sub(poly *r, const poly *b) +void mlk_poly_sub(mlk_poly *r, const mlk_poly *b) __contract__( - requires(memory_no_alias(r, sizeof(poly))) - requires(memory_no_alias(b, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + requires(memory_no_alias(b, sizeof(mlk_poly))) requires(forall(k0, 0, MLKEM_N, (int32_t) r->coeffs[k0] - b->coeffs[k0] <= INT16_MAX)) requires(forall(k1, 0, MLKEM_N, (int32_t) r->coeffs[k1] - b->coeffs[k1] >= INT16_MIN)) ensures(forall(k, 0, MLKEM_N, r->coeffs[k] == old(*r).coeffs[k] - b->coeffs[k])) assigns(object_whole(r)) ); -#define poly_ntt MLK_NAMESPACE(poly_ntt) +#define mlk_poly_ntt MLK_NAMESPACE(poly_ntt) /************************************************* - * Name: poly_ntt + * Name: mlk_poly_ntt * * Description: Computes negacyclic number-theoretic transform (NTT) of * a polynomial in place. @@ -276,20 +276,20 @@ __contract__( * (NOTE: Sometimes the input to the NTT is actually smaller, * which gives better bounds.) * - * Arguments: - poly *p: pointer to in/output polynomial + * Arguments: - mlk_poly *p: pointer to in/output polynomial **************************************************/ MLK_INTERNAL_API -void poly_ntt(poly *r) +void mlk_poly_ntt(mlk_poly *r) __contract__( - requires(memory_no_alias(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) requires(array_abs_bound(r->coeffs, 0, MLKEM_N, MLKEM_Q)) - assigns(memory_slice(r, sizeof(poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ensures(array_abs_bound(r->coeffs, 0, MLKEM_N, MLK_NTT_BOUND)) ); -#define poly_invntt_tomont MLK_NAMESPACE(poly_invntt_tomont) +#define mlk_poly_invntt_tomont MLK_NAMESPACE(poly_invntt_tomont) /************************************************* - * Name: poly_invntt_tomont + * Name: mlk_poly_invntt_tomont * * Description: Computes inverse of negacyclic number-theoretic transform (NTT) * of a polynomial in place; @@ -305,10 +305,10 @@ __contract__( * Arguments: - uint16_t *a: pointer to in/output polynomial **************************************************/ MLK_INTERNAL_API -void poly_invntt_tomont(poly *r) +void mlk_poly_invntt_tomont(mlk_poly *r) __contract__( - requires(memory_no_alias(r, sizeof(poly))) - assigns(memory_slice(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ensures(array_abs_bound(r->coeffs, 0, MLKEM_N, MLK_INVNTT_BOUND)) ); diff --git a/mlkem/poly_k.c b/mlkem/poly_k.c index 44eadcea8..714fc0d45 100644 --- a/mlkem/poly_k.c +++ b/mlkem/poly_k.c @@ -16,79 +16,79 @@ * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define poly_cbd_eta1 MLK_NAMESPACE_K(poly_cbd_eta1) -#define poly_cbd_eta2 MLK_NAMESPACE_K(poly_cbd_eta2) +#define mlk_poly_cbd_eta1 MLK_NAMESPACE_K(poly_cbd_eta1) +#define mlk_poly_cbd_eta2 MLK_NAMESPACE_K(poly_cbd_eta2) /* End of static namespacing */ MLK_INTERNAL_API -void polyvec_compress_du(uint8_t r[MLKEM_POLYVECCOMPRESSEDBYTES_DU], - const polyvec *a) +void mlk_polyvec_compress_du(uint8_t r[MLKEM_POLYVECCOMPRESSEDBYTES_DU], + const mlk_polyvec *a) { unsigned i; debug_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_Q); for (i = 0; i < MLKEM_K; i++) { - poly_compress_du(r + i * MLKEM_POLYCOMPRESSEDBYTES_DU, &a->vec[i]); + mlk_poly_compress_du(r + i * MLKEM_POLYCOMPRESSEDBYTES_DU, &a->vec[i]); } } MLK_INTERNAL_API -void polyvec_decompress_du(polyvec *r, +void mlk_polyvec_decompress_du(mlk_polyvec *r, const uint8_t a[MLKEM_POLYVECCOMPRESSEDBYTES_DU]) { unsigned i; for (i = 0; i < MLKEM_K; i++) { - poly_decompress_du(&r->vec[i], a + i * MLKEM_POLYCOMPRESSEDBYTES_DU); + mlk_poly_decompress_du(&r->vec[i], a + i * MLKEM_POLYCOMPRESSEDBYTES_DU); } debug_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_Q); } MLK_INTERNAL_API -void polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const polyvec *a) +void mlk_polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const mlk_polyvec *a) { unsigned i; debug_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_Q); for (i = 0; i < MLKEM_K; i++) { - poly_tobytes(r + i * MLKEM_POLYBYTES, &a->vec[i]); + mlk_poly_tobytes(r + i * MLKEM_POLYBYTES, &a->vec[i]); } } MLK_INTERNAL_API -void polyvec_frombytes(polyvec *r, const uint8_t a[MLKEM_POLYVECBYTES]) +void mlk_polyvec_frombytes(mlk_polyvec *r, const uint8_t a[MLKEM_POLYVECBYTES]) { unsigned i; for (i = 0; i < MLKEM_K; i++) { - poly_frombytes(&r->vec[i], a + i * MLKEM_POLYBYTES); + mlk_poly_frombytes(&r->vec[i], a + i * MLKEM_POLYBYTES); } debug_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT); } MLK_INTERNAL_API -void polyvec_ntt(polyvec *r) +void mlk_polyvec_ntt(mlk_polyvec *r) { unsigned i; for (i = 0; i < MLKEM_K; i++) { - poly_ntt(&r->vec[i]); + mlk_poly_ntt(&r->vec[i]); } debug_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLK_NTT_BOUND); } MLK_INTERNAL_API -void polyvec_invntt_tomont(polyvec *r) +void mlk_polyvec_invntt_tomont(mlk_polyvec *r) { unsigned i; for (i = 0; i < MLKEM_K; i++) { - poly_invntt_tomont(&r->vec[i]); + mlk_poly_invntt_tomont(&r->vec[i]); } debug_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLK_INVNTT_BOUND); @@ -96,9 +96,9 @@ void polyvec_invntt_tomont(polyvec *r) #if !defined(MLK_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED) MLK_INTERNAL_API -void polyvec_basemul_acc_montgomery_cached(poly *r, const polyvec *a, - const polyvec *b, - const polyvec_mulcache *b_cache) +void mlk_polyvec_basemul_acc_montgomery_cached(mlk_poly *r, const mlk_polyvec *a, + const mlk_polyvec *b, + const mlk_polyvec_mulcache *b_cache) { unsigned i; debug_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT); @@ -120,16 +120,16 @@ void polyvec_basemul_acc_montgomery_cached(poly *r, const polyvec *a, t[1] += (int32_t)a->vec[k].coeffs[2 * i] * b->vec[k].coeffs[2 * i + 1]; t[1] += (int32_t)a->vec[k].coeffs[2 * i + 1] * b->vec[k].coeffs[2 * i]; } - r->coeffs[2 * i + 0] = montgomery_reduce(t[0]); - r->coeffs[2 * i + 1] = montgomery_reduce(t[1]); + r->coeffs[2 * i + 0] = mlk_montgomery_reduce(t[0]); + r->coeffs[2 * i + 1] = mlk_montgomery_reduce(t[1]); } } #else /* !MLK_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED */ MLK_INTERNAL_API -void polyvec_basemul_acc_montgomery_cached(poly *r, const polyvec *a, - const polyvec *b, - const polyvec_mulcache *b_cache) +void mlk_polyvec_basemul_acc_montgomery_cached(mlk_poly *r, const mlk_polyvec *a, + const mlk_polyvec *b, + const mlk_polyvec_mulcache *b_cache) { debug_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT); /* Omitting bounds assertion for cache since native implementations may @@ -152,52 +152,52 @@ void polyvec_basemul_acc_montgomery_cached(poly *r, const polyvec *a, #endif /* MLK_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED */ MLK_INTERNAL_API -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) +void mlk_polyvec_basemul_acc_montgomery(mlk_poly *r, const mlk_polyvec *a, const mlk_polyvec *b) { - polyvec_mulcache b_cache; - polyvec_mulcache_compute(&b_cache, b); - polyvec_basemul_acc_montgomery_cached(r, a, b, &b_cache); + mlk_polyvec_mulcache b_cache; + mlk_polyvec_mulcache_compute(&b_cache, b); + mlk_polyvec_basemul_acc_montgomery_cached(r, a, b, &b_cache); } MLK_INTERNAL_API -void polyvec_mulcache_compute(polyvec_mulcache *x, const polyvec *a) +void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache *x, const mlk_polyvec *a) { unsigned i; for (i = 0; i < MLKEM_K; i++) { - poly_mulcache_compute(&x->vec[i], &a->vec[i]); + mlk_poly_mulcache_compute(&x->vec[i], &a->vec[i]); } } MLK_INTERNAL_API -void polyvec_reduce(polyvec *r) +void mlk_polyvec_reduce(mlk_polyvec *r) { unsigned i; for (i = 0; i < MLKEM_K; i++) { - poly_reduce(&r->vec[i]); + mlk_poly_reduce(&r->vec[i]); } debug_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_Q); } MLK_INTERNAL_API -void polyvec_add(polyvec *r, const polyvec *b) +void mlk_polyvec_add(mlk_polyvec *r, const mlk_polyvec *b) { unsigned i; for (i = 0; i < MLKEM_K; i++) { - poly_add(&r->vec[i], &b->vec[i]); + mlk_poly_add(&r->vec[i], &b->vec[i]); } } MLK_INTERNAL_API -void polyvec_tomont(polyvec *r) +void mlk_polyvec_tomont(mlk_polyvec *r) { unsigned i; for (i = 0; i < MLKEM_K; i++) { - poly_tomont(&r->vec[i]); + mlk_poly_tomont(&r->vec[i]); } debug_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLKEM_Q); @@ -205,35 +205,35 @@ void polyvec_tomont(polyvec *r) /************************************************* - * Name: poly_cbd_eta1 + * Name: mlk_poly_cbd_eta1 * * Description: Given an array of uniformly random bytes, compute * polynomial with coefficients distributed according to * a centered binomial distribution with parameter MLKEM_ETA1. * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *buf: pointer to input byte array **************************************************/ -static MLK_INLINE void poly_cbd_eta1( - poly *r, const uint8_t buf[MLKEM_ETA1 * MLKEM_N / 4]) +static MLK_INLINE void mlk_poly_cbd_eta1( + mlk_poly *r, const uint8_t buf[MLKEM_ETA1 * MLKEM_N / 4]) __contract__( - requires(memory_no_alias(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) requires(memory_no_alias(buf, MLKEM_ETA1 * MLKEM_N / 4)) - assigns(memory_slice(r, sizeof(poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ensures(array_abs_bound(r->coeffs, 0, MLKEM_N, MLKEM_ETA1 + 1)) ) { #if MLKEM_ETA1 == 2 - poly_cbd2(r, buf); + mlk_poly_cbd2(r, buf); #elif MLKEM_ETA1 == 3 - poly_cbd3(r, buf); + mlk_poly_cbd3(r, buf); #else #error "Invalid value of MLKEM_ETA1" #endif } MLK_INTERNAL_API -void poly_getnoise_eta1_4x(poly *r0, poly *r1, poly *r2, poly *r3, +void mlk_poly_getnoise_eta1_4x(mlk_poly *r0, mlk_poly *r1, mlk_poly *r2, mlk_poly *r3, const uint8_t seed[MLKEM_SYMBYTES], uint8_t nonce0, uint8_t nonce1, uint8_t nonce2, uint8_t nonce3) { @@ -254,10 +254,10 @@ void poly_getnoise_eta1_4x(poly *r0, poly *r1, poly *r2, poly *r3, extkey2[MLKEM_SYMBYTES] = nonce2; extkey3[MLKEM_SYMBYTES] = nonce3; prf_eta1_x4(buf0, buf1, buf2, buf3, extkey0, extkey1, extkey2, extkey3); - poly_cbd_eta1(r0, buf0); - poly_cbd_eta1(r1, buf1); - poly_cbd_eta1(r2, buf2); - poly_cbd_eta1(r3, buf3); + mlk_poly_cbd_eta1(r0, buf0); + mlk_poly_cbd_eta1(r1, buf1); + mlk_poly_cbd_eta1(r2, buf2); + mlk_poly_cbd_eta1(r3, buf3); debug_assert_abs_bound(r0, MLKEM_N, MLKEM_ETA1 + 1); debug_assert_abs_bound(r1, MLKEM_N, MLKEM_ETA1 + 1); @@ -267,32 +267,32 @@ void poly_getnoise_eta1_4x(poly *r0, poly *r1, poly *r2, poly *r3, #if MLKEM_K == 2 || MLKEM_K == 4 /************************************************* - * Name: poly_cbd_eta2 + * Name: mlk_poly_cbd_eta2 * * Description: Given an array of uniformly random bytes, compute * polynomial with coefficients distributed according to * a centered binomial distribution with parameter MLKEM_ETA2. * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *buf: pointer to input byte array **************************************************/ -static MLK_INLINE void poly_cbd_eta2( - poly *r, const uint8_t buf[MLKEM_ETA2 * MLKEM_N / 4]) +static MLK_INLINE void mlk_poly_cbd_eta2( + mlk_poly *r, const uint8_t buf[MLKEM_ETA2 * MLKEM_N / 4]) __contract__( - requires(memory_no_alias(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) requires(memory_no_alias(buf, MLKEM_ETA2 * MLKEM_N / 4)) - assigns(memory_slice(r, sizeof(poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ensures(array_abs_bound(r->coeffs, 0, MLKEM_N, MLKEM_ETA2 + 1))) { #if MLKEM_ETA2 == 2 - poly_cbd2(r, buf); + mlk_poly_cbd2(r, buf); #else #error "Invalid value of MLKEM_ETA2" #endif } MLK_INTERNAL_API -void poly_getnoise_eta2(poly *r, const uint8_t seed[MLKEM_SYMBYTES], +void mlk_poly_getnoise_eta2(mlk_poly *r, const uint8_t seed[MLKEM_SYMBYTES], uint8_t nonce) { MLK_ALIGN uint8_t buf[MLKEM_ETA2 * MLKEM_N / 4]; @@ -302,7 +302,7 @@ void poly_getnoise_eta2(poly *r, const uint8_t seed[MLKEM_SYMBYTES], extkey[MLKEM_SYMBYTES] = nonce; prf_eta2(buf, extkey); - poly_cbd_eta2(r, buf); + mlk_poly_cbd_eta2(r, buf); debug_assert_abs_bound(r, MLKEM_N, MLKEM_ETA1 + 1); } @@ -311,13 +311,13 @@ void poly_getnoise_eta2(poly *r, const uint8_t seed[MLKEM_SYMBYTES], #if MLKEM_K == 2 MLK_INTERNAL_API -void poly_getnoise_eta1122_4x(poly *r0, poly *r1, poly *r2, poly *r3, +void mlk_poly_getnoise_eta1122_4x(mlk_poly *r0, mlk_poly *r1, mlk_poly *r2, mlk_poly *r3, const uint8_t seed[MLKEM_SYMBYTES], uint8_t nonce0, uint8_t nonce1, uint8_t nonce2, uint8_t nonce3) { #if MLKEM_ETA2 >= MLKEM_ETA1 -#error poly_getnoise_eta1122_4x assumes MLKEM_ETA1 > MLKEM_ETA2 +#error mlk_poly_getnoise_eta1122_4x assumes MLKEM_ETA1 > MLKEM_ETA2 #endif MLK_ALIGN uint8_t buf0[MLKEM_ETA1 * MLKEM_N / 4]; MLK_ALIGN uint8_t buf1[MLKEM_ETA1 * MLKEM_N / 4]; @@ -351,10 +351,10 @@ void poly_getnoise_eta1122_4x(poly *r0, poly *r1, poly *r2, poly *r3, prf_eta2(buf3, extkey3); #endif /* FIPS202_X4_DEFAULT_IMPLEMENTATION */ - poly_cbd_eta1(r0, buf0); - poly_cbd_eta1(r1, buf1); - poly_cbd_eta2(r2, buf2); - poly_cbd_eta2(r3, buf3); + mlk_poly_cbd_eta1(r0, buf0); + mlk_poly_cbd_eta1(r1, buf1); + mlk_poly_cbd_eta2(r2, buf2); + mlk_poly_cbd_eta2(r3, buf3); debug_assert_abs_bound(r0, MLKEM_N, MLKEM_ETA1 + 1); debug_assert_abs_bound(r1, MLKEM_N, MLKEM_ETA1 + 1); @@ -365,5 +365,5 @@ void poly_getnoise_eta1122_4x(poly *r0, poly *r1, poly *r2, poly *r3, /* To facilitate single-compilation-unit (SCU) builds, undefine all macros. * Don't modify by hand -- this is auto-generated by scripts/autogen. */ -#undef poly_cbd_eta1 -#undef poly_cbd_eta2 +#undef mlk_poly_cbd_eta1 +#undef mlk_poly_cbd_eta2 diff --git a/mlkem/poly_k.h b/mlkem/poly_k.h index 89603a5a9..d53cf6484 100644 --- a/mlkem/poly_k.h +++ b/mlkem/poly_k.h @@ -10,56 +10,56 @@ #include "compress.h" #include "poly.h" -#define polyvec MLK_NAMESPACE_K(polyvec) +#define mlk_polyvec MLK_NAMESPACE_K(polyvec) typedef struct { - poly vec[MLKEM_K]; -} MLK_ALIGN polyvec; + mlk_poly vec[MLKEM_K]; +} MLK_ALIGN mlk_polyvec; -#define polyvec_mulcache MLK_NAMESPACE_K(polyvec_mulcache) +#define mlk_polyvec_mulcache MLK_NAMESPACE_K(polyvec_mulcache) typedef struct { - poly_mulcache vec[MLKEM_K]; -} polyvec_mulcache; + mlk_poly_mulcache vec[MLKEM_K]; +} mlk_polyvec_mulcache; -#define poly_compress_du MLK_NAMESPACE_K(poly_compress_du) +#define mlk_poly_compress_du MLK_NAMESPACE_K(poly_compress_du) /************************************************* - * Name: poly_compress_du + * Name: mlk_poly_compress_du * * Description: Compression (du bits) and subsequent serialization of a * polynomial * * Arguments: - uint8_t *r: pointer to output byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_DU bytes) - * - const poly *a: pointer to input polynomial + * - const mlk_poly *a: pointer to input polynomial * Coefficients must be unsigned canonical, * i.e. in [0,1,..,MLKEM_Q-1]. **************************************************/ -static MLK_INLINE void poly_compress_du(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_DU], - const poly *a) +static MLK_INLINE void mlk_poly_compress_du(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_DU], + const mlk_poly *a) __contract__( requires(memory_no_alias(r, MLKEM_POLYCOMPRESSEDBYTES_DU)) - requires(memory_no_alias(a, sizeof(poly))) + requires(memory_no_alias(a, sizeof(mlk_poly))) requires(array_bound(a->coeffs, 0, MLKEM_N, 0, MLKEM_Q)) assigns(memory_slice(r, MLKEM_POLYCOMPRESSEDBYTES_DU))) { #if MLKEM_DU == 10 - poly_compress_d10(r, a); + mlk_poly_compress_d10(r, a); #elif MLKEM_DU == 11 - poly_compress_d11(r, a); + mlk_poly_compress_d11(r, a); #else #error "Invalid value of MLKEM_DU" #endif } -#define poly_decompress_du MLK_NAMESPACE_K(poly_decompress_du) +#define mlk_poly_decompress_du MLK_NAMESPACE_K(poly_decompress_du) /************************************************* - * Name: poly_decompress_du + * Name: mlk_poly_decompress_du * * Description: De-serialization and subsequent decompression (du bits) of a - * polynomial; approximate inverse of poly_compress_du + * polynomial; approximate inverse of mlk_poly_compress_du * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *a: pointer to input byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_DU bytes) * @@ -67,62 +67,62 @@ __contract__( * (non-negative and smaller than MLKEM_Q). * **************************************************/ -static MLK_INLINE void poly_decompress_du( - poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_DU]) +static MLK_INLINE void mlk_poly_decompress_du( + mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_DU]) __contract__( requires(memory_no_alias(a, MLKEM_POLYCOMPRESSEDBYTES_DU)) - requires(memory_no_alias(r, sizeof(poly))) - assigns(memory_slice(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ensures(array_bound(r->coeffs, 0, MLKEM_N, 0, MLKEM_Q))) { #if MLKEM_DU == 10 - poly_decompress_d10(r, a); + mlk_poly_decompress_d10(r, a); #elif MLKEM_DU == 11 - poly_decompress_d11(r, a); + mlk_poly_decompress_d11(r, a); #else #error "Invalid value of MLKEM_DU" #endif } -#define poly_compress_dv MLK_NAMESPACE_K(poly_compress_dv) +#define mlk_poly_compress_dv MLK_NAMESPACE_K(poly_compress_dv) /************************************************* - * Name: poly_compress_dv + * Name: mlk_poly_compress_dv * * Description: Compression (dv bits) and subsequent serialization of a * polynomial * * Arguments: - uint8_t *r: pointer to output byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_DV bytes) - * - const poly *a: pointer to input polynomial + * - const mlk_poly *a: pointer to input polynomial * Coefficients must be unsigned canonical, * i.e. in [0,1,..,MLKEM_Q-1]. **************************************************/ -static MLK_INLINE void poly_compress_dv(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_DV], - const poly *a) +static MLK_INLINE void mlk_poly_compress_dv(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_DV], + const mlk_poly *a) __contract__( requires(memory_no_alias(r, MLKEM_POLYCOMPRESSEDBYTES_DV)) - requires(memory_no_alias(a, sizeof(poly))) + requires(memory_no_alias(a, sizeof(mlk_poly))) requires(array_bound(a->coeffs, 0, MLKEM_N, 0, MLKEM_Q)) assigns(object_whole(r))) { #if MLKEM_DV == 4 - poly_compress_d4(r, a); + mlk_poly_compress_d4(r, a); #elif MLKEM_DV == 5 - poly_compress_d5(r, a); + mlk_poly_compress_d5(r, a); #else #error "Invalid value of MLKEM_DV" #endif } -#define poly_decompress_dv MLK_NAMESPACE_K(poly_decompress_dv) +#define mlk_poly_decompress_dv MLK_NAMESPACE_K(poly_decompress_dv) /************************************************* - * Name: poly_decompress_dv + * Name: mlk_poly_decompress_dv * * Description: De-serialization and subsequent decompression (dv bits) of a * polynomial; approximate inverse of poly_compress * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *a: pointer to input byte array * (of length MLKEM_POLYCOMPRESSEDBYTES_DV bytes) * @@ -130,115 +130,115 @@ __contract__( * (non-negative and smaller than MLKEM_Q). * **************************************************/ -static MLK_INLINE void poly_decompress_dv( - poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_DV]) +static MLK_INLINE void mlk_poly_decompress_dv( + mlk_poly *r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_DV]) __contract__( requires(memory_no_alias(a, MLKEM_POLYCOMPRESSEDBYTES_DV)) - requires(memory_no_alias(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) assigns(object_whole(r)) ensures(array_bound(r->coeffs, 0, MLKEM_N, 0, MLKEM_Q))) { #if MLKEM_DV == 4 - poly_decompress_d4(r, a); + mlk_poly_decompress_d4(r, a); #elif MLKEM_DV == 5 - poly_decompress_d5(r, a); + mlk_poly_decompress_d5(r, a); #else #error "Invalid value of MLKEM_DV" #endif } -#define polyvec_compress_du MLK_NAMESPACE_K(polyvec_compress_du) +#define mlk_polyvec_compress_du MLK_NAMESPACE_K(polyvec_compress_du) /************************************************* - * Name: polyvec_compress_du + * Name: mlk_polyvec_compress_du * * Description: Compress and serialize vector of polynomials * * Arguments: - uint8_t *r: pointer to output byte array * (needs space for MLKEM_POLYVECCOMPRESSEDBYTES_DU) - * - const polyvec *a: pointer to input vector of polynomials. + * - const mlk_polyvec *a: pointer to input vector of polynomials. * Coefficients must be unsigned canonical, * i.e. in [0,1,..,MLKEM_Q-1]. **************************************************/ MLK_INTERNAL_API -void polyvec_compress_du(uint8_t r[MLKEM_POLYVECCOMPRESSEDBYTES_DU], - const polyvec *a) +void mlk_polyvec_compress_du(uint8_t r[MLKEM_POLYVECCOMPRESSEDBYTES_DU], + const mlk_polyvec *a) __contract__( requires(memory_no_alias(r, MLKEM_POLYVECCOMPRESSEDBYTES_DU)) - requires(memory_no_alias(a, sizeof(polyvec))) + requires(memory_no_alias(a, sizeof(mlk_polyvec))) requires(forall(k0, 0, MLKEM_K, array_bound(a->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q))) assigns(object_whole(r)) ); -#define polyvec_decompress_du MLK_NAMESPACE_K(polyvec_decompress_du) +#define mlk_polyvec_decompress_du MLK_NAMESPACE_K(polyvec_decompress_du) /************************************************* - * Name: polyvec_decompress_du + * Name: mlk_polyvec_decompress_du * * Description: De-serialize and decompress vector of polynomials; - * approximate inverse of polyvec_compress_du + * approximate inverse of mlk_polyvec_compress_du * - * Arguments: - polyvec *r: pointer to output vector of polynomials. + * Arguments: - mlk_polyvec *r: pointer to output vector of polynomials. * Output will have coefficients normalized to [0,..,q-1]. * - const uint8_t *a: pointer to input byte array * (of length MLKEM_POLYVECCOMPRESSEDBYTES_DU) **************************************************/ MLK_INTERNAL_API -void polyvec_decompress_du(polyvec *r, +void mlk_polyvec_decompress_du(mlk_polyvec *r, const uint8_t a[MLKEM_POLYVECCOMPRESSEDBYTES_DU]) __contract__( requires(memory_no_alias(a, MLKEM_POLYVECCOMPRESSEDBYTES_DU)) - requires(memory_no_alias(r, sizeof(polyvec))) + requires(memory_no_alias(r, sizeof(mlk_polyvec))) assigns(object_whole(r)) ensures(forall(k0, 0, MLKEM_K, array_bound(r->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q))) ); -#define polyvec_tobytes MLK_NAMESPACE_K(polyvec_tobytes) +#define mlk_polyvec_tobytes MLK_NAMESPACE_K(polyvec_tobytes) /************************************************* - * Name: polyvec_tobytes + * Name: mlk_polyvec_tobytes * * Description: Serialize vector of polynomials * * Arguments: - uint8_t *r: pointer to output byte array * (needs space for MLKEM_POLYVECBYTES) - * - const polyvec *a: pointer to input vector of polynomials + * - const mlk_polyvec *a: pointer to input vector of polynomials * Each polynomial must have coefficients in [0,..,q-1]. **************************************************/ MLK_INTERNAL_API -void polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const polyvec *a) +void mlk_polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const mlk_polyvec *a) __contract__( - requires(memory_no_alias(a, sizeof(polyvec))) + requires(memory_no_alias(a, sizeof(mlk_polyvec))) requires(memory_no_alias(r, MLKEM_POLYVECBYTES)) requires(forall(k0, 0, MLKEM_K, array_bound(a->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q))) assigns(object_whole(r)) ); -#define polyvec_frombytes MLK_NAMESPACE_K(polyvec_frombytes) +#define mlk_polyvec_frombytes MLK_NAMESPACE_K(polyvec_frombytes) /************************************************* - * Name: polyvec_frombytes + * Name: mlk_polyvec_frombytes * * Description: De-serialize vector of polynomials; - * inverse of polyvec_tobytes + * inverse of mlk_polyvec_tobytes * - * Arguments: - const polyvec *a: pointer to output vector of polynomials + * Arguments: - const mlk_polyvec *a: pointer to output vector of polynomials * (of length MLKEM_POLYVECBYTES). Output will have coefficients * normalized in [0..4095]. * - uint8_t *r: pointer to input byte array **************************************************/ MLK_INTERNAL_API -void polyvec_frombytes(polyvec *r, const uint8_t a[MLKEM_POLYVECBYTES]) +void mlk_polyvec_frombytes(mlk_polyvec *r, const uint8_t a[MLKEM_POLYVECBYTES]) __contract__( - requires(memory_no_alias(r, sizeof(polyvec))) + requires(memory_no_alias(r, sizeof(mlk_polyvec))) requires(memory_no_alias(a, MLKEM_POLYVECBYTES)) assigns(object_whole(r)) ensures(forall(k0, 0, MLKEM_K, array_bound(r->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT))) ); -#define polyvec_ntt MLK_NAMESPACE_K(polyvec_ntt) +#define mlk_polyvec_ntt MLK_NAMESPACE_K(polyvec_ntt) /************************************************* - * Name: polyvec_ntt + * Name: mlk_polyvec_ntt * * Description: Apply forward NTT to all elements of a vector of polynomials. * @@ -248,13 +248,13 @@ __contract__( * The output polynomial is in bitreversed order, and * coefficient-wise bound by MLK_NTT_BOUND in absolute value. * - * Arguments: - polyvec *r: pointer to in/output vector of polynomials + * Arguments: - mlk_polyvec *r: pointer to in/output vector of polynomials * **************************************************/ MLK_INTERNAL_API -void polyvec_ntt(polyvec *r) +void mlk_polyvec_ntt(mlk_polyvec *r) __contract__( - requires(memory_no_alias(r, sizeof(polyvec))) + requires(memory_no_alias(r, sizeof(mlk_polyvec))) requires(forall(j, 0, MLKEM_K, array_abs_bound(r->vec[j].coeffs, 0, MLKEM_N, MLKEM_Q))) assigns(object_whole(r)) @@ -262,9 +262,9 @@ __contract__( array_abs_bound(r->vec[j].coeffs, 0, MLKEM_N, MLK_NTT_BOUND))) ); -#define polyvec_invntt_tomont MLK_NAMESPACE_K(polyvec_invntt_tomont) +#define mlk_polyvec_invntt_tomont MLK_NAMESPACE_K(polyvec_invntt_tomont) /************************************************* - * Name: polyvec_invntt_tomont + * Name: mlk_polyvec_invntt_tomont * * Description: Apply inverse NTT to all elements of a vector of polynomials * and multiply by Montgomery factor 2^16 @@ -276,45 +276,45 @@ __contract__( * coefficient-wise bound by MLK_INVNTT_BOUND in absolute value. * * - * Arguments: - polyvec *r: pointer to in/output vector of polynomials + * Arguments: - mlk_polyvec *r: pointer to in/output vector of polynomials **************************************************/ MLK_INTERNAL_API -void polyvec_invntt_tomont(polyvec *r) +void mlk_polyvec_invntt_tomont(mlk_polyvec *r) __contract__( - requires(memory_no_alias(r, sizeof(polyvec))) + requires(memory_no_alias(r, sizeof(mlk_polyvec))) assigns(object_whole(r)) ensures(forall(j, 0, MLKEM_K, array_abs_bound(r->vec[j].coeffs, 0, MLKEM_N, MLK_INVNTT_BOUND))) ); -#define polyvec_basemul_acc_montgomery \ +#define mlk_polyvec_basemul_acc_montgomery \ MLK_NAMESPACE_K(polyvec_basemul_acc_montgomery) /************************************************* - * Name: polyvec_basemul_acc_montgomery + * Name: mlk_polyvec_basemul_acc_montgomery * * Description: Multiply elements of a and b in NTT domain, accumulate into r, * and multiply by 2^-16. * - * Arguments: - poly *r: pointer to output polynomial - * - const polyvec *a: pointer to first input vector of polynomials - * - const polyvec *b: pointer to second input vector of polynomials + * Arguments: - mlk_poly *r: pointer to output polynomial + * - const mlk_polyvec *a: pointer to first input vector of polynomials + * - const mlk_polyvec *b: pointer to second input vector of polynomials **************************************************/ MLK_INTERNAL_API -void polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) +void mlk_polyvec_basemul_acc_montgomery(mlk_poly *r, const mlk_polyvec *a, const mlk_polyvec *b) __contract__( - requires(memory_no_alias(r, sizeof(poly))) - requires(memory_no_alias(a, sizeof(polyvec))) - requires(memory_no_alias(b, sizeof(polyvec))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + requires(memory_no_alias(a, sizeof(mlk_polyvec))) + requires(memory_no_alias(b, sizeof(mlk_polyvec))) requires(forall(k1, 0, MLKEM_K, array_bound(a->vec[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT))) - assigns(memory_slice(r, sizeof(poly))) + assigns(memory_slice(r, sizeof(mlk_poly))) ); -#define polyvec_basemul_acc_montgomery_cached \ +#define mlk_polyvec_basemul_acc_montgomery_cached \ MLK_NAMESPACE_K(polyvec_basemul_acc_montgomery_cached) /************************************************* - * Name: polyvec_basemul_acc_montgomery_cached + * Name: mlk_polyvec_basemul_acc_montgomery_cached * * Description: Scalar product of two vectors of polynomials in NTT domain, * using mulcache for second operand. @@ -323,30 +323,30 @@ __contract__( * - Every coefficient of a is assumed to be in [0..4095] * - No bounds guarantees for the coefficients in the result. * - * Arguments: - poly *r: pointer to output polynomial - * - const polyvec *a: pointer to first input polynomial vector - * - const polyvec *b: pointer to second input polynomial vector - * - const polyvec_mulcache *b_cache: pointer to mulcache + * Arguments: - mlk_poly *r: pointer to output polynomial + * - const mlk_polyvec *a: pointer to first input polynomial vector + * - const mlk_polyvec *b: pointer to second input polynomial vector + * - const mlk_polyvec_mulcache *b_cache: pointer to mulcache * for second input polynomial vector. Can be computed - * via polyvec_mulcache_compute(). + * via mlk_polyvec_mulcache_compute(). **************************************************/ MLK_INTERNAL_API -void polyvec_basemul_acc_montgomery_cached(poly *r, const polyvec *a, - const polyvec *b, - const polyvec_mulcache *b_cache) +void mlk_polyvec_basemul_acc_montgomery_cached(mlk_poly *r, const mlk_polyvec *a, + const mlk_polyvec *b, + const mlk_polyvec_mulcache *b_cache) __contract__( - requires(memory_no_alias(r, sizeof(poly))) - requires(memory_no_alias(a, sizeof(polyvec))) - requires(memory_no_alias(b, sizeof(polyvec))) - requires(memory_no_alias(b_cache, sizeof(polyvec_mulcache))) + requires(memory_no_alias(r, sizeof(mlk_poly))) + requires(memory_no_alias(a, sizeof(mlk_polyvec))) + requires(memory_no_alias(b, sizeof(mlk_polyvec))) + requires(memory_no_alias(b_cache, sizeof(mlk_polyvec_mulcache))) requires(forall(k1, 0, MLKEM_K, array_bound(a->vec[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT))) assigns(object_whole(r)) ); -#define polyvec_mulcache_compute MLK_NAMESPACE_K(polyvec_mulcache_compute) +#define mlk_polyvec_mulcache_compute MLK_NAMESPACE_K(polyvec_mulcache_compute) /************************************************************ - * Name: polyvec_mulcache_compute + * Name: mlk_polyvec_mulcache_compute * * Description: Computes the mulcache for a vector of polynomials in NTT domain * @@ -371,48 +371,48 @@ __contract__( * higher level safety proofs, and thus not part of the spec. */ MLK_INTERNAL_API -void polyvec_mulcache_compute(polyvec_mulcache *x, const polyvec *a) +void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache *x, const mlk_polyvec *a) __contract__( - requires(memory_no_alias(x, sizeof(polyvec_mulcache))) - requires(memory_no_alias(a, sizeof(polyvec))) + requires(memory_no_alias(x, sizeof(mlk_polyvec_mulcache))) + requires(memory_no_alias(a, sizeof(mlk_polyvec))) assigns(object_whole(x)) ); -#define polyvec_reduce MLK_NAMESPACE_K(polyvec_reduce) +#define mlk_polyvec_reduce MLK_NAMESPACE_K(polyvec_reduce) /************************************************* - * Name: polyvec_reduce + * Name: mlk_polyvec_reduce * * Description: Applies Barrett reduction to each coefficient * of each element of a vector of polynomials; * for details of the Barrett reduction see comments in reduce.c * - * Arguments: - polyvec *r: pointer to input/output polynomial + * Arguments: - mlk_polyvec *r: pointer to input/output polynomial **************************************************/ /* - * NOTE: The semantics of polyvec_reduce() is different in + * NOTE: The semantics of mlk_polyvec_reduce() is different in * the reference implementation, which requires * signed canonical output data. Unsigned canonical * outputs are better suited to the only remaining - * use of poly_reduce() in the context of (de)serialization. + * use of mlk_poly_reduce() in the context of (de)serialization. */ MLK_INTERNAL_API -void polyvec_reduce(polyvec *r) +void mlk_polyvec_reduce(mlk_polyvec *r) __contract__( - requires(memory_no_alias(r, sizeof(polyvec))) + requires(memory_no_alias(r, sizeof(mlk_polyvec))) assigns(object_whole(r)) ensures(forall(k0, 0, MLKEM_K, array_bound(r->vec[k0].coeffs, 0, MLKEM_N, 0, MLKEM_Q))) ); -#define polyvec_add MLK_NAMESPACE_K(polyvec_add) +#define mlk_polyvec_add MLK_NAMESPACE_K(polyvec_add) /************************************************* - * Name: polyvec_add + * Name: mlk_polyvec_add * * Description: Add vectors of polynomials * - * Arguments: - polyvec *r: pointer to input-output vector of polynomials to be + * Arguments: - mlk_polyvec *r: pointer to input-output vector of polynomials to be * added to - * - const polyvec *b: pointer to second input vector of polynomials + * - const mlk_polyvec *b: pointer to second input vector of polynomials * * The coefficients of r and b must be so that the addition does * not overflow. Otherwise, the behaviour of this function is undefined. @@ -422,10 +422,10 @@ __contract__( * ensures clause is required on this function. **************************************************/ MLK_INTERNAL_API -void polyvec_add(polyvec *r, const polyvec *b) +void mlk_polyvec_add(mlk_polyvec *r, const mlk_polyvec *b) __contract__( - requires(memory_no_alias(r, sizeof(polyvec))) - requires(memory_no_alias(b, sizeof(polyvec))) + requires(memory_no_alias(r, sizeof(mlk_polyvec))) + requires(memory_no_alias(b, sizeof(mlk_polyvec))) requires(forall(j0, 0, MLKEM_K, forall(k0, 0, MLKEM_N, (int32_t)r->vec[j0].coeffs[k0] + b->vec[j0].coeffs[k0] <= INT16_MAX))) @@ -435,9 +435,9 @@ __contract__( assigns(object_whole(r)) ); -#define polyvec_tomont MLK_NAMESPACE_K(polyvec_tomont) +#define mlk_polyvec_tomont MLK_NAMESPACE_K(polyvec_tomont) /************************************************* - * Name: polyvec_tomont + * Name: mlk_polyvec_tomont * * Description: Inplace conversion of all coefficients of a polynomial * vector from normal domain to Montgomery domain @@ -446,30 +446,30 @@ __contract__( * **************************************************/ MLK_INTERNAL_API -void polyvec_tomont(polyvec *r) +void mlk_polyvec_tomont(mlk_polyvec *r) __contract__( - requires(memory_no_alias(r, sizeof(polyvec))) - assigns(memory_slice(r, sizeof(polyvec))) + requires(memory_no_alias(r, sizeof(mlk_polyvec))) + assigns(memory_slice(r, sizeof(mlk_polyvec))) assigns(object_whole(r)) ensures(forall(j, 0, MLKEM_K, array_abs_bound(r->vec[j].coeffs, 0, MLKEM_N, MLKEM_Q))) ); -#define poly_getnoise_eta1_4x MLK_NAMESPACE_K(poly_getnoise_eta1_4x) +#define mlk_poly_getnoise_eta1_4x MLK_NAMESPACE_K(poly_getnoise_eta1_4x) /************************************************* - * Name: poly_getnoise_eta1_4x + * Name: mlk_poly_getnoise_eta1_4x * * Description: Batch sample four polynomials deterministically from a seed * and nonces, with output polynomials close to centered binomial distribution * with parameter MLKEM_ETA1. * - * Arguments: - poly *r{0,1,2,3}: pointer to output polynomial + * Arguments: - mlk_poly *r{0,1,2,3}: pointer to output polynomial * - const uint8_t *seed: pointer to input seed * (of length MLKEM_SYMBYTES bytes) * - uint8_t nonce{0,1,2,3}: one-byte input nonce **************************************************/ MLK_INTERNAL_API -void poly_getnoise_eta1_4x(poly *r0, poly *r1, poly *r2, poly *r3, +void mlk_poly_getnoise_eta1_4x(mlk_poly *r0, mlk_poly *r1, mlk_poly *r2, mlk_poly *r3, const uint8_t seed[MLKEM_SYMBYTES], uint8_t nonce0, uint8_t nonce1, uint8_t nonce2, uint8_t nonce3) /* Depending on MLKEM_K, the pointers passed to this function belong @@ -482,12 +482,12 @@ void poly_getnoise_eta1_4x(poly *r0, poly *r1, poly *r2, poly *r3, __contract__( requires(memory_no_alias(seed, MLKEM_SYMBYTES)) requires( /* Case A: r0, r1 consecutive, r2, r3 consecutive */ - (memory_no_alias(r0, 2 * sizeof(poly)) && memory_no_alias(r2, 2 * sizeof(poly)) && + (memory_no_alias(r0, 2 * sizeof(mlk_poly)) && memory_no_alias(r2, 2 * sizeof(mlk_poly)) && r1 == r0 + 1 && r3 == r2 + 1 && !same_object(r0, r2))) - assigns(memory_slice(r0, sizeof(poly))) - assigns(memory_slice(r1, sizeof(poly))) - assigns(memory_slice(r2, sizeof(poly))) - assigns(memory_slice(r3, sizeof(poly))) + assigns(memory_slice(r0, sizeof(mlk_poly))) + assigns(memory_slice(r1, sizeof(mlk_poly))) + assigns(memory_slice(r2, sizeof(mlk_poly))) + assigns(memory_slice(r3, sizeof(mlk_poly))) ensures( array_abs_bound(r0->coeffs,0, MLKEM_N, MLKEM_ETA1 + 1) && array_abs_bound(r1->coeffs,0, MLKEM_N, MLKEM_ETA1 + 1) @@ -498,11 +498,11 @@ __contract__( __contract__( requires(memory_no_alias(seed, MLKEM_SYMBYTES)) requires( /* Case B: r0, r1, r2, r3 consecutive */ - (memory_no_alias(r0, 4 * sizeof(poly)) && r1 == r0 + 1 && r2 == r0 + 2 && r3 == r0 + 3)) - assigns(memory_slice(r0, sizeof(poly))) - assigns(memory_slice(r1, sizeof(poly))) - assigns(memory_slice(r2, sizeof(poly))) - assigns(memory_slice(r3, sizeof(poly))) + (memory_no_alias(r0, 4 * sizeof(mlk_poly)) && r1 == r0 + 1 && r2 == r0 + 2 && r3 == r0 + 3)) + assigns(memory_slice(r0, sizeof(mlk_poly))) + assigns(memory_slice(r1, sizeof(mlk_poly))) + assigns(memory_slice(r2, sizeof(mlk_poly))) + assigns(memory_slice(r3, sizeof(mlk_poly))) ensures( array_abs_bound(r0->coeffs,0, MLKEM_N, MLKEM_ETA1 + 1) && array_abs_bound(r1->coeffs,0, MLKEM_N, MLKEM_ETA1 + 1) @@ -513,12 +513,12 @@ __contract__( __contract__( requires(memory_no_alias(seed, MLKEM_SYMBYTES)) requires( /* Case C: r0, r1, r2 consecutive */ - (memory_no_alias(r0, 3 * sizeof(poly)) && memory_no_alias(r3, 1 * sizeof(poly)) && + (memory_no_alias(r0, 3 * sizeof(mlk_poly)) && memory_no_alias(r3, 1 * sizeof(mlk_poly)) && r1 == r0 + 1 && r2 == r0 + 2 && !same_object(r3, r0))) - assigns(memory_slice(r0, sizeof(poly))) - assigns(memory_slice(r1, sizeof(poly))) - assigns(memory_slice(r2, sizeof(poly))) - assigns(memory_slice(r3, sizeof(poly))) + assigns(memory_slice(r0, sizeof(mlk_poly))) + assigns(memory_slice(r1, sizeof(mlk_poly))) + assigns(memory_slice(r2, sizeof(mlk_poly))) + assigns(memory_slice(r3, sizeof(mlk_poly))) ensures( array_abs_bound(r0->coeffs,0, MLKEM_N, MLKEM_ETA1 + 1) && array_abs_bound(r1->coeffs,0, MLKEM_N, MLKEM_ETA1 + 1) @@ -529,32 +529,32 @@ __contract__( #if MLKEM_ETA1 == MLKEM_ETA2 /* - * We only require poly_getnoise_eta2_4x for ml-kem-768 and ml-kem-1024 + * We only require mlk_poly_getnoise_eta2_4x for ml-kem-768 and ml-kem-1024 * where MLKEM_ETA2 = MLKEM_ETA1 = 2. - * For ml-kem-512, poly_getnoise_eta1122_4x is used instead. + * For ml-kem-512, mlk_poly_getnoise_eta1122_4x is used instead. */ -#define poly_getnoise_eta2_4x poly_getnoise_eta1_4x +#define mlk_poly_getnoise_eta2_4x mlk_poly_getnoise_eta1_4x #endif /* MLKEM_ETA1 == MLKEM_ETA2 */ #if MLKEM_K == 2 || MLKEM_K == 4 -#define poly_getnoise_eta2 MLK_NAMESPACE_K(poly_getnoise_eta2) +#define mlk_poly_getnoise_eta2 MLK_NAMESPACE_K(poly_getnoise_eta2) /************************************************* - * Name: poly_getnoise_eta2 + * Name: mlk_poly_getnoise_eta2 * * Description: Sample a polynomial deterministically from a seed and a nonce, * with output polynomial close to centered binomial distribution * with parameter MLKEM_ETA2 * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *seed: pointer to input seed * (of length MLKEM_SYMBYTES bytes) * - uint8_t nonce: one-byte input nonce **************************************************/ MLK_INTERNAL_API -void poly_getnoise_eta2(poly *r, const uint8_t seed[MLKEM_SYMBYTES], +void mlk_poly_getnoise_eta2(mlk_poly *r, const uint8_t seed[MLKEM_SYMBYTES], uint8_t nonce) __contract__( - requires(memory_no_alias(r, sizeof(poly))) + requires(memory_no_alias(r, sizeof(mlk_poly))) requires(memory_no_alias(seed, MLKEM_SYMBYTES)) assigns(object_whole(r)) ensures(array_abs_bound(r->coeffs, 0, MLKEM_N, MLKEM_ETA2 + 1)) @@ -562,27 +562,27 @@ __contract__( #endif /* MLKEM_K == 2 || MLKEM_K == 4 */ #if MLKEM_K == 2 -#define poly_getnoise_eta1122_4x MLK_NAMESPACE_K(poly_getnoise_eta1122_4x) +#define mlk_poly_getnoise_eta1122_4x MLK_NAMESPACE_K(poly_getnoise_eta1122_4x) /************************************************* - * Name: poly_getnoise_eta1122_4x + * Name: mlk_poly_getnoise_eta1122_4x * * Description: Batch sample four polynomials deterministically from a seed * and a nonces, with output polynomials close to centered binomial * distribution with parameter MLKEM_ETA1 and MLKEM_ETA2 * - * Arguments: - poly *r{0,1,2,3}: pointer to output polynomial + * Arguments: - mlk_poly *r{0,1,2,3}: pointer to output polynomial * - const uint8_t *seed: pointer to input seed * (of length MLKEM_SYMBYTES bytes) * - uint8_t nonce{0,1,2,3}: one-byte input nonce **************************************************/ MLK_INTERNAL_API -void poly_getnoise_eta1122_4x(poly *r0, poly *r1, poly *r2, poly *r3, +void mlk_poly_getnoise_eta1122_4x(mlk_poly *r0, mlk_poly *r1, mlk_poly *r2, mlk_poly *r3, const uint8_t seed[MLKEM_SYMBYTES], uint8_t nonce0, uint8_t nonce1, uint8_t nonce2, uint8_t nonce3) __contract__( requires( /* r0, r1 consecutive, r2, r3 consecutive */ - (memory_no_alias(r0, 2 * sizeof(poly)) && memory_no_alias(r2, 2 * sizeof(poly)) && + (memory_no_alias(r0, 2 * sizeof(mlk_poly)) && memory_no_alias(r2, 2 * sizeof(mlk_poly)) && r1 == r0 + 1 && r3 == r2 + 1 && !same_object(r0, r2))) requires(memory_no_alias(seed, MLKEM_SYMBYTES)) assigns(object_whole(r0), object_whole(r1), object_whole(r2), object_whole(r3)) diff --git a/mlkem/sampling.c b/mlkem/sampling.c index dcc1cb7f5..62c2fe98e 100644 --- a/mlkem/sampling.c +++ b/mlkem/sampling.c @@ -16,13 +16,13 @@ * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define rej_uniform MLK_NAMESPACE(rej_uniform) -#define rej_uniform_scalar MLK_NAMESPACE(rej_uniform_scalar) -#define load32_littleendian MLK_NAMESPACE(load32_littleendian) -#define load24_littleendian MLK_NAMESPACE(load24_littleendian) +#define mlk_rej_uniform MLK_NAMESPACE(rej_uniform) +#define mlk_rej_uniform_scalar MLK_NAMESPACE(rej_uniform_scalar) +#define mlk_load32_littleendian MLK_NAMESPACE(load32_littleendian) +#define mlk_load24_littleendian MLK_NAMESPACE(load24_littleendian) /* End of static namespacing */ -static unsigned rej_uniform_scalar(int16_t *r, unsigned target, unsigned offset, +static unsigned mlk_rej_uniform_scalar(int16_t *r, unsigned target, unsigned offset, const uint8_t *buf, unsigned buflen) __contract__( requires(offset <= target && target <= 4096 && buflen <= 4096 && buflen % 3 == 0) @@ -66,7 +66,7 @@ __contract__( } /************************************************* - * Name: rej_uniform + * Name: mlk_rej_uniform * * Description: Run rejection sampling on uniform random bytes to generate * uniform random integers mod q @@ -101,7 +101,7 @@ __contract__( * buffer. This avoids shifting the buffer base in the caller, which appears * tricky to reason about. */ -static unsigned rej_uniform(int16_t *r, unsigned target, unsigned offset, +static unsigned mlk_rej_uniform(int16_t *r, unsigned target, unsigned offset, const uint8_t *buf, unsigned buflen) __contract__( requires(offset <= target && target <= 4096 && buflen <= 4096 && buflen % 3 == 0) @@ -126,7 +126,7 @@ __contract__( } #endif /* MLK_USE_NATIVE_REJ_UNIFORM */ - return rej_uniform_scalar(r, target, offset, buf, buflen); + return mlk_rej_uniform_scalar(r, target, offset, buf, buflen); } #ifndef MLKEM_GEN_MATRIX_NBLOCKS @@ -135,7 +135,7 @@ __contract__( #endif MLK_INTERNAL_API -void poly_rej_uniform_x4(poly *vec, uint8_t *seed[4]) +void mlk_poly_rej_uniform_x4(mlk_poly *vec, uint8_t *seed[4]) { /* Temporary buffers for XOF output before rejection sampling */ MLK_ALIGN uint8_t buf0[MLKEM_GEN_MATRIX_NBLOCKS * XOF_RATE]; @@ -160,10 +160,10 @@ void poly_rej_uniform_x4(poly *vec, uint8_t *seed[4]) xof_x4_squeezeblocks(buf0, buf1, buf2, buf3, MLKEM_GEN_MATRIX_NBLOCKS, &statex); buflen = MLKEM_GEN_MATRIX_NBLOCKS * XOF_RATE; - ctr[0] = rej_uniform(vec[0].coeffs, MLKEM_N, 0, buf0, buflen); - ctr[1] = rej_uniform(vec[1].coeffs, MLKEM_N, 0, buf1, buflen); - ctr[2] = rej_uniform(vec[2].coeffs, MLKEM_N, 0, buf2, buflen); - ctr[3] = rej_uniform(vec[3].coeffs, MLKEM_N, 0, buf3, buflen); + ctr[0] = mlk_rej_uniform(vec[0].coeffs, MLKEM_N, 0, buf0, buflen); + ctr[1] = mlk_rej_uniform(vec[1].coeffs, MLKEM_N, 0, buf1, buflen); + ctr[2] = mlk_rej_uniform(vec[2].coeffs, MLKEM_N, 0, buf2, buflen); + ctr[3] = mlk_rej_uniform(vec[3].coeffs, MLKEM_N, 0, buf3, buflen); /* * So long as not all matrix entries have been generated, squeeze @@ -173,7 +173,7 @@ void poly_rej_uniform_x4(poly *vec, uint8_t *seed[4]) while (ctr[0] < MLKEM_N || ctr[1] < MLKEM_N || ctr[2] < MLKEM_N || ctr[3] < MLKEM_N) __loop__( - assigns(ctr, statex, memory_slice(vec, sizeof(poly) * 4), object_whole(buf0), + assigns(ctr, statex, memory_slice(vec, sizeof(mlk_poly) * 4), object_whole(buf0), object_whole(buf1), object_whole(buf2), object_whole(buf3)) invariant(ctr[0] <= MLKEM_N && ctr[1] <= MLKEM_N) invariant(ctr[2] <= MLKEM_N && ctr[3] <= MLKEM_N) @@ -183,17 +183,17 @@ void poly_rej_uniform_x4(poly *vec, uint8_t *seed[4]) invariant(ctr[3] > 0 ==> array_bound(vec[3].coeffs, 0, ctr[3], 0, MLKEM_Q))) { xof_x4_squeezeblocks(buf0, buf1, buf2, buf3, 1, &statex); - ctr[0] = rej_uniform(vec[0].coeffs, MLKEM_N, ctr[0], buf0, buflen); - ctr[1] = rej_uniform(vec[1].coeffs, MLKEM_N, ctr[1], buf1, buflen); - ctr[2] = rej_uniform(vec[2].coeffs, MLKEM_N, ctr[2], buf2, buflen); - ctr[3] = rej_uniform(vec[3].coeffs, MLKEM_N, ctr[3], buf3, buflen); + ctr[0] = mlk_rej_uniform(vec[0].coeffs, MLKEM_N, ctr[0], buf0, buflen); + ctr[1] = mlk_rej_uniform(vec[1].coeffs, MLKEM_N, ctr[1], buf1, buflen); + ctr[2] = mlk_rej_uniform(vec[2].coeffs, MLKEM_N, ctr[2], buf2, buflen); + ctr[3] = mlk_rej_uniform(vec[3].coeffs, MLKEM_N, ctr[3], buf3, buflen); } xof_x4_release(&statex); } MLK_INTERNAL_API -void poly_rej_uniform(poly *entry, uint8_t seed[MLKEM_SYMBYTES + 2]) +void mlk_poly_rej_uniform(mlk_poly *entry, uint8_t seed[MLKEM_SYMBYTES + 2]) { xof_ctx state; MLK_ALIGN uint8_t buf[MLKEM_GEN_MATRIX_NBLOCKS * XOF_RATE]; @@ -207,18 +207,18 @@ void poly_rej_uniform(poly *entry, uint8_t seed[MLKEM_SYMBYTES + 2]) /* This should generate the matrix entry with high probability. */ xof_squeezeblocks(buf, MLKEM_GEN_MATRIX_NBLOCKS, &state); buflen = MLKEM_GEN_MATRIX_NBLOCKS * XOF_RATE; - ctr = rej_uniform(entry->coeffs, MLKEM_N, 0, buf, buflen); + ctr = mlk_rej_uniform(entry->coeffs, MLKEM_N, 0, buf, buflen); /* Squeeze + sample one more block a time until we're done */ buflen = XOF_RATE; while (ctr < MLKEM_N) __loop__( - assigns(ctr, state, memory_slice(entry, sizeof(poly)), object_whole(buf)) + assigns(ctr, state, memory_slice(entry, sizeof(mlk_poly)), object_whole(buf)) invariant(ctr <= MLKEM_N) invariant(array_bound(entry->coeffs, 0, ctr, 0, MLKEM_Q))) { xof_squeezeblocks(buf, 1, &state); - ctr = rej_uniform(entry->coeffs, MLKEM_N, ctr, buf, buflen); + ctr = mlk_rej_uniform(entry->coeffs, MLKEM_N, ctr, buf, buflen); } xof_release(&state); @@ -228,12 +228,12 @@ void poly_rej_uniform(poly *entry, uint8_t seed[MLKEM_SYMBYTES + 2]) * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define load32_littleendian MLK_NAMESPACE(load32_littleendian) -#define load24_littleendian MLK_NAMESPACE(load24_littleendian) +#define mlk_load32_littleendian MLK_NAMESPACE(load32_littleendian) +#define mlk_load24_littleendian MLK_NAMESPACE(load24_littleendian) /* End of static namespacing */ /************************************************* - * Name: load32_littleendian + * Name: mlk_load32_littleendian * * Description: load 4 bytes into a 32-bit integer * in little-endian order @@ -242,7 +242,7 @@ void poly_rej_uniform(poly *entry, uint8_t seed[MLKEM_SYMBYTES + 2]) * * Returns 32-bit unsigned integer loaded from x **************************************************/ -static uint32_t load32_littleendian(const uint8_t x[4]) +static uint32_t mlk_load32_littleendian(const uint8_t x[4]) { uint32_t r; r = (uint32_t)x[0]; @@ -253,7 +253,7 @@ static uint32_t load32_littleendian(const uint8_t x[4]) } MLK_INTERNAL_API -void poly_cbd2(poly *r, const uint8_t buf[2 * MLKEM_N / 4]) +void mlk_poly_cbd2(mlk_poly *r, const uint8_t buf[2 * MLKEM_N / 4]) { unsigned i; for (i = 0; i < MLKEM_N / 8; i++) @@ -262,7 +262,7 @@ void poly_cbd2(poly *r, const uint8_t buf[2 * MLKEM_N / 4]) invariant(array_abs_bound(r->coeffs, 0, 8 * i, 3))) { unsigned j; - uint32_t t = load32_littleendian(buf + 4 * i); + uint32_t t = mlk_load32_littleendian(buf + 4 * i); uint32_t d = t & 0x55555555; d += (t >> 1) & 0x55555555; @@ -280,7 +280,7 @@ void poly_cbd2(poly *r, const uint8_t buf[2 * MLKEM_N / 4]) #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || MLKEM_ETA1 == 3 /************************************************* - * Name: load24_littleendian + * Name: mlk_load24_littleendian * * Description: load 3 bytes into a 32-bit integer * in little-endian order. @@ -290,7 +290,7 @@ void poly_cbd2(poly *r, const uint8_t buf[2 * MLKEM_N / 4]) * * Returns 32-bit unsigned integer loaded from x (most significant byte is zero) **************************************************/ -static uint32_t load24_littleendian(const uint8_t x[3]) +static uint32_t mlk_load24_littleendian(const uint8_t x[3]) { uint32_t r; r = (uint32_t)x[0]; @@ -300,7 +300,7 @@ static uint32_t load24_littleendian(const uint8_t x[3]) } MLK_INTERNAL_API -void poly_cbd3(poly *r, const uint8_t buf[3 * MLKEM_N / 4]) +void mlk_poly_cbd3(mlk_poly *r, const uint8_t buf[3 * MLKEM_N / 4]) { unsigned i; for (i = 0; i < MLKEM_N / 4; i++) @@ -309,7 +309,7 @@ void poly_cbd3(poly *r, const uint8_t buf[3 * MLKEM_N / 4]) invariant(array_abs_bound(r->coeffs, 0, 4 * i, 4))) { unsigned j; - const uint32_t t = load24_littleendian(buf + 3 * i); + const uint32_t t = mlk_load24_littleendian(buf + 3 * i); uint32_t d = t & 0x00249249; d += (t >> 1) & 0x00249249; d += (t >> 2) & 0x00249249; @@ -336,10 +336,10 @@ MLK_EMPTY_CU(sampling) /* To facilitate single-compilation-unit (SCU) builds, undefine all macros. * Don't modify by hand -- this is auto-generated by scripts/autogen. */ -#undef rej_uniform -#undef rej_uniform_scalar -#undef load32_littleendian -#undef load24_littleendian +#undef mlk_rej_uniform +#undef mlk_rej_uniform_scalar +#undef mlk_load32_littleendian +#undef mlk_load24_littleendian #undef MLKEM_GEN_MATRIX_NBLOCKS -#undef load32_littleendian -#undef load24_littleendian +#undef mlk_load32_littleendian +#undef mlk_load24_littleendian diff --git a/mlkem/sampling.h b/mlkem/sampling.h index 1f31b6d64..9aa8ed328 100644 --- a/mlkem/sampling.h +++ b/mlkem/sampling.h @@ -11,45 +11,45 @@ #include "common.h" #include "poly.h" -#define poly_cbd2 MLK_NAMESPACE(poly_cbd2) +#define mlk_poly_cbd2 MLK_NAMESPACE(poly_cbd2) /************************************************* - * Name: poly_cbd2 + * Name: mlk_poly_cbd2 * * Description: Given an array of uniformly random bytes, compute * polynomial with coefficients distributed according to * a centered binomial distribution with parameter eta=2 * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *buf: pointer to input byte array **************************************************/ MLK_INTERNAL_API -void poly_cbd2(poly *r, const uint8_t buf[2 * MLKEM_N / 4]); +void mlk_poly_cbd2(mlk_poly *r, const uint8_t buf[2 * MLKEM_N / 4]); #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || MLKEM_ETA1 == 3 -#define poly_cbd3 MLK_NAMESPACE(poly_cbd3) +#define mlk_poly_cbd3 MLK_NAMESPACE(poly_cbd3) /************************************************* - * Name: poly_cbd3 + * Name: mlk_poly_cbd3 * * Description: Given an array of uniformly random bytes, compute * polynomial with coefficients distributed according to * a centered binomial distribution with parameter eta=3. * This function is only needed for ML-KEM-512 * - * Arguments: - poly *r: pointer to output polynomial + * Arguments: - mlk_poly *r: pointer to output polynomial * - const uint8_t *buf: pointer to input byte array **************************************************/ MLK_INTERNAL_API -void poly_cbd3(poly *r, const uint8_t buf[3 * MLKEM_N / 4]); +void mlk_poly_cbd3(mlk_poly *r, const uint8_t buf[3 * MLKEM_N / 4]); #endif /* MLK_MULTILEVEL_BUILD || MLKEM_ETA1 == 3 */ -#define poly_rej_uniform_x4 MLK_NAMESPACE(poly_rej_uniform_x4) +#define mlk_poly_rej_uniform_x4 MLK_NAMESPACE(poly_rej_uniform_x4) /************************************************* - * Name: poly_rej_uniform_x4 + * Name: mlk_poly_rej_uniform_x4 * * Description: Generate four polynomials using rejection sampling * on (pseudo-)uniformly random bytes sampled from a seed. * - * Arguments: - poly *vec: Pointer to an array of 4 polynomials + * Arguments: - mlk_poly *vec: Pointer to an array of 4 polynomials * to be sampled. * - uint8_t *seed[4]: Pointer to array of four pointers * pointing to the seed buffers of size @@ -57,38 +57,38 @@ void poly_cbd3(poly *r, const uint8_t buf[3 * MLKEM_N / 4]); * **************************************************/ MLK_INTERNAL_API -void poly_rej_uniform_x4(poly *vec, uint8_t *seed[4]) +void mlk_poly_rej_uniform_x4(mlk_poly *vec, uint8_t *seed[4]) __contract__( - requires(memory_no_alias(vec, sizeof(poly) * 4)) + requires(memory_no_alias(vec, sizeof(mlk_poly) * 4)) requires(memory_no_alias(seed, sizeof(uint8_t*) * 4)) requires(memory_no_alias(seed[0], MLKEM_SYMBYTES + 2)) requires(memory_no_alias(seed[1], MLKEM_SYMBYTES + 2)) requires(memory_no_alias(seed[2], MLKEM_SYMBYTES + 2)) requires(memory_no_alias(seed[3], MLKEM_SYMBYTES + 2)) - assigns(memory_slice(vec, sizeof(poly) * 4)) + assigns(memory_slice(vec, sizeof(mlk_poly) * 4)) ensures(array_bound(vec[0].coeffs, 0, MLKEM_N, 0, MLKEM_Q)) ensures(array_bound(vec[1].coeffs, 0, MLKEM_N, 0, MLKEM_Q)) ensures(array_bound(vec[2].coeffs, 0, MLKEM_N, 0, MLKEM_Q)) ensures(array_bound(vec[3].coeffs, 0, MLKEM_N, 0, MLKEM_Q))); -#define poly_rej_uniform MLK_NAMESPACE(poly_rej_uniform) +#define mlk_poly_rej_uniform MLK_NAMESPACE(poly_rej_uniform) /************************************************* - * Name: poly_rej_uniform + * Name: mlk_poly_rej_uniform * * Description: Generate polynomial using rejection sampling * on (pseudo-)uniformly random bytes sampled from a seed. * - * Arguments: - poly *vec: Pointer to polynomial to be sampled. + * Arguments: - mlk_poly *vec: Pointer to polynomial to be sampled. * - uint8_t *seed: Pointer to seed buffer of size * MLKEM_SYMBYTES + 2 each. * **************************************************/ MLK_INTERNAL_API -void poly_rej_uniform(poly *entry, uint8_t seed[MLKEM_SYMBYTES + 2]) +void mlk_poly_rej_uniform(mlk_poly *entry, uint8_t seed[MLKEM_SYMBYTES + 2]) __contract__( - requires(memory_no_alias(entry, sizeof(poly))) + requires(memory_no_alias(entry, sizeof(mlk_poly))) requires(memory_no_alias(seed, MLKEM_SYMBYTES + 2)) - assigns(memory_slice(entry, sizeof(poly))) + assigns(memory_slice(entry, sizeof(mlk_poly))) ensures(array_bound(entry->coeffs, 0, MLKEM_N, 0, MLKEM_Q))); #endif /* MLK_SAMPLING_H */ diff --git a/mlkem/verify.c b/mlkem/verify.c index 343061584..1e0a220f6 100644 --- a/mlkem/verify.c +++ b/mlkem/verify.c @@ -11,7 +11,7 @@ * verify.h to block the compiler's range analysis and * thereby reduce the risk of compiler-introduced branches. */ -volatile uint64_t ct_opt_blocker_u64 = 0; +volatile uint64_t mlk_ct_opt_blocker_u64 = 0; #else /* MLK_USE_ASM_VALUE_BARRIER && \ !MLK_MULTILEVEL_BUILD_NO_SHARED */ diff --git a/mlkem/verify.h b/mlkem/verify.h index 49de7a91c..b4d3bdca3 100644 --- a/mlkem/verify.h +++ b/mlkem/verify.h @@ -15,16 +15,16 @@ * This is to facilitate building multiple instances * of mlkem-native (e.g. with varying security levels) * within a single compilation unit. */ -#define value_barrier_u8 MLK_NAMESPACE(value_barrier_u8) -#define value_barrier_u32 MLK_NAMESPACE(value_barrier_u32) -#define value_barrier_i32 MLK_NAMESPACE(value_barrier_i32) -#define ct_cmask_neg_i16 MLK_NAMESPACE(ct_cmask_neg_i16) -#define ct_cmask_nonzero_u8 MLK_NAMESPACE(ct_cmask_nonzero_u8) -#define ct_cmask_nonzero_u16 MLK_NAMESPACE(ct_cmask_nonzero_u16) -#define ct_sel_uint8 MLK_NAMESPACE(ct_sel_uint8) -#define ct_sel_int16 MLK_NAMESPACE(ct_sel_int16) -#define ct_memcmp MLK_NAMESPACE(ct_memcmp) -#define ct_cmov_zero MLK_NAMESPACE(ct_cmov_zero) +#define mlk_value_barrier_u8 MLK_NAMESPACE(value_barrier_u8) +#define mlk_value_barrier_u32 MLK_NAMESPACE(value_barrier_u32) +#define mlk_value_barrier_i32 MLK_NAMESPACE(value_barrier_i32) +#define mlk_ct_cmask_neg_i16 MLK_NAMESPACE(ct_cmask_neg_i16) +#define mlk_ct_cmask_nonzero_u8 MLK_NAMESPACE(ct_cmask_nonzero_u8) +#define mlk_ct_cmask_nonzero_u16 MLK_NAMESPACE(ct_cmask_nonzero_u16) +#define mlk_ct_sel_uint8 MLK_NAMESPACE(ct_sel_uint8) +#define mlk_ct_sel_int16 MLK_NAMESPACE(ct_sel_int16) +#define mlk_ct_memcmp MLK_NAMESPACE(ct_memcmp) +#define mlk_ct_cmov_zero MLK_NAMESPACE(ct_cmov_zero) /* End of static namespacing */ /* Constant-time comparisons and conditional operations @@ -70,45 +70,45 @@ * Declaration of global volatile that the global value barrier * is loading from and masking with. */ -#define ct_opt_blocker_u64 MLK_NAMESPACE(ct_opt_blocker_u64) -extern volatile uint64_t ct_opt_blocker_u64; +#define mlk_ct_opt_blocker_u64 MLK_NAMESPACE(ct_opt_blocker_u64) +extern volatile uint64_t mlk_ct_opt_blocker_u64; /* Helper functions for obtaining masks of various sizes */ static MLK_INLINE uint8_t get_optblocker_u8(void) -__contract__(ensures(return_value == 0)) { return (uint8_t)ct_opt_blocker_u64; } +__contract__(ensures(return_value == 0)) { return (uint8_t)mlk_ct_opt_blocker_u64; } static MLK_INLINE uint32_t get_optblocker_u32(void) -__contract__(ensures(return_value == 0)) { return ct_opt_blocker_u64; } +__contract__(ensures(return_value == 0)) { return mlk_ct_opt_blocker_u64; } static MLK_INLINE uint32_t get_optblocker_i32(void) -__contract__(ensures(return_value == 0)) { return ct_opt_blocker_u64; } +__contract__(ensures(return_value == 0)) { return mlk_ct_opt_blocker_u64; } -static MLK_INLINE uint32_t value_barrier_u32(uint32_t b) +static MLK_INLINE uint32_t mlk_value_barrier_u32(uint32_t b) __contract__(ensures(return_value == b)) { return (b ^ get_optblocker_u32()); } -static MLK_INLINE int32_t value_barrier_i32(int32_t b) +static MLK_INLINE int32_t mlk_value_barrier_i32(int32_t b) __contract__(ensures(return_value == b)) { return (b ^ get_optblocker_i32()); } -static MLK_INLINE uint8_t value_barrier_u8(uint8_t b) +static MLK_INLINE uint8_t mlk_value_barrier_u8(uint8_t b) __contract__(ensures(return_value == b)) { return (b ^ get_optblocker_u8()); } #else /* !MLK_USE_ASM_VALUE_BARRIER */ -static MLK_INLINE uint32_t value_barrier_u32(uint32_t b) +static MLK_INLINE uint32_t mlk_value_barrier_u32(uint32_t b) __contract__(ensures(return_value == b)) { __asm__("" : "+r"(b)); return b; } -static MLK_INLINE int32_t value_barrier_i32(int32_t b) +static MLK_INLINE int32_t mlk_value_barrier_i32(int32_t b) __contract__(ensures(return_value == b)) { __asm__("" : "+r"(b)); return b; } -static MLK_INLINE uint8_t value_barrier_u8(uint8_t b) +static MLK_INLINE uint8_t mlk_value_barrier_u8(uint8_t b) __contract__(ensures(return_value == b)) { __asm__("" : "+r"(b)); @@ -128,31 +128,31 @@ __contract__(ensures(return_value == b)) #endif /************************************************* - * Name: ct_cmask_nonzero_u16 + * Name: mlk_ct_cmask_nonzero_u16 * * Description: Return 0 if input is zero, and -1 otherwise. * * Arguments: uint16_t x: Value to be converted into a mask **************************************************/ -static MLK_INLINE uint16_t ct_cmask_nonzero_u16(uint16_t x) +static MLK_INLINE uint16_t mlk_ct_cmask_nonzero_u16(uint16_t x) __contract__(ensures(return_value == ((x == 0) ? 0 : 0xFFFF))) { - uint32_t tmp = value_barrier_u32(-((uint32_t)x)); + uint32_t tmp = mlk_value_barrier_u32(-((uint32_t)x)); tmp >>= 16; return tmp; } /************************************************* - * Name: ct_cmask_nonzero_u8 + * Name: mlk_ct_cmask_nonzero_u8 * * Description: Return 0 if input is zero, and -1 otherwise. * * Arguments: uint8_t x: Value to be converted into a mask **************************************************/ -static MLK_INLINE uint8_t ct_cmask_nonzero_u8(uint8_t x) +static MLK_INLINE uint8_t mlk_ct_cmask_nonzero_u8(uint8_t x) __contract__(ensures(return_value == ((x == 0) ? 0 : 0xFF))) { - uint32_t tmp = value_barrier_u32(-((uint32_t)x)); + uint32_t tmp = mlk_value_barrier_u32(-((uint32_t)x)); tmp >>= 24; return tmp; } @@ -163,7 +163,7 @@ __contract__(ensures(return_value == ((x == 0) ? 0 : 0xFF))) #endif /* - * The ct_cmask_neg_i16 function below makes deliberate use of + * The mlk_ct_cmask_neg_i16 function below makes deliberate use of * signed to unsigned integer conversion, which is fully defined * behaviour in C. It is thus safe to disable this warning. */ @@ -173,16 +173,16 @@ __contract__(ensures(return_value == ((x == 0) ? 0 : 0xFF))) #endif /************************************************* - * Name: ct_cmask_neg_i16 + * Name: mlk_ct_cmask_neg_i16 * * Description: Return 0 if input is non-negative, and -1 otherwise. * * Arguments: uint16_t x: Value to be converted into a mask **************************************************/ -static MLK_INLINE uint16_t ct_cmask_neg_i16(int16_t x) +static MLK_INLINE uint16_t mlk_ct_cmask_neg_i16(int16_t x) __contract__(ensures(return_value == ((x < 0) ? 0xFFFF : 0))) { - int32_t tmp = value_barrier_i32((int32_t)x); + int32_t tmp = mlk_value_barrier_i32((int32_t)x); tmp >>= 16; return (int16_t)tmp; } @@ -204,7 +204,7 @@ __contract__(ensures(return_value == ((x < 0) ? 0xFFFF : 0))) #endif /************************************************* - * Name: ct_sel_int16 + * Name: mlk_ct_sel_int16 * * Description: Functionally equivalent to cond ? a : b, * but implemented with guards against @@ -214,11 +214,11 @@ __contract__(ensures(return_value == ((x < 0) ? 0xFFFF : 0))) * int16_t b: Second alternative * uint16_t cond: Condition variable. **************************************************/ -static MLK_INLINE int16_t ct_sel_int16(int16_t a, int16_t b, uint16_t cond) +static MLK_INLINE int16_t mlk_ct_sel_int16(int16_t a, int16_t b, uint16_t cond) __contract__(ensures(return_value == (cond ? a : b))) { uint16_t au = a, bu = b; - uint16_t res = bu ^ (ct_cmask_nonzero_u16(cond) & (au ^ bu)); + uint16_t res = bu ^ (mlk_ct_cmask_nonzero_u16(cond) & (au ^ bu)); return (int16_t)res; } @@ -228,7 +228,7 @@ __contract__(ensures(return_value == (cond ? a : b))) #endif /************************************************* - * Name: ct_sel_uint8 + * Name: mlk_ct_sel_uint8 * * Description: Functionally equivalent to cond ? a : b, * but implemented with guards against @@ -238,14 +238,14 @@ __contract__(ensures(return_value == (cond ? a : b))) * uint8_t b: Second alternative * uuint8_t cond: Condition variable. **************************************************/ -static MLK_INLINE uint8_t ct_sel_uint8(uint8_t a, uint8_t b, uint8_t cond) +static MLK_INLINE uint8_t mlk_ct_sel_uint8(uint8_t a, uint8_t b, uint8_t cond) __contract__(ensures(return_value == (cond ? a : b))) { - return b ^ (ct_cmask_nonzero_u8(cond) & (a ^ b)); + return b ^ (mlk_ct_cmask_nonzero_u8(cond) & (a ^ b)); } /************************************************* - * Name: ct_memcmp + * Name: mlk_ct_memcmp * * Description: Compare two arrays for equality in constant time. * @@ -255,7 +255,7 @@ __contract__(ensures(return_value == (cond ? a : b))) * * Returns 0 if the byte arrays are equal, a non-zero value otherwise **************************************************/ -static MLK_INLINE uint8_t ct_memcmp(const uint8_t *a, const uint8_t *b, +static MLK_INLINE uint8_t mlk_ct_memcmp(const uint8_t *a, const uint8_t *b, const size_t len) __contract__( requires(memory_no_alias(a, len)) @@ -283,11 +283,11 @@ __contract__( * - XOR twice with s, separated by a value barrier, to prevent the compile * from dropping the s computation in the loop. */ - return (value_barrier_u8(ct_cmask_nonzero_u8(r) ^ s) ^ s); + return (mlk_value_barrier_u8(mlk_ct_cmask_nonzero_u8(r) ^ s) ^ s); } /************************************************* - * Name: ct_cmov_zero + * Name: mlk_ct_cmov_zero * * Description: Copy len bytes from x to r if b is zero; * don't modify x if b is non-zero. @@ -299,7 +299,7 @@ __contract__( * size_t len: Amount of bytes to be copied * uint8_t b: Condition value. **************************************************/ -static MLK_INLINE void ct_cmov_zero(uint8_t *r, const uint8_t *x, size_t len, +static MLK_INLINE void mlk_ct_cmov_zero(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) __contract__( requires(memory_no_alias(r, len)) @@ -310,7 +310,7 @@ __contract__( for (i = 0; i < len; i++) __loop__(invariant(i <= len)) { - r[i] = ct_sel_uint8(r[i], x[i], b); + r[i] = mlk_ct_sel_uint8(r[i], x[i], b); } } diff --git a/mlkem/zetas.c b/mlkem/zetas.c index 5afc99eb7..ab2883e62 100644 --- a/mlkem/zetas.c +++ b/mlkem/zetas.c @@ -16,7 +16,7 @@ * Table of zeta values used in the reference NTT and inverse NTT. * See autogen for details. */ -MLK_ALIGN const int16_t zetas[128] = { +MLK_ALIGN const int16_t mlk_zetas[128] = { -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468, 573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571, 1223, @@ -33,6 +33,6 @@ MLK_ALIGN const int16_t zetas[128] = { #else /* MLK_MULTILEVEL_BUILD_NO_SHARED */ -MLK_EMPTY_CU(zetas) +MLK_EMPTY_CU(mlk_zetas) #endif /* MLK_MULTILEVEL_BUILD_NO_SHARED */ diff --git a/proofs/cbmc/barrett_reduce/Makefile b/proofs/cbmc/barrett_reduce/Makefile index 2e88c321a..c59e2ce66 100644 --- a/proofs/cbmc/barrett_reduce/Makefile +++ b/proofs/cbmc/barrett_reduce/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = barrett_reduce_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = barrett_reduce +PROOF_UID = mlk_barrett_reduce DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)barrett_reduce +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_barrett_reduce USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = barrett_reduce +FUNCTION_NAME = mlk_barrett_reduce # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/barrett_reduce/barrett_reduce_harness.c b/proofs/cbmc/barrett_reduce/barrett_reduce_harness.c index e3c3dee86..56322ab0b 100644 --- a/proofs/cbmc/barrett_reduce/barrett_reduce_harness.c +++ b/proofs/cbmc/barrett_reduce/barrett_reduce_harness.c @@ -5,13 +5,13 @@ #include #include "common.h" -#define barrett_reduce MLK_NAMESPACE(barrett_reduce) -int16_t barrett_reduce(int16_t a); +#define mlk_barrett_reduce MLK_NAMESPACE(barrett_reduce) +int16_t mlk_barrett_reduce(int16_t a); void harness(void) { int16_t a; int16_t r; - r = barrett_reduce(a); + r = mlk_barrett_reduce(a); } diff --git a/proofs/cbmc/crypto_kem_dec/Makefile b/proofs/cbmc/crypto_kem_dec/Makefile index a0c8c0835..9ad115280 100644 --- a/proofs/cbmc/crypto_kem_dec/Makefile +++ b/proofs/cbmc/crypto_kem_dec/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/kem.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)dec -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_512 $(MLK_NAMESPACE)sha3_256 $(MLK_NAMESPACE)indcpa_enc $(MLK_NAMESPACE)indcpa_dec $(MLK_NAMESPACE)shake256 $(MLK_NAMESPACE)ct_memcmp $(MLK_NAMESPACE)ct_cmov_zero memcmp +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_512 $(MLK_NAMESPACE)sha3_256 $(MLK_NAMESPACE)mlk_indcpa_enc $(MLK_NAMESPACE)mlk_indcpa_dec $(MLK_NAMESPACE)shake256 $(MLK_NAMESPACE)mlk_ct_memcmp $(MLK_NAMESPACE)mlk_ct_cmov_zero memcmp APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/crypto_kem_enc_derand/Makefile b/proofs/cbmc/crypto_kem_enc_derand/Makefile index 47e849451..df98d599f 100644 --- a/proofs/cbmc/crypto_kem_enc_derand/Makefile +++ b/proofs/cbmc/crypto_kem_enc_derand/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/kem.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)enc_derand -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_256 $(MLK_NAMESPACE)sha3_512 $(MLK_NAMESPACE)indcpa_enc $(MLK_NAMESPACE)polyvec_frombytes $(MLK_NAMESPACE)polyvec_reduce $(MLK_NAMESPACE)polyvec_tobytes memcmp +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_256 $(MLK_NAMESPACE)sha3_512 $(MLK_NAMESPACE)mlk_indcpa_enc $(MLK_NAMESPACE)mlk_polyvec_frombytes $(MLK_NAMESPACE)mlk_polyvec_reduce $(MLK_NAMESPACE)mlk_polyvec_tobytes memcmp APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/crypto_kem_keypair_derand/Makefile b/proofs/cbmc/crypto_kem_keypair_derand/Makefile index be833d06c..47b629de8 100644 --- a/proofs/cbmc/crypto_kem_keypair_derand/Makefile +++ b/proofs/cbmc/crypto_kem_keypair_derand/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/kem.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keypair_derand -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_256 $(MLK_NAMESPACE)indcpa_keypair_derand +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_256 $(MLK_NAMESPACE)mlk_indcpa_keypair_derand APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/ct_cmask_neg_i16/Makefile b/proofs/cbmc/ct_cmask_neg_i16/Makefile index bdb63f241..f140abc12 100644 --- a/proofs/cbmc/ct_cmask_neg_i16/Makefile +++ b/proofs/cbmc/ct_cmask_neg_i16/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ct_cmask_neg_i16_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ct_cmask_neg_i16 +PROOF_UID = mlk_ct_cmask_neg_i16 DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c # Dummy because the Makefile wants _some_ project source -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_cmask_neg_i16 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)value_barrier_i32 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_cmask_neg_i16 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_value_barrier_i32 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = ct_cmask_neg_i16 +FUNCTION_NAME = mlk_ct_cmask_neg_i16 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ct_cmask_neg_i16/ct_cmask_neg_i16_harness.c b/proofs/cbmc/ct_cmask_neg_i16/ct_cmask_neg_i16_harness.c index 85a61a89c..edc723aa8 100644 --- a/proofs/cbmc/ct_cmask_neg_i16/ct_cmask_neg_i16_harness.c +++ b/proofs/cbmc/ct_cmask_neg_i16/ct_cmask_neg_i16_harness.c @@ -9,5 +9,5 @@ void harness(void) int16_t a; uint16_t b; - b = ct_cmask_neg_i16(a); + b = mlk_ct_cmask_neg_i16(a); } diff --git a/proofs/cbmc/ct_cmask_nonzero_u16/Makefile b/proofs/cbmc/ct_cmask_nonzero_u16/Makefile index 47558cd7f..f9c3318d9 100644 --- a/proofs/cbmc/ct_cmask_nonzero_u16/Makefile +++ b/proofs/cbmc/ct_cmask_nonzero_u16/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ct_cmask_nonzero_u16_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ct_cmask_nonzero_u16 +PROOF_UID = mlk_ct_cmask_nonzero_u16 DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c # Dummy because the Makefile wants _some_ project source -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_cmask_nonzero_u16 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)value_barrier_u32 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_cmask_nonzero_u16 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_value_barrier_u32 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = ct_cmask_nonzero_u16 +FUNCTION_NAME = mlk_ct_cmask_nonzero_u16 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ct_cmask_nonzero_u16/ct_cmask_nonzero_u16_harness.c b/proofs/cbmc/ct_cmask_nonzero_u16/ct_cmask_nonzero_u16_harness.c index 69af5ec0c..cfe9c9466 100644 --- a/proofs/cbmc/ct_cmask_nonzero_u16/ct_cmask_nonzero_u16_harness.c +++ b/proofs/cbmc/ct_cmask_nonzero_u16/ct_cmask_nonzero_u16_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint16_t a, b; - b = ct_cmask_nonzero_u16(a); + b = mlk_ct_cmask_nonzero_u16(a); } diff --git a/proofs/cbmc/ct_cmask_nonzero_u8/Makefile b/proofs/cbmc/ct_cmask_nonzero_u8/Makefile index 756188615..344f3f147 100644 --- a/proofs/cbmc/ct_cmask_nonzero_u8/Makefile +++ b/proofs/cbmc/ct_cmask_nonzero_u8/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ct_cmask_nonzero_u8_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ct_cmask_nonzero_u8 +PROOF_UID = mlk_ct_cmask_nonzero_u8 DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c # Dummy because the Makefile wants _some_ project source -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_cmask_nonzero_u8 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)value_barrier_u32 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_cmask_nonzero_u8 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_value_barrier_u32 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = ct_cmask_nonzero_u8 +FUNCTION_NAME = mlk_ct_cmask_nonzero_u8 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ct_cmask_nonzero_u8/ct_cmask_nonzero_u8_harness.c b/proofs/cbmc/ct_cmask_nonzero_u8/ct_cmask_nonzero_u8_harness.c index d3948737e..7e28157b5 100644 --- a/proofs/cbmc/ct_cmask_nonzero_u8/ct_cmask_nonzero_u8_harness.c +++ b/proofs/cbmc/ct_cmask_nonzero_u8/ct_cmask_nonzero_u8_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint8_t a, b; - b = ct_cmask_nonzero_u8(a); + b = mlk_ct_cmask_nonzero_u8(a); } diff --git a/proofs/cbmc/ct_cmov_zero/Makefile b/proofs/cbmc/ct_cmov_zero/Makefile index 898b3f0d8..32ba0dc7c 100644 --- a/proofs/cbmc/ct_cmov_zero/Makefile +++ b/proofs/cbmc/ct_cmov_zero/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ct_cmov_zero_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ct_cmov_zero +PROOF_UID = mlk_ct_cmov_zero DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c # Dummy source -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_cmov_zero -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_sel_uint8 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_cmov_zero +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_sel_uint8 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = ct_cmov_zero +FUNCTION_NAME = mlk_ct_cmov_zero # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ct_cmov_zero/ct_cmov_zero_harness.c b/proofs/cbmc/ct_cmov_zero/ct_cmov_zero_harness.c index 2755f3ce9..a16ec3e18 100644 --- a/proofs/cbmc/ct_cmov_zero/ct_cmov_zero_harness.c +++ b/proofs/cbmc/ct_cmov_zero/ct_cmov_zero_harness.c @@ -9,5 +9,5 @@ void harness(void) uint8_t *x, *y; size_t len; uint8_t b; - ct_cmov_zero(x, y, len, b); + mlk_ct_cmov_zero(x, y, len, b); } diff --git a/proofs/cbmc/ct_memcmp/Makefile b/proofs/cbmc/ct_memcmp/Makefile index 07b0cc797..227c18aa4 100644 --- a/proofs/cbmc/ct_memcmp/Makefile +++ b/proofs/cbmc/ct_memcmp/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ct_memcmp_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ct_memcmp +PROOF_UID = mlk_ct_memcmp DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_memcmp -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)value_barrier_u8 $(MLK_NAMESPACE)ct_cmask_nonzero_u8 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_memcmp +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_value_barrier_u8 $(MLK_NAMESPACE)mlk_ct_cmask_nonzero_u8 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = ct_memcmp +FUNCTION_NAME = mlk_ct_memcmp # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ct_memcmp/ct_memcmp_harness.c b/proofs/cbmc/ct_memcmp/ct_memcmp_harness.c index c7d0e5233..2fb9b5f9e 100644 --- a/proofs/cbmc/ct_memcmp/ct_memcmp_harness.c +++ b/proofs/cbmc/ct_memcmp/ct_memcmp_harness.c @@ -10,5 +10,5 @@ void harness(void) uint8_t *b; size_t len; int r; - r = ct_memcmp(a, b, len); + r = mlk_ct_memcmp(a, b, len); } diff --git a/proofs/cbmc/ct_sel_int16/Makefile b/proofs/cbmc/ct_sel_int16/Makefile index e0a66afad..3bcf5339c 100644 --- a/proofs/cbmc/ct_sel_int16/Makefile +++ b/proofs/cbmc/ct_sel_int16/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ct_sel_int16_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ct_sel_int16 +PROOF_UID = mlk_ct_sel_int16 DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c # Dummy because the Makefile wants _some_ project source -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_sel_int16 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_cmask_nonzero_u16 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_sel_int16 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_cmask_nonzero_u16 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = ct_sel_int16 +FUNCTION_NAME = mlk_ct_sel_int16 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ct_sel_int16/ct_sel_int16_harness.c b/proofs/cbmc/ct_sel_int16/ct_sel_int16_harness.c index c4b594a3b..338fa2828 100644 --- a/proofs/cbmc/ct_sel_int16/ct_sel_int16_harness.c +++ b/proofs/cbmc/ct_sel_int16/ct_sel_int16_harness.c @@ -9,5 +9,5 @@ void harness(void) int16_t a, b, c; uint16_t cond; - c = ct_sel_int16(a, b, cond); + c = mlk_ct_sel_int16(a, b, cond); } diff --git a/proofs/cbmc/ct_sel_uint8/Makefile b/proofs/cbmc/ct_sel_uint8/Makefile index 8d75e3792..5e3c3d84b 100644 --- a/proofs/cbmc/ct_sel_uint8/Makefile +++ b/proofs/cbmc/ct_sel_uint8/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ct_sel_uint8_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ct_sel_uint8 +PROOF_UID = mlk_ct_sel_uint8 DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c # Dummy because the Makefile wants _some_ project source -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_sel_uint8 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_cmask_nonzero_u8 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_sel_uint8 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_cmask_nonzero_u8 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = ct_sel_uint8 +FUNCTION_NAME = mlk_ct_sel_uint8 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ct_sel_uint8/ct_sel_uint8_harness.c b/proofs/cbmc/ct_sel_uint8/ct_sel_uint8_harness.c index 910b3a5cc..468729064 100644 --- a/proofs/cbmc/ct_sel_uint8/ct_sel_uint8_harness.c +++ b/proofs/cbmc/ct_sel_uint8/ct_sel_uint8_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint8_t a, b, c, cond; - c = ct_sel_uint8(a, b, cond); + c = mlk_ct_sel_uint8(a, b, cond); } diff --git a/proofs/cbmc/fqmul/Makefile b/proofs/cbmc/fqmul/Makefile index 32cb54cce..7225e81d5 100644 --- a/proofs/cbmc/fqmul/Makefile +++ b/proofs/cbmc/fqmul/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = fqmul_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = fqmul +PROOF_UID = mlk_fqmul DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c # Some unit including reduce.h -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)fqmul +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_fqmul USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = fqmul +FUNCTION_NAME = mlk_fqmul # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/fqmul/fqmul_harness.c b/proofs/cbmc/fqmul/fqmul_harness.c index b711a00d0..da8a29120 100644 --- a/proofs/cbmc/fqmul/fqmul_harness.c +++ b/proofs/cbmc/fqmul/fqmul_harness.c @@ -5,12 +5,12 @@ #include #include "common.h" -#define fqmul MLK_NAMESPACE(fqmul) -int16_t fqmul(int16_t a, int16_t b); +#define mlk_fqmul MLK_NAMESPACE(fqmul) +int16_t mlk_fqmul(int16_t a, int16_t b); void harness(void) { int16_t a, b, r; - r = fqmul(a, b); + r = mlk_fqmul(a, b); } diff --git a/proofs/cbmc/gen_matrix/Makefile b/proofs/cbmc/gen_matrix/Makefile index 617d5ce9f..e9e0238f1 100644 --- a/proofs/cbmc/gen_matrix/Makefile +++ b/proofs/cbmc/gen_matrix/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = gen_matrix_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = gen_matrix +PROOF_UID = mlk_gen_matrix DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)gen_matrix.0:4 $(MLK_NAMESPACE)gen_matrix.1:4 $(MLK PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/indcpa.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)gen_matrix -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_rej_uniform $(MLK_NAMESPACE)poly_rej_uniform_x4 $(MLK_NAMESPACE)poly_permute_bitrev_to_custom +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_gen_matrix +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_rej_uniform $(MLK_NAMESPACE)mlk_poly_rej_uniform_x4 $(MLK_NAMESPACE)poly_permute_bitrev_to_custom APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)gen_matrix +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_gen_matrix # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/gen_matrix/gen_matrix_harness.c b/proofs/cbmc/gen_matrix/gen_matrix_harness.c index 749620807..0da36069b 100644 --- a/proofs/cbmc/gen_matrix/gen_matrix_harness.c +++ b/proofs/cbmc/gen_matrix/gen_matrix_harness.c @@ -7,8 +7,8 @@ void harness(void) { - polyvec *a; + mlk_polyvec *a; uint8_t *seed; int transposed; - gen_matrix(a, seed, transposed); + mlk_gen_matrix(a, seed, transposed); } diff --git a/proofs/cbmc/gen_matrix_native/Makefile b/proofs/cbmc/gen_matrix_native/Makefile index 2a0aed9ba..0e834113b 100644 --- a/proofs/cbmc/gen_matrix_native/Makefile +++ b/proofs/cbmc/gen_matrix_native/Makefile @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)gen_matrix.0:4 $(MLK_NAMESPACE)gen_matrix.1:4 $(MLK PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/indcpa.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)gen_matrix -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_rej_uniform $(MLK_NAMESPACE)poly_rej_uniform_x4 poly_permute_bitrev_to_custom +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_gen_matrix +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_rej_uniform $(MLK_NAMESPACE)mlk_poly_rej_uniform_x4 poly_permute_bitrev_to_custom APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/gen_matrix_native/gen_matrix_native_harness.c b/proofs/cbmc/gen_matrix_native/gen_matrix_native_harness.c index 749620807..0da36069b 100644 --- a/proofs/cbmc/gen_matrix_native/gen_matrix_native_harness.c +++ b/proofs/cbmc/gen_matrix_native/gen_matrix_native_harness.c @@ -7,8 +7,8 @@ void harness(void) { - polyvec *a; + mlk_polyvec *a; uint8_t *seed; int transposed; - gen_matrix(a, seed, transposed); + mlk_gen_matrix(a, seed, transposed); } diff --git a/proofs/cbmc/indcpa_dec/Makefile b/proofs/cbmc/indcpa_dec/Makefile index 86b2dec70..251b72a48 100644 --- a/proofs/cbmc/indcpa_dec/Makefile +++ b/proofs/cbmc/indcpa_dec/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = indcpa_dec_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = indcpa_dec +PROOF_UID = mlk_indcpa_dec DEFINES += INCLUDES += @@ -18,18 +18,18 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/indcpa.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)indcpa_dec +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_indcpa_dec -USED_FUNCTIONS = polyvec_ntt -USED_FUNCTIONS += polyvec_basemul_acc_montgomery -USED_FUNCTIONS += poly_invntt_tomont -USED_FUNCTIONS += poly_sub -USED_FUNCTIONS += poly_reduce -USED_FUNCTIONS += poly_tomsg -USED_FUNCTIONS += polyvec_decompress_du -USED_FUNCTIONS += poly_decompress_dv -USED_FUNCTIONS += polyvec_frombytes -USED_FUNCTIONS += polyvec_reduce +USED_FUNCTIONS = mlk_polyvec_ntt +USED_FUNCTIONS += mlk_polyvec_basemul_acc_montgomery +USED_FUNCTIONS += mlk_poly_invntt_tomont +USED_FUNCTIONS += mlk_poly_sub +USED_FUNCTIONS += mlk_poly_reduce +USED_FUNCTIONS += mlk_poly_tomsg +USED_FUNCTIONS += mlk_polyvec_decompress_du +USED_FUNCTIONS += mlk_poly_decompress_dv +USED_FUNCTIONS += mlk_polyvec_frombytes +USED_FUNCTIONS += mlk_polyvec_reduce USE_FUNCTION_CONTRACTS=$(addprefix $(MLK_NAMESPACE),$(USED_FUNCTIONS)) APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -38,7 +38,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)indcpa_dec +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_indcpa_dec # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/indcpa_dec/indcpa_dec_harness.c b/proofs/cbmc/indcpa_dec/indcpa_dec_harness.c index 93f2911af..f0e7a2128 100644 --- a/proofs/cbmc/indcpa_dec/indcpa_dec_harness.c +++ b/proofs/cbmc/indcpa_dec/indcpa_dec_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint8_t *m, *c, *sk; - indcpa_dec(m, c, sk); + mlk_indcpa_dec(m, c, sk); } diff --git a/proofs/cbmc/indcpa_enc/Makefile b/proofs/cbmc/indcpa_enc/Makefile index 85057e419..7770fc3e6 100644 --- a/proofs/cbmc/indcpa_enc/Makefile +++ b/proofs/cbmc/indcpa_enc/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = indcpa_enc_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = indcpa_enc +PROOF_UID = mlk_indcpa_enc DEFINES += INCLUDES += @@ -18,33 +18,33 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/indcpa.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)indcpa_enc +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_indcpa_enc -USED_FUNCTIONS = poly_frommsg -USED_FUNCTIONS += gen_matrix +USED_FUNCTIONS = mlk_poly_frommsg +USED_FUNCTIONS += mlk_gen_matrix ifeq ($(MLKEM_K),2) -USED_FUNCTIONS += poly_getnoise_eta1122_4x -USED_FUNCTIONS += poly_getnoise_eta2 +USED_FUNCTIONS += mlk_poly_getnoise_eta1122_4x +USED_FUNCTIONS += mlk_poly_getnoise_eta2 else ifeq ($(MLKEM_K),3) -USED_FUNCTIONS += poly_getnoise_eta1_4x +USED_FUNCTIONS += mlk_poly_getnoise_eta1_4x else ifeq ($(MLKEM_K),4) -USED_FUNCTIONS += poly_getnoise_eta1_4x -USED_FUNCTIONS += poly_getnoise_eta2 +USED_FUNCTIONS += mlk_poly_getnoise_eta1_4x +USED_FUNCTIONS += mlk_poly_getnoise_eta2 endif -USED_FUNCTIONS += polyvec_ntt -USED_FUNCTIONS += polyvec_mulcache_compute -USED_FUNCTIONS += polyvec_basemul_acc_montgomery_cached -USED_FUNCTIONS += polyvec_invntt_tomont -USED_FUNCTIONS += poly_invntt_tomont -USED_FUNCTIONS += polyvec_add -USED_FUNCTIONS += poly_add -USED_FUNCTIONS += polyvec_reduce -USED_FUNCTIONS += poly_reduce -USED_FUNCTIONS += polyvec_compress_du -USED_FUNCTIONS += poly_compress_dv -USED_FUNCTIONS += polyvec_frombytes -USED_FUNCTIONS += matvec_mul +USED_FUNCTIONS += mlk_polyvec_ntt +USED_FUNCTIONS += mlk_polyvec_mulcache_compute +USED_FUNCTIONS += mlk_polyvec_basemul_acc_montgomery_cached +USED_FUNCTIONS += mlk_polyvec_invntt_tomont +USED_FUNCTIONS += mlk_poly_invntt_tomont +USED_FUNCTIONS += mlk_polyvec_add +USED_FUNCTIONS += mlk_poly_add +USED_FUNCTIONS += mlk_polyvec_reduce +USED_FUNCTIONS += mlk_poly_reduce +USED_FUNCTIONS += mlk_polyvec_compress_du +USED_FUNCTIONS += mlk_poly_compress_dv +USED_FUNCTIONS += mlk_polyvec_frombytes +USED_FUNCTIONS += mlk_matvec_mul USE_FUNCTION_CONTRACTS=$(addprefix $(MLK_NAMESPACE),$(USED_FUNCTIONS)) APPLY_LOOP_CONTRACTS=on @@ -54,7 +54,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)indcpa_enc +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_indcpa_enc # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/indcpa_enc/indcpa_enc_harness.c b/proofs/cbmc/indcpa_enc/indcpa_enc_harness.c index 31d7e939f..0a582a033 100644 --- a/proofs/cbmc/indcpa_enc/indcpa_enc_harness.c +++ b/proofs/cbmc/indcpa_enc/indcpa_enc_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint8_t *a, *b, *c, *d; - indcpa_enc(a, b, c, d); + mlk_indcpa_enc(a, b, c, d); } diff --git a/proofs/cbmc/indcpa_keypair_derand/Makefile b/proofs/cbmc/indcpa_keypair_derand/Makefile index aaedb0f3b..e818d3611 100644 --- a/proofs/cbmc/indcpa_keypair_derand/Makefile +++ b/proofs/cbmc/indcpa_keypair_derand/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = indcpa_keypair_derand_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = indcpa_keypair_derand +PROOF_UID = mlk_indcpa_keypair_derand DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/indcpa.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)indcpa_keypair_derand -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_512 $(MLK_NAMESPACE)gen_matrix $(MLK_NAMESPACE)poly_getnoise_eta1_4x $(MLK_NAMESPACE)polyvec_ntt $(MLK_NAMESPACE)polyvec_mulcache_compute $(MLK_NAMESPACE)matvec_mul $(MLK_NAMESPACE)polyvec_tomont $(MLK_NAMESPACE)polyvec_add $(MLK_NAMESPACE)polyvec_reduce $(MLK_NAMESPACE)polyvec_tobytes +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_indcpa_keypair_derand +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_512 $(MLK_NAMESPACE)mlk_gen_matrix $(MLK_NAMESPACE)mlk_poly_getnoise_eta1_4x $(MLK_NAMESPACE)mlk_polyvec_ntt $(MLK_NAMESPACE)mlk_polyvec_mulcache_compute $(MLK_NAMESPACE)mlk_matvec_mul $(MLK_NAMESPACE)mlk_polyvec_tomont $(MLK_NAMESPACE)mlk_polyvec_add $(MLK_NAMESPACE)mlk_polyvec_reduce $(MLK_NAMESPACE)mlk_polyvec_tobytes APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)indcpa_keypair_derand +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_indcpa_keypair_derand # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/indcpa_keypair_derand/indcpa_keypair_derand_harness.c b/proofs/cbmc/indcpa_keypair_derand/indcpa_keypair_derand_harness.c index 2ce0ce991..adbc39c23 100644 --- a/proofs/cbmc/indcpa_keypair_derand/indcpa_keypair_derand_harness.c +++ b/proofs/cbmc/indcpa_keypair_derand/indcpa_keypair_derand_harness.c @@ -7,5 +7,5 @@ void harness(void) { uint8_t *a, *b, *c; - indcpa_keypair_derand(a, b, c); + mlk_indcpa_keypair_derand(a, b, c); } diff --git a/proofs/cbmc/invntt_layer/Makefile b/proofs/cbmc/invntt_layer/Makefile index d7137e1b0..8292106fe 100644 --- a/proofs/cbmc/invntt_layer/Makefile +++ b/proofs/cbmc/invntt_layer/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = invntt_layer_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = invntt_layer +PROOF_UID = mlk_invntt_layer DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c $(SRCDIR)/mlkem/zetas.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)invntt_layer -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)fqmul $(MLK_NAMESPACE)barrett_reduce +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_invntt_layer +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_fqmul $(MLK_NAMESPACE)mlk_barrett_reduce APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = invntt_layer +FUNCTION_NAME = mlk_invntt_layer # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/invntt_layer/invntt_layer_harness.c b/proofs/cbmc/invntt_layer/invntt_layer_harness.c index d12758fab..b69d858b2 100644 --- a/proofs/cbmc/invntt_layer/invntt_layer_harness.c +++ b/proofs/cbmc/invntt_layer/invntt_layer_harness.c @@ -5,12 +5,12 @@ #include #include "common.h" -#define invntt_layer MLK_NAMESPACE(invntt_layer) -void invntt_layer(int16_t *p, unsigned len, unsigned layer); +#define mlk_invntt_layer MLK_NAMESPACE(invntt_layer) +void mlk_invntt_layer(int16_t *p, unsigned len, unsigned layer); void harness(void) { int16_t *a; unsigned len, layer; - invntt_layer(a, len, layer); + mlk_invntt_layer(a, len, layer); } diff --git a/proofs/cbmc/keccak_absorb_once/Makefile b/proofs/cbmc/keccak_absorb_once/Makefile index a36d36435..950e77404 100644 --- a/proofs/cbmc/keccak_absorb_once/Makefile +++ b/proofs/cbmc/keccak_absorb_once/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = keccak_absorb_once_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = keccak_absorb_once +PROOF_UID = mlk_keccak_absorb_once DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_absorb_once +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_absorb_once USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)KeccakF1600_StateXORBytes $(MLK_NAMESPACE)KeccakF1600_StatePermute APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = keccak_absorb_once +FUNCTION_NAME = mlk_keccak_absorb_once # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/keccak_absorb_once/keccak_absorb_once_harness.c b/proofs/cbmc/keccak_absorb_once/keccak_absorb_once_harness.c index d27fc850a..35fa4fe50 100644 --- a/proofs/cbmc/keccak_absorb_once/keccak_absorb_once_harness.c +++ b/proofs/cbmc/keccak_absorb_once/keccak_absorb_once_harness.c @@ -7,8 +7,8 @@ #include #include -#define keccak_absorb_once MLK_NAMESPACE(keccak_absorb_once) -void keccak_absorb_once(uint64_t *s, uint32_t r, const uint8_t *m, size_t mlen, +#define mlk_keccak_absorb_once MLK_NAMESPACE(keccak_absorb_once) +void mlk_keccak_absorb_once(uint64_t *s, uint32_t r, const uint8_t *m, size_t mlen, uint8_t p); void harness(void) @@ -18,5 +18,5 @@ void harness(void) const uint8_t *m; size_t mlen; uint8_t p; - keccak_absorb_once(s, r, m, mlen, p); + mlk_keccak_absorb_once(s, r, m, mlen, p); } diff --git a/proofs/cbmc/keccak_absorb_once_x4/Makefile b/proofs/cbmc/keccak_absorb_once_x4/Makefile index 2670f196b..72bd7b3cc 100644 --- a/proofs/cbmc/keccak_absorb_once_x4/Makefile +++ b/proofs/cbmc/keccak_absorb_once_x4/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = keccak_absorb_once_x4_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = keccak_absorb_once_x4 +PROOF_UID = mlk_keccak_absorb_once_x4 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202x4.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_absorb_once_x4 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_absorb_once_x4 USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)KeccakF1600x4_StatePermute $(MLK_NAMESPACE)KeccakF1600x4_StateXORBytes APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = keccak_absorb_once_x4 +FUNCTION_NAME = mlk_keccak_absorb_once_x4 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/keccak_absorb_once_x4/keccak_absorb_once_x4_harness.c b/proofs/cbmc/keccak_absorb_once_x4/keccak_absorb_once_x4_harness.c index 7e91d69a9..4810adbc3 100644 --- a/proofs/cbmc/keccak_absorb_once_x4/keccak_absorb_once_x4_harness.c +++ b/proofs/cbmc/keccak_absorb_once_x4/keccak_absorb_once_x4_harness.c @@ -7,8 +7,8 @@ #include #include -#define keccak_absorb_once_x4 MLK_NAMESPACE(keccak_absorb_once_x4) -void keccak_absorb_once_x4(uint64_t *s, uint32_t r, const uint8_t *in0, +#define mlk_keccak_absorb_once_x4 MLK_NAMESPACE(keccak_absorb_once_x4) +void mlk_keccak_absorb_once_x4(uint64_t *s, uint32_t r, const uint8_t *in0, const uint8_t *in1, const uint8_t *in2, const uint8_t *in3, size_t inlen, uint8_t p); @@ -19,5 +19,5 @@ void harness(void) const uint8_t *in0, *in1, *in2, *in3; size_t inlen; uint8_t p; - keccak_absorb_once_x4(s, r, in0, in1, in2, in3, inlen, p); + mlk_keccak_absorb_once_x4(s, r, in0, in1, in2, in3, inlen, p); } diff --git a/proofs/cbmc/keccak_squeeze_once/Makefile b/proofs/cbmc/keccak_squeeze_once/Makefile index f14b78902..ae5ca70d1 100644 --- a/proofs/cbmc/keccak_squeeze_once/Makefile +++ b/proofs/cbmc/keccak_squeeze_once/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = keccak_squeeze_once_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = keccak_squeeze_once +PROOF_UID = mlk_keccak_squeeze_once DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_squeeze_once +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_squeeze_once USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)KeccakF1600_StateExtractBytes $(MLK_NAMESPACE)KeccakF1600_StatePermute APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -29,7 +29,7 @@ CBMCFLAGS=--bitwuzla CBMCFLAGS += --no-array-field-sensitivity --arrays-uf-always --slice-formula -FUNCTION_NAME = keccak_squeeze_once +FUNCTION_NAME = mlk_keccak_squeeze_once # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/keccak_squeeze_once/keccak_squeeze_once_harness.c b/proofs/cbmc/keccak_squeeze_once/keccak_squeeze_once_harness.c index 1f4cab848..55687fe62 100644 --- a/proofs/cbmc/keccak_squeeze_once/keccak_squeeze_once_harness.c +++ b/proofs/cbmc/keccak_squeeze_once/keccak_squeeze_once_harness.c @@ -7,8 +7,8 @@ #include #include -#define keccak_squeeze_once MLK_NAMESPACE(keccak_squeeze_once) -void keccak_squeeze_once(uint8_t *h, size_t outlen, uint64_t *s, uint32_t r); +#define mlk_keccak_squeeze_once MLK_NAMESPACE(keccak_squeeze_once) +void mlk_keccak_squeeze_once(uint8_t *h, size_t outlen, uint64_t *s, uint32_t r); void harness(void) { @@ -16,5 +16,5 @@ void harness(void) size_t outlen; uint64_t *s; uint32_t r; - keccak_squeeze_once(h, outlen, s, r); + mlk_keccak_squeeze_once(h, outlen, s, r); } diff --git a/proofs/cbmc/keccak_squeezeblocks/Makefile b/proofs/cbmc/keccak_squeezeblocks/Makefile index ba70dc8ab..4ca004a63 100644 --- a/proofs/cbmc/keccak_squeezeblocks/Makefile +++ b/proofs/cbmc/keccak_squeezeblocks/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = keccak_squeezeblocks_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = keccak_squeezeblocks +PROOF_UID = mlk_keccak_squeezeblocks DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_squeezeblocks +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_squeezeblocks USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)KeccakF1600_StateExtractBytes $(MLK_NAMESPACE)KeccakF1600_StatePermute APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -29,7 +29,7 @@ CBMCFLAGS=--bitwuzla CBMCFLAGS += --no-array-field-sensitivity --arrays-uf-always --slice-formula -FUNCTION_NAME = keccak_squeezeblocks +FUNCTION_NAME = mlk_keccak_squeezeblocks # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/keccak_squeezeblocks/keccak_squeezeblocks_harness.c b/proofs/cbmc/keccak_squeezeblocks/keccak_squeezeblocks_harness.c index 52b86ac74..ae464bb3f 100644 --- a/proofs/cbmc/keccak_squeezeblocks/keccak_squeezeblocks_harness.c +++ b/proofs/cbmc/keccak_squeezeblocks/keccak_squeezeblocks_harness.c @@ -7,8 +7,8 @@ #include #include -#define keccak_squeezeblocks MLK_NAMESPACE(keccak_squeezeblocks) -void keccak_squeezeblocks(uint8_t *h, size_t nblocks, uint64_t *s, uint32_t r); +#define mlk_keccak_squeezeblocks MLK_NAMESPACE(keccak_squeezeblocks) +void mlk_keccak_squeezeblocks(uint8_t *h, size_t nblocks, uint64_t *s, uint32_t r); void harness(void) { @@ -16,5 +16,5 @@ void harness(void) size_t nblocks; uint64_t *s; uint32_t r; - keccak_squeezeblocks(h, nblocks, s, r); + mlk_keccak_squeezeblocks(h, nblocks, s, r); } diff --git a/proofs/cbmc/keccak_squeezeblocks_x4/Makefile b/proofs/cbmc/keccak_squeezeblocks_x4/Makefile index c7bd13ef3..9c4bbf180 100644 --- a/proofs/cbmc/keccak_squeezeblocks_x4/Makefile +++ b/proofs/cbmc/keccak_squeezeblocks_x4/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = keccak_squeezeblocks_x4_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = keccak_squeezeblocks_x4 +PROOF_UID = mlk_keccak_squeezeblocks_x4 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202x4.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_squeezeblocks_x4 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_squeezeblocks_x4 USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)KeccakF1600x4_StateExtractBytes $(MLK_NAMESPACE)KeccakF1600x4_StatePermute APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -29,7 +29,7 @@ CBMCFLAGS=--bitwuzla CBMCFLAGS += --no-array-field-sensitivity --arrays-uf-always --slice-formula -FUNCTION_NAME = keccak_squeezeblocks_x4 +FUNCTION_NAME = mlk_keccak_squeezeblocks_x4 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/keccak_squeezeblocks_x4/keccak_squeezeblocks_x4_harness.c b/proofs/cbmc/keccak_squeezeblocks_x4/keccak_squeezeblocks_x4_harness.c index e05bbb049..533d09589 100644 --- a/proofs/cbmc/keccak_squeezeblocks_x4/keccak_squeezeblocks_x4_harness.c +++ b/proofs/cbmc/keccak_squeezeblocks_x4/keccak_squeezeblocks_x4_harness.c @@ -7,8 +7,8 @@ #include #include -#define keccak_squeezeblocks_x4 MLK_NAMESPACE(keccak_squeezeblocks_x4) -void keccak_squeezeblocks_x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, +#define mlk_keccak_squeezeblocks_x4 MLK_NAMESPACE(keccak_squeezeblocks_x4) +void mlk_keccak_squeezeblocks_x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3, size_t nblocks, uint64_t *s, uint32_t r); @@ -18,5 +18,5 @@ void harness(void) size_t nblocks; uint64_t *s; uint32_t r; - keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, s, r); + mlk_keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, s, r); } diff --git a/proofs/cbmc/matvec_mul/Makefile b/proofs/cbmc/matvec_mul/Makefile index 2e91f2f78..6e4318e3a 100644 --- a/proofs/cbmc/matvec_mul/Makefile +++ b/proofs/cbmc/matvec_mul/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = matvec_mul_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = matvec_mul +PROOF_UID = mlk_matvec_mul DEFINES += INCLUDES += @@ -17,8 +17,8 @@ REMOVE_FUNCTION_BODY += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/indcpa.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)matvec_mul -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_basemul_acc_montgomery_cached +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_matvec_mul +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_basemul_acc_montgomery_cached APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -37,7 +37,7 @@ CBMCFLAGS=--smt2 # a substantial improvement in proof performance. CBMCFLAGS += --no-array-field-sensitivity --arrays-uf-always --slice-formula -FUNCTION_NAME = $(MLK_NAMESPACE)matvec_mul +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_matvec_mul # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/matvec_mul/matvec_mul_harness.c b/proofs/cbmc/matvec_mul/matvec_mul_harness.c index 8ef1e7771..50bd4a81f 100644 --- a/proofs/cbmc/matvec_mul/matvec_mul_harness.c +++ b/proofs/cbmc/matvec_mul/matvec_mul_harness.c @@ -5,13 +5,13 @@ #include "indcpa.h" #include "poly_k.h" -#define matvec_mul MLK_NAMESPACE(matvec_mul) -void matvec_mul(polyvec *out, polyvec const *a, polyvec const *v, - polyvec_mulcache const *vc); +#define mlk_matvec_mul MLK_NAMESPACE(matvec_mul) +void mlk_matvec_mul(mlk_polyvec *out, mlk_polyvec const *a, mlk_polyvec const *v, + mlk_polyvec_mulcache const *vc); void harness(void) { - polyvec *out, *a, *v; - polyvec_mulcache *vc; - matvec_mul(out, a, v, vc); + mlk_polyvec *out, *a, *v; + mlk_polyvec_mulcache *vc; + mlk_matvec_mul(out, a, v, vc); } diff --git a/proofs/cbmc/montgomery_reduce/Makefile b/proofs/cbmc/montgomery_reduce/Makefile index 88a0e154c..5329f816e 100644 --- a/proofs/cbmc/montgomery_reduce/Makefile +++ b/proofs/cbmc/montgomery_reduce/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = montgomery_reduce_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = montgomery_reduce +PROOF_UID = mlk_montgomery_reduce DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c # Some unit including reduce.h -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)montgomery_reduce +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_montgomery_reduce USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = montgomery_reduce +FUNCTION_NAME = mlk_montgomery_reduce # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/montgomery_reduce/montgomery_reduce_harness.c b/proofs/cbmc/montgomery_reduce/montgomery_reduce_harness.c index df4869743..7ef2efd25 100644 --- a/proofs/cbmc/montgomery_reduce/montgomery_reduce_harness.c +++ b/proofs/cbmc/montgomery_reduce/montgomery_reduce_harness.c @@ -5,13 +5,13 @@ #include #include "common.h" -#define montgomery_reduce MLK_NAMESPACE(montgomery_reduce) -int16_t montgomery_reduce(int32_t a); +#define mlk_montgomery_reduce MLK_NAMESPACE(montgomery_reduce) +int16_t mlk_montgomery_reduce(int32_t a); void harness(void) { int32_t a; int16_t r; - r = montgomery_reduce(a); + r = mlk_montgomery_reduce(a); } diff --git a/proofs/cbmc/ntt_butterfly_block/Makefile b/proofs/cbmc/ntt_butterfly_block/Makefile index b6fd50796..8ff5f77e2 100644 --- a/proofs/cbmc/ntt_butterfly_block/Makefile +++ b/proofs/cbmc/ntt_butterfly_block/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ntt_butterfly_block_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ntt_butterfly_block +PROOF_UID = mlk_ntt_butterfly_block DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ntt_butterfly_block -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)fqmul +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ntt_butterfly_block +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_fqmul APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = ntt_butterfly_block +FUNCTION_NAME = mlk_ntt_butterfly_block # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ntt_butterfly_block/ntt_butterfly_block_harness.c b/proofs/cbmc/ntt_butterfly_block/ntt_butterfly_block_harness.c index 6d68bcd14..96a1a65f9 100644 --- a/proofs/cbmc/ntt_butterfly_block/ntt_butterfly_block_harness.c +++ b/proofs/cbmc/ntt_butterfly_block/ntt_butterfly_block_harness.c @@ -5,8 +5,8 @@ #include #include "common.h" -#define ntt_butterfly_block MLK_NAMESPACE(ntt_butterfly_block) -void ntt_butterfly_block(int16_t *r, int16_t root, unsigned start, unsigned len, +#define mlk_ntt_butterfly_block MLK_NAMESPACE(ntt_butterfly_block) +void mlk_ntt_butterfly_block(int16_t *r, int16_t root, unsigned start, unsigned len, int bound); void harness(void) @@ -14,5 +14,5 @@ void harness(void) int16_t *r, root; unsigned start, stride; int bound; - ntt_butterfly_block(r, root, start, stride, bound); + mlk_ntt_butterfly_block(r, root, start, stride, bound); } diff --git a/proofs/cbmc/ntt_layer/Makefile b/proofs/cbmc/ntt_layer/Makefile index 470edf4e8..d272d1df7 100644 --- a/proofs/cbmc/ntt_layer/Makefile +++ b/proofs/cbmc/ntt_layer/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = ntt_layer_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = ntt_layer +PROOF_UID = mlk_ntt_layer DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c $(SRCDIR)/mlkem/zetas.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ntt_layer -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ntt_butterfly_block +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ntt_layer +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ntt_butterfly_block APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = ntt_layer +FUNCTION_NAME = mlk_ntt_layer # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/ntt_layer/ntt_layer_harness.c b/proofs/cbmc/ntt_layer/ntt_layer_harness.c index 731f5a552..3df418832 100644 --- a/proofs/cbmc/ntt_layer/ntt_layer_harness.c +++ b/proofs/cbmc/ntt_layer/ntt_layer_harness.c @@ -4,12 +4,12 @@ #include "poly.h" -#define ntt_layer MLK_NAMESPACE(ntt_layer) -void ntt_layer(int16_t *p, unsigned len, unsigned layer); +#define mlk_ntt_layer MLK_NAMESPACE(ntt_layer) +void mlk_ntt_layer(int16_t *p, unsigned len, unsigned layer); void harness(void) { int16_t *a; unsigned len, layer; - ntt_layer(a, len, layer); + mlk_ntt_layer(a, len, layer); } diff --git a/proofs/cbmc/poly_add/Makefile b/proofs/cbmc/poly_add/Makefile index 624d4c2bc..f5050b5a9 100644 --- a/proofs/cbmc/poly_add/Makefile +++ b/proofs/cbmc/poly_add/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_add_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_add +PROOF_UID = mlk_poly_add DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_add +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_add USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = poly_add +FUNCTION_NAME = mlk_poly_add # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_add/poly_add_harness.c b/proofs/cbmc/poly_add/poly_add_harness.c index 928837c1a..3da847711 100644 --- a/proofs/cbmc/poly_add/poly_add_harness.c +++ b/proofs/cbmc/poly_add/poly_add_harness.c @@ -6,6 +6,6 @@ void harness(void) { - poly *r, *b; - poly_add(r, b); + mlk_poly *r, *b; + mlk_poly_add(r, b); } diff --git a/proofs/cbmc/poly_cbd_eta1/Makefile b/proofs/cbmc/poly_cbd_eta1/Makefile index 8c16865a4..5d1592d44 100644 --- a/proofs/cbmc/poly_cbd_eta1/Makefile +++ b/proofs/cbmc/poly_cbd_eta1/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_cbd_eta1_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_cbd_eta1 +PROOF_UID = mlk_poly_cbd_eta1 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/sampling.c $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_cbd_eta1 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_cbd_eta1 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_cbd_eta1 +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_cbd_eta1 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_cbd_eta1/poly_cbd_eta1_harness.c b/proofs/cbmc/poly_cbd_eta1/poly_cbd_eta1_harness.c index c0d5b1ec8..0aafa4a3c 100644 --- a/proofs/cbmc/poly_cbd_eta1/poly_cbd_eta1_harness.c +++ b/proofs/cbmc/poly_cbd_eta1/poly_cbd_eta1_harness.c @@ -4,13 +4,13 @@ #include "poly.h" -#define poly_cbd_eta1 MLK_NAMESPACE(poly_cbd_eta1) -void poly_cbd_eta1(poly *r, const uint8_t buf[MLKEM_ETA1 * MLKEM_N / 4]); +#define mlk_poly_cbd_eta1 MLK_NAMESPACE(poly_cbd_eta1) +void mlk_poly_cbd_eta1(mlk_poly *r, const uint8_t buf[MLKEM_ETA1 * MLKEM_N / 4]); void harness(void) { uint8_t *buf; - poly *a; + mlk_poly *a; - poly_cbd_eta1(a, buf); + mlk_poly_cbd_eta1(a, buf); } diff --git a/proofs/cbmc/poly_cbd_eta2/Makefile b/proofs/cbmc/poly_cbd_eta2/Makefile index 5d5a6edda..de621706b 100644 --- a/proofs/cbmc/poly_cbd_eta2/Makefile +++ b/proofs/cbmc/poly_cbd_eta2/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_cbd_eta2_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_cbd_eta2 +PROOF_UID = mlk_poly_cbd_eta2 DEFINES += INCLUDES += @@ -20,9 +20,9 @@ PROJECT_SOURCES += $(SRCDIR)/mlkem/sampling.c $(SRCDIR)/mlkem/poly_k.c # Only relevant for K=2 or K=4 ifeq ($(MLKEM_K),2) -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_cbd_eta2 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_cbd_eta2 else ifeq ($(MLKEM_K),4) -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_cbd_eta2 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_cbd_eta2 else CHECK_FUNCTION_CONTRACTS= endif @@ -35,7 +35,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_cbd_eta2 +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_cbd_eta2 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_cbd_eta2/poly_cbd_eta2_harness.c b/proofs/cbmc/poly_cbd_eta2/poly_cbd_eta2_harness.c index b7799a376..e83466125 100644 --- a/proofs/cbmc/poly_cbd_eta2/poly_cbd_eta2_harness.c +++ b/proofs/cbmc/poly_cbd_eta2/poly_cbd_eta2_harness.c @@ -4,16 +4,16 @@ #include "poly.h" -#define poly_cbd_eta2 MLK_NAMESPACE(poly_cbd_eta2) -void poly_cbd_eta2(poly *r, const uint8_t buf[MLKEM_ETA2 * MLKEM_N / 4]); +#define mlk_poly_cbd_eta2 MLK_NAMESPACE(poly_cbd_eta2) +void mlk_poly_cbd_eta2(mlk_poly *r, const uint8_t buf[MLKEM_ETA2 * MLKEM_N / 4]); void harness(void) { - /* poly_cbd_eta2() is only defined for MLKEM_K == 2 or 4 */ + /* mlk_poly_cbd_eta2() is only defined for MLKEM_K == 2 or 4 */ #if MLKEM_K == 2 || MLKEM_K == 4 uint8_t *buf; - poly *a; + mlk_poly *a; - poly_cbd_eta2(a, buf); + mlk_poly_cbd_eta2(a, buf); #endif /* MLKEM_K == 2 || MLKEM_K == 4 */ } diff --git a/proofs/cbmc/poly_compress_du/Makefile b/proofs/cbmc/poly_compress_du/Makefile index 0dbc3fa87..d8cbfa2d5 100644 --- a/proofs/cbmc/poly_compress_du/Makefile +++ b/proofs/cbmc/poly_compress_du/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_compress_du_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_compress_du +PROOF_UID = mlk_poly_compress_du DEFINES += INCLUDES += @@ -18,16 +18,16 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_compress_du +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_compress_du USE_FUNCTION_CONTRACTS = # TODO: We should be calling scalar_decompress_xxx by contract here, # but it does not seem to work yet because they are marked as static inline. -# For K = 2 or 3, the code calls scalar_compress_d10, so +# For K = 2 or 3, the code calls mlk_scalar_compress_d10, so # ifeq ($(MLKEM_K),4) -# USE_FUNCTION_CONTRACTS = scalar_compress_d11 +# USE_FUNCTION_CONTRACTS = mlk_scalar_compress_d11 # else -# USE_FUNCTION_CONTRACTS = scalar_compress_d10 +# USE_FUNCTION_CONTRACTS = mlk_scalar_compress_d10 # endif APPLY_LOOP_CONTRACTS=on @@ -37,7 +37,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_compress_du +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_compress_du # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_compress_du/poly_compress_du_harness.c b/proofs/cbmc/poly_compress_du/poly_compress_du_harness.c index cb2232cc8..fd90667ea 100644 --- a/proofs/cbmc/poly_compress_du/poly_compress_du_harness.c +++ b/proofs/cbmc/poly_compress_du/poly_compress_du_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly *r; + mlk_poly *r; uint8_t *a; - poly_compress_du(a, r); + mlk_poly_compress_du(a, r); } diff --git a/proofs/cbmc/poly_compress_dv/Makefile b/proofs/cbmc/poly_compress_dv/Makefile index 36d462f3b..d1a8398f4 100644 --- a/proofs/cbmc/poly_compress_dv/Makefile +++ b/proofs/cbmc/poly_compress_dv/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_compress_dv_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_compress_dv +PROOF_UID = mlk_poly_compress_dv DEFINES += INCLUDES += @@ -18,15 +18,15 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_compress_dv +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_compress_dv USE_FUNCTION_CONTRACTS = # TODO: We should be calling scalar_decompress_xxx by contract here, # but it does not seem to work yet because they are marked as static inline. # ifeq ($(MLKEM_K),4) -# USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_compress_d5 +# USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_compress_d5 # else -# USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_compress_d4 +# USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_compress_d4 # endif APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -35,7 +35,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_compress_dv +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_compress_dv # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_compress_dv/poly_compress_dv_harness.c b/proofs/cbmc/poly_compress_dv/poly_compress_dv_harness.c index f15d385fc..758d6dae8 100644 --- a/proofs/cbmc/poly_compress_dv/poly_compress_dv_harness.c +++ b/proofs/cbmc/poly_compress_dv/poly_compress_dv_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly *r; + mlk_poly *r; uint8_t *a; - poly_compress_dv(a, r); + mlk_poly_compress_dv(a, r); } diff --git a/proofs/cbmc/poly_decompress_du/Makefile b/proofs/cbmc/poly_decompress_du/Makefile index 442c11ae8..128c31f26 100644 --- a/proofs/cbmc/poly_decompress_du/Makefile +++ b/proofs/cbmc/poly_decompress_du/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_decompress_du_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_decompress_du +PROOF_UID = mlk_poly_decompress_du DEFINES += INCLUDES += @@ -18,16 +18,16 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_decompress_du +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_decompress_du USE_FUNCTION_CONTRACTS = # TODO: We should be calling scalar_decompress_xxx by contract here, # but it does not seem to work yet because they are marked as static inline. -# For K = 2 or 3, the code calls scalar_decompress_d10, so +# For K = 2 or 3, the code calls mlk_scalar_decompress_d10, so # ifeq ($(MLKEM_K),4) -# USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_decompress_d11 +# USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_decompress_d11 # else -# USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_decompress_d10 +# USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_decompress_d10 # endif APPLY_LOOP_CONTRACTS=on @@ -37,7 +37,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_decompress_du +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_decompress_du # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_decompress_du/poly_decompress_du_harness.c b/proofs/cbmc/poly_decompress_du/poly_decompress_du_harness.c index dac5789f5..620c1f258 100644 --- a/proofs/cbmc/poly_decompress_du/poly_decompress_du_harness.c +++ b/proofs/cbmc/poly_decompress_du/poly_decompress_du_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly *r; + mlk_poly *r; uint8_t *a; - poly_decompress_du(r, a); + mlk_poly_decompress_du(r, a); } diff --git a/proofs/cbmc/poly_decompress_dv/Makefile b/proofs/cbmc/poly_decompress_dv/Makefile index 368be3d90..d173a7df2 100644 --- a/proofs/cbmc/poly_decompress_dv/Makefile +++ b/proofs/cbmc/poly_decompress_dv/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_decompress_dv_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_decompress_dv +PROOF_UID = mlk_poly_decompress_dv DEFINES += INCLUDES += @@ -18,16 +18,16 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_decompress_dv +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_decompress_dv USE_FUNCTION_CONTRACTS = # TODO: We should be calling scalar_decompress_xxx by contract here, # but it does not seem to work yet because they are marked as static inline. -# For K = 2 or 3, the code calls scalar_decompress_d4, so +# For K = 2 or 3, the code calls mlk_scalar_decompress_d4, so # ifeq ($(MLKEM_K),4) -# USE_FUNCTION_CONTRACTS = scalar_decompress_d5 +# USE_FUNCTION_CONTRACTS = mlk_scalar_decompress_d5 # else -# USE_FUNCTION_CONTRACTS = scalar_decompress_d4 +# USE_FUNCTION_CONTRACTS = mlk_scalar_decompress_d4 # endif APPLY_LOOP_CONTRACTS=on @@ -37,7 +37,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)poly_decompress_dv +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_decompress_dv # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_decompress_dv/poly_decompress_dv_harness.c b/proofs/cbmc/poly_decompress_dv/poly_decompress_dv_harness.c index e6d700cd5..b70fc0356 100644 --- a/proofs/cbmc/poly_decompress_dv/poly_decompress_dv_harness.c +++ b/proofs/cbmc/poly_decompress_dv/poly_decompress_dv_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly *r; + mlk_poly *r; uint8_t *a; - poly_decompress_dv(r, a); + mlk_poly_decompress_dv(r, a); } diff --git a/proofs/cbmc/poly_frombytes/Makefile b/proofs/cbmc/poly_frombytes/Makefile index 13c8157b6..6e53e6b4b 100644 --- a/proofs/cbmc/poly_frombytes/Makefile +++ b/proofs/cbmc/poly_frombytes/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_frombytes_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_frombytes +PROOF_UID = mlk_poly_frombytes DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_frombytes +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_frombytes USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)poly_frombytes +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_frombytes # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_frombytes/poly_frombytes_harness.c b/proofs/cbmc/poly_frombytes/poly_frombytes_harness.c index e8a44a845..a1e2d354f 100644 --- a/proofs/cbmc/poly_frombytes/poly_frombytes_harness.c +++ b/proofs/cbmc/poly_frombytes/poly_frombytes_harness.c @@ -6,9 +6,9 @@ void harness(void) { - poly *a; + mlk_poly *a; uint8_t *r; /* Contracts for this function are in compress.h */ - poly_frombytes(a, r); + mlk_poly_frombytes(a, r); } diff --git a/proofs/cbmc/poly_frombytes_native/Makefile b/proofs/cbmc/poly_frombytes_native/Makefile index 079b72377..b66310a8d 100644 --- a/proofs/cbmc/poly_frombytes_native/Makefile +++ b/proofs/cbmc/poly_frombytes_native/Makefile @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_frombytes +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_frombytes USE_FUNCTION_CONTRACTS=poly_frombytes_native APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/poly_frombytes_native/poly_frombytes_native_harness.c b/proofs/cbmc/poly_frombytes_native/poly_frombytes_native_harness.c index e8a44a845..a1e2d354f 100644 --- a/proofs/cbmc/poly_frombytes_native/poly_frombytes_native_harness.c +++ b/proofs/cbmc/poly_frombytes_native/poly_frombytes_native_harness.c @@ -6,9 +6,9 @@ void harness(void) { - poly *a; + mlk_poly *a; uint8_t *r; /* Contracts for this function are in compress.h */ - poly_frombytes(a, r); + mlk_poly_frombytes(a, r); } diff --git a/proofs/cbmc/poly_frommsg/Makefile b/proofs/cbmc/poly_frommsg/Makefile index 4343054dd..c1b6a5170 100644 --- a/proofs/cbmc/poly_frommsg/Makefile +++ b/proofs/cbmc/poly_frommsg/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_frommsg_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_frommsg +PROOF_UID = mlk_poly_frommsg DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_frommsg -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_sel_int16 $(MLK_NAMESPACE)value_barrier_u8 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_frommsg +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_sel_int16 $(MLK_NAMESPACE)mlk_value_barrier_u8 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)poly_frommsg +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_frommsg # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_frommsg/poly_frommsg_harness.c b/proofs/cbmc/poly_frommsg/poly_frommsg_harness.c index 42e13f444..bec0f1fa5 100644 --- a/proofs/cbmc/poly_frommsg/poly_frommsg_harness.c +++ b/proofs/cbmc/poly_frommsg/poly_frommsg_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly *a; + mlk_poly *a; uint8_t *msg; - poly_frommsg(a, msg); + mlk_poly_frommsg(a, msg); } diff --git a/proofs/cbmc/poly_getnoise_eta1122_4x/Makefile b/proofs/cbmc/poly_getnoise_eta1122_4x/Makefile index 9300708b4..9906f3662 100644 --- a/proofs/cbmc/poly_getnoise_eta1122_4x/Makefile +++ b/proofs/cbmc/poly_getnoise_eta1122_4x/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_getnoise_eta1122_4x_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_getnoise_eta1122_4x +PROOF_UID = mlk_poly_getnoise_eta1122_4x DEFINES += INCLUDES += @@ -20,8 +20,8 @@ PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c # Only relevant for K=2 ifeq ($(MLKEM_K),2) -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_getnoise_eta1122_4x -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_cbd_eta1 $(MLK_NAMESPACE)poly_cbd_eta2 $(MLK_NAMESPACE)shake256 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_getnoise_eta1122_4x +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_cbd_eta1 $(MLK_NAMESPACE)mlk_poly_cbd_eta2 $(MLK_NAMESPACE)shake256 else CHECK_FUNCTION_CONTRACTS= USE_FUNCTION_CONTRACTS= @@ -33,7 +33,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_getnoise_eta1122_4x +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_getnoise_eta1122_4x # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_getnoise_eta1122_4x/poly_getnoise_eta1122_4x_harness.c b/proofs/cbmc/poly_getnoise_eta1122_4x/poly_getnoise_eta1122_4x_harness.c index 7b16dd21e..e79889390 100644 --- a/proofs/cbmc/poly_getnoise_eta1122_4x/poly_getnoise_eta1122_4x_harness.c +++ b/proofs/cbmc/poly_getnoise_eta1122_4x/poly_getnoise_eta1122_4x_harness.c @@ -6,13 +6,13 @@ void harness(void) { - /* poly_getnoise_eta1122_4x is only defines for MLKEM_K == 2 */ + /* mlk_poly_getnoise_eta1122_4x is only defines for MLKEM_K == 2 */ #if MLKEM_K == 2 uint8_t *seed; - poly *r0, *r1, *r2, *r3; + mlk_poly *r0, *r1, *r2, *r3; uint8_t nonce0, nonce1, nonce2, nonce3; - poly_getnoise_eta1122_4x(r0, r1, r2, r3, seed, nonce0, nonce1, nonce2, + mlk_poly_getnoise_eta1122_4x(r0, r1, r2, r3, seed, nonce0, nonce1, nonce2, nonce3); #endif /* MLKEM_K == 2 */ } diff --git a/proofs/cbmc/poly_getnoise_eta1122_4x_native/Makefile b/proofs/cbmc/poly_getnoise_eta1122_4x_native/Makefile index b1d58a505..fb4cdf7a7 100644 --- a/proofs/cbmc/poly_getnoise_eta1122_4x_native/Makefile +++ b/proofs/cbmc/poly_getnoise_eta1122_4x_native/Makefile @@ -20,8 +20,8 @@ PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c # Only relevant for K=2 ifeq ($(MLKEM_K),2) -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_getnoise_eta1122_4x -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_cbd_eta1 $(MLK_NAMESPACE)poly_cbd_eta2 $(MLK_NAMESPACE)shake256x4 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_getnoise_eta1122_4x +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_cbd_eta1 $(MLK_NAMESPACE)mlk_poly_cbd_eta2 $(MLK_NAMESPACE)shake256x4 else CHECK_FUNCTION_CONTRACTS= USE_FUNCTION_CONTRACTS= @@ -33,7 +33,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_getnoise_eta1122_4x +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_getnoise_eta1122_4x # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_getnoise_eta1122_4x_native/poly_getnoise_eta1122_4x_native_harness.c b/proofs/cbmc/poly_getnoise_eta1122_4x_native/poly_getnoise_eta1122_4x_native_harness.c index 7b16dd21e..e79889390 100644 --- a/proofs/cbmc/poly_getnoise_eta1122_4x_native/poly_getnoise_eta1122_4x_native_harness.c +++ b/proofs/cbmc/poly_getnoise_eta1122_4x_native/poly_getnoise_eta1122_4x_native_harness.c @@ -6,13 +6,13 @@ void harness(void) { - /* poly_getnoise_eta1122_4x is only defines for MLKEM_K == 2 */ + /* mlk_poly_getnoise_eta1122_4x is only defines for MLKEM_K == 2 */ #if MLKEM_K == 2 uint8_t *seed; - poly *r0, *r1, *r2, *r3; + mlk_poly *r0, *r1, *r2, *r3; uint8_t nonce0, nonce1, nonce2, nonce3; - poly_getnoise_eta1122_4x(r0, r1, r2, r3, seed, nonce0, nonce1, nonce2, + mlk_poly_getnoise_eta1122_4x(r0, r1, r2, r3, seed, nonce0, nonce1, nonce2, nonce3); #endif /* MLKEM_K == 2 */ } diff --git a/proofs/cbmc/poly_getnoise_eta1_4x/Makefile b/proofs/cbmc/poly_getnoise_eta1_4x/Makefile index c0ae0d016..a1ae232aa 100644 --- a/proofs/cbmc/poly_getnoise_eta1_4x/Makefile +++ b/proofs/cbmc/poly_getnoise_eta1_4x/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_getnoise_eta1_4x_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_getnoise_eta1_4x +PROOF_UID = mlk_poly_getnoise_eta1_4x DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_getnoise_eta1_4x -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_cbd_eta1 $(MLK_NAMESPACE)shake256x4 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_getnoise_eta1_4x +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_cbd_eta1 $(MLK_NAMESPACE)shake256x4 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_getnoise_eta1_4x +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_getnoise_eta1_4x # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_getnoise_eta1_4x/poly_getnoise_eta1_4x_harness.c b/proofs/cbmc/poly_getnoise_eta1_4x/poly_getnoise_eta1_4x_harness.c index 0c6b83988..0f5932079 100644 --- a/proofs/cbmc/poly_getnoise_eta1_4x/poly_getnoise_eta1_4x_harness.c +++ b/proofs/cbmc/poly_getnoise_eta1_4x/poly_getnoise_eta1_4x_harness.c @@ -7,8 +7,8 @@ void harness(void) { uint8_t *seed; - poly *r0, *r1, *r2, *r3; + mlk_poly *r0, *r1, *r2, *r3; uint8_t nonce0, nonce1, nonce2, nonce3; - poly_getnoise_eta1_4x(r0, r1, r2, r3, seed, nonce0, nonce1, nonce2, nonce3); + mlk_poly_getnoise_eta1_4x(r0, r1, r2, r3, seed, nonce0, nonce1, nonce2, nonce3); } diff --git a/proofs/cbmc/poly_getnoise_eta2/Makefile b/proofs/cbmc/poly_getnoise_eta2/Makefile index d0f78c272..9bb53bd96 100644 --- a/proofs/cbmc/poly_getnoise_eta2/Makefile +++ b/proofs/cbmc/poly_getnoise_eta2/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_getnoise_eta2_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_getnoise_eta2 +PROOF_UID = mlk_poly_getnoise_eta2 DEFINES += INCLUDES += @@ -20,11 +20,11 @@ PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c # Only relevant for K=2 or K=4 ifeq ($(MLKEM_K),2) -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_getnoise_eta2 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_cbd_eta2 $(MLK_NAMESPACE)shake256 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_getnoise_eta2 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_cbd_eta2 $(MLK_NAMESPACE)shake256 else ifeq ($(MLKEM_K),4) -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_getnoise_eta2 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_cbd_eta2 $(MLK_NAMESPACE)shake256 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_getnoise_eta2 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_cbd_eta2 $(MLK_NAMESPACE)shake256 else CHECK_FUNCTION_CONTRACTS= USE_FUNCTION_CONTRACTS= @@ -37,7 +37,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_getnoise_eta2 +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_getnoise_eta2 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_getnoise_eta2/poly_getnoise_eta2_harness.c b/proofs/cbmc/poly_getnoise_eta2/poly_getnoise_eta2_harness.c index fe5b3521f..78020fdcf 100644 --- a/proofs/cbmc/poly_getnoise_eta2/poly_getnoise_eta2_harness.c +++ b/proofs/cbmc/poly_getnoise_eta2/poly_getnoise_eta2_harness.c @@ -6,12 +6,12 @@ void harness(void) { - /* poly_getnoise_eta2() is only defined for MLKEM_K == 2, 4 */ + /* mlk_poly_getnoise_eta2() is only defined for MLKEM_K == 2, 4 */ #if MLKEM_K == 2 || MLKEM_K == 4 uint8_t *seed; - poly *r; + mlk_poly *r; uint8_t nonce; - poly_getnoise_eta2(r, seed, nonce); + mlk_poly_getnoise_eta2(r, seed, nonce); #endif /* MLKEM_K == 2 || MLKEM_K == 4 */ } diff --git a/proofs/cbmc/poly_invntt_tomont/Makefile b/proofs/cbmc/poly_invntt_tomont/Makefile index 5b1129af2..37576e866 100644 --- a/proofs/cbmc/poly_invntt_tomont/Makefile +++ b/proofs/cbmc/poly_invntt_tomont/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_invntt_tomont_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_invntt_tomont +PROOF_UID = mlk_poly_invntt_tomont DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_invntt_tomont -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)invntt_layer $(MLK_NAMESPACE)fqmul +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_invntt_tomont +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_invntt_layer $(MLK_NAMESPACE)mlk_fqmul APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = poly_invntt_tomont +FUNCTION_NAME = mlk_poly_invntt_tomont # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_invntt_tomont/poly_invntt_tomont_harness.c b/proofs/cbmc/poly_invntt_tomont/poly_invntt_tomont_harness.c index 5f57c85ac..4dcd93b18 100644 --- a/proofs/cbmc/poly_invntt_tomont/poly_invntt_tomont_harness.c +++ b/proofs/cbmc/poly_invntt_tomont/poly_invntt_tomont_harness.c @@ -6,6 +6,6 @@ void harness(void) { - poly *p; - poly_invntt_tomont(p); + mlk_poly *p; + mlk_poly_invntt_tomont(p); } diff --git a/proofs/cbmc/poly_invntt_tomont_native/Makefile b/proofs/cbmc/poly_invntt_tomont_native/Makefile index 142e1f633..dc8fae273 100644 --- a/proofs/cbmc/poly_invntt_tomont_native/Makefile +++ b/proofs/cbmc/poly_invntt_tomont_native/Makefile @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_invntt_tomont +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_invntt_tomont USE_FUNCTION_CONTRACTS=intt_native APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/poly_invntt_tomont_native/poly_invntt_tomont_native_harness.c b/proofs/cbmc/poly_invntt_tomont_native/poly_invntt_tomont_native_harness.c index 5f57c85ac..4dcd93b18 100644 --- a/proofs/cbmc/poly_invntt_tomont_native/poly_invntt_tomont_native_harness.c +++ b/proofs/cbmc/poly_invntt_tomont_native/poly_invntt_tomont_native_harness.c @@ -6,6 +6,6 @@ void harness(void) { - poly *p; - poly_invntt_tomont(p); + mlk_poly *p; + mlk_poly_invntt_tomont(p); } diff --git a/proofs/cbmc/poly_mulcache_compute/Makefile b/proofs/cbmc/poly_mulcache_compute/Makefile index 84347baeb..efc688e8c 100644 --- a/proofs/cbmc/poly_mulcache_compute/Makefile +++ b/proofs/cbmc/poly_mulcache_compute/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_mulcache_compute_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_mulcache_compute +PROOF_UID = mlk_poly_mulcache_compute DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c $(SRCDIR)/mlkem/zetas.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_mulcache_compute -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)fqmul +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_mulcache_compute +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_fqmul APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = poly_mulcache_compute +FUNCTION_NAME = mlk_poly_mulcache_compute # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_mulcache_compute/poly_mulcache_compute_harness.c b/proofs/cbmc/poly_mulcache_compute/poly_mulcache_compute_harness.c index 32f07aae1..eab184d8c 100644 --- a/proofs/cbmc/poly_mulcache_compute/poly_mulcache_compute_harness.c +++ b/proofs/cbmc/poly_mulcache_compute/poly_mulcache_compute_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly_mulcache *x; - poly *a; + mlk_poly_mulcache *x; + mlk_poly *a; - poly_mulcache_compute(x, a); + mlk_poly_mulcache_compute(x, a); } diff --git a/proofs/cbmc/poly_mulcache_compute_native/Makefile b/proofs/cbmc/poly_mulcache_compute_native/Makefile index 70a0f066e..9225f1e20 100644 --- a/proofs/cbmc/poly_mulcache_compute_native/Makefile +++ b/proofs/cbmc/poly_mulcache_compute_native/Makefile @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c $(SRCDIR)/mlkem/zetas.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_mulcache_compute +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_mulcache_compute USE_FUNCTION_CONTRACTS=poly_mulcache_compute_native APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/poly_mulcache_compute_native/poly_mulcache_compute_native_harness.c b/proofs/cbmc/poly_mulcache_compute_native/poly_mulcache_compute_native_harness.c index 32f07aae1..eab184d8c 100644 --- a/proofs/cbmc/poly_mulcache_compute_native/poly_mulcache_compute_native_harness.c +++ b/proofs/cbmc/poly_mulcache_compute_native/poly_mulcache_compute_native_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly_mulcache *x; - poly *a; + mlk_poly_mulcache *x; + mlk_poly *a; - poly_mulcache_compute(x, a); + mlk_poly_mulcache_compute(x, a); } diff --git a/proofs/cbmc/poly_ntt/Makefile b/proofs/cbmc/poly_ntt/Makefile index 03a5fab49..8a2eeed76 100644 --- a/proofs/cbmc/poly_ntt/Makefile +++ b/proofs/cbmc/poly_ntt/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_ntt_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_ntt +PROOF_UID = mlk_poly_ntt DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c - CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_ntt -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ntt_layer + CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_ntt +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ntt_layer APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)poly_ntt +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_ntt # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_ntt/poly_ntt_harness.c b/proofs/cbmc/poly_ntt/poly_ntt_harness.c index f2d4478ff..1cb365157 100644 --- a/proofs/cbmc/poly_ntt/poly_ntt_harness.c +++ b/proofs/cbmc/poly_ntt/poly_ntt_harness.c @@ -6,6 +6,6 @@ void harness(void) { - poly *a; - poly_ntt(a); + mlk_poly *a; + mlk_poly_ntt(a); } diff --git a/proofs/cbmc/poly_ntt_native/Makefile b/proofs/cbmc/poly_ntt_native/Makefile index 056718470..5fe93f573 100644 --- a/proofs/cbmc/poly_ntt_native/Makefile +++ b/proofs/cbmc/poly_ntt_native/Makefile @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_ntt +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_ntt USE_FUNCTION_CONTRACTS=ntt_native APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = poly_ntt +FUNCTION_NAME = mlk_poly_ntt # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_ntt_native/poly_ntt_native_harness.c b/proofs/cbmc/poly_ntt_native/poly_ntt_native_harness.c index f2d4478ff..1cb365157 100644 --- a/proofs/cbmc/poly_ntt_native/poly_ntt_native_harness.c +++ b/proofs/cbmc/poly_ntt_native/poly_ntt_native_harness.c @@ -6,6 +6,6 @@ void harness(void) { - poly *a; - poly_ntt(a); + mlk_poly *a; + mlk_poly_ntt(a); } diff --git a/proofs/cbmc/poly_reduce/Makefile b/proofs/cbmc/poly_reduce/Makefile index fa15cc30f..9ce37ab38 100644 --- a/proofs/cbmc/poly_reduce/Makefile +++ b/proofs/cbmc/poly_reduce/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_reduce_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_reduce +PROOF_UID = mlk_poly_reduce DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_reduce -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_signed_to_unsigned_q $(MLK_NAMESPACE)barrett_reduce +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_reduce +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_signed_to_unsigned_q $(MLK_NAMESPACE)mlk_barrett_reduce APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)poly_reduce +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_reduce # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_reduce/poly_reduce_harness.c b/proofs/cbmc/poly_reduce/poly_reduce_harness.c index 18f5ed531..1efec2b4e 100644 --- a/proofs/cbmc/poly_reduce/poly_reduce_harness.c +++ b/proofs/cbmc/poly_reduce/poly_reduce_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly *a; + mlk_poly *a; /* Contracts for this function are in poly.h */ - poly_reduce(a); + mlk_poly_reduce(a); } diff --git a/proofs/cbmc/poly_reduce_native/Makefile b/proofs/cbmc/poly_reduce_native/Makefile index f5cfbf3ee..96a1908c1 100644 --- a/proofs/cbmc/poly_reduce_native/Makefile +++ b/proofs/cbmc/poly_reduce_native/Makefile @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_reduce +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_reduce USE_FUNCTION_CONTRACTS=poly_reduce_native APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/poly_reduce_native/poly_reduce_native_harness.c b/proofs/cbmc/poly_reduce_native/poly_reduce_native_harness.c index 116793fa4..ae13b3e1d 100644 --- a/proofs/cbmc/poly_reduce_native/poly_reduce_native_harness.c +++ b/proofs/cbmc/poly_reduce_native/poly_reduce_native_harness.c @@ -6,8 +6,8 @@ void harness(void) { - poly *a; + mlk_poly *a; /* Contracts for this function are in compress.h */ - poly_reduce(a); + mlk_poly_reduce(a); } diff --git a/proofs/cbmc/poly_rej_uniform/Makefile b/proofs/cbmc/poly_rej_uniform/Makefile index 08c2d577c..83d8c7983 100644 --- a/proofs/cbmc/poly_rej_uniform/Makefile +++ b/proofs/cbmc/poly_rej_uniform/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_rej_uniform_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_rej_uniform +PROOF_UID = mlk_poly_rej_uniform DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/sampling.c $(SRCDIR)/mlkem/fips202/fips202.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_rej_uniform -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake128_absorb_once $(MLK_NAMESPACE)shake128_squeezeblocks $(MLK_NAMESPACE)rej_uniform +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_rej_uniform +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake128_absorb_once $(MLK_NAMESPACE)shake128_squeezeblocks $(MLK_NAMESPACE)mlk_rej_uniform APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)poly_rej_uniform +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_rej_uniform # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_rej_uniform/poly_rej_uniform_harness.c b/proofs/cbmc/poly_rej_uniform/poly_rej_uniform_harness.c index 3e411b6a7..7dbae235e 100644 --- a/proofs/cbmc/poly_rej_uniform/poly_rej_uniform_harness.c +++ b/proofs/cbmc/poly_rej_uniform/poly_rej_uniform_harness.c @@ -7,7 +7,7 @@ void harness(void) { - poly *out; + mlk_poly *out; uint8_t *seed; - poly_rej_uniform(out, seed); + mlk_poly_rej_uniform(out, seed); } diff --git a/proofs/cbmc/poly_rej_uniform_x4/Makefile b/proofs/cbmc/poly_rej_uniform_x4/Makefile index eda43dccd..ef2299c86 100644 --- a/proofs/cbmc/poly_rej_uniform_x4/Makefile +++ b/proofs/cbmc/poly_rej_uniform_x4/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_rej_uniform_x4_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_rej_uniform_x4 +PROOF_UID = mlk_poly_rej_uniform_x4 DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/sampling.c $(SRCDIR)/mlkem/fips202/fips202x4.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_rej_uniform_x4 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake128x4_absorb_once $(MLK_NAMESPACE)shake128x4_squeezeblocks $(MLK_NAMESPACE)rej_uniform +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_rej_uniform_x4 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake128x4_absorb_once $(MLK_NAMESPACE)shake128x4_squeezeblocks $(MLK_NAMESPACE)mlk_rej_uniform APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)poly_rej_uniform_x4 +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_rej_uniform_x4 # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_rej_uniform_x4/poly_rej_uniform_x4_harness.c b/proofs/cbmc/poly_rej_uniform_x4/poly_rej_uniform_x4_harness.c index 0e9c034cd..5e6cbda62 100644 --- a/proofs/cbmc/poly_rej_uniform_x4/poly_rej_uniform_x4_harness.c +++ b/proofs/cbmc/poly_rej_uniform_x4/poly_rej_uniform_x4_harness.c @@ -7,7 +7,7 @@ void harness(void) { - poly out[4]; + mlk_poly out[4]; uint8_t *seed[4]; - poly_rej_uniform_x4(out, seed); + mlk_poly_rej_uniform_x4(out, seed); } diff --git a/proofs/cbmc/poly_sub/Makefile b/proofs/cbmc/poly_sub/Makefile index 99c01d33a..b75a06131 100644 --- a/proofs/cbmc/poly_sub/Makefile +++ b/proofs/cbmc/poly_sub/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_sub_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_sub +PROOF_UID = mlk_poly_sub DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_sub +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_sub USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = poly_sub +FUNCTION_NAME = mlk_poly_sub # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_sub/poly_sub_harness.c b/proofs/cbmc/poly_sub/poly_sub_harness.c index 8dc700fec..2ec0c2f92 100644 --- a/proofs/cbmc/poly_sub/poly_sub_harness.c +++ b/proofs/cbmc/poly_sub/poly_sub_harness.c @@ -6,6 +6,6 @@ void harness(void) { - poly *r, *b; - poly_sub(r, b); + mlk_poly *r, *b; + mlk_poly_sub(r, b); } diff --git a/proofs/cbmc/poly_tobytes/Makefile b/proofs/cbmc/poly_tobytes/Makefile index ec332bbcd..8272a5433 100644 --- a/proofs/cbmc/poly_tobytes/Makefile +++ b/proofs/cbmc/poly_tobytes/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_tobytes_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_tobytes +PROOF_UID = mlk_poly_tobytes DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_tobytes +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_tobytes USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)poly_tobytes +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_tobytes # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_tobytes/poly_tobytes_harness.c b/proofs/cbmc/poly_tobytes/poly_tobytes_harness.c index e48cb927a..bdaabef79 100644 --- a/proofs/cbmc/poly_tobytes/poly_tobytes_harness.c +++ b/proofs/cbmc/poly_tobytes/poly_tobytes_harness.c @@ -6,9 +6,9 @@ void harness(void) { - poly *a; + mlk_poly *a; uint8_t *r; /* Contracts for this function are in compress.h */ - poly_tobytes(r, a); + mlk_poly_tobytes(r, a); } diff --git a/proofs/cbmc/poly_tobytes_native/Makefile b/proofs/cbmc/poly_tobytes_native/Makefile index 3036d5b9a..e0455730d 100644 --- a/proofs/cbmc/poly_tobytes_native/Makefile +++ b/proofs/cbmc/poly_tobytes_native/Makefile @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_tobytes +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_tobytes USE_FUNCTION_CONTRACTS=poly_tobytes_native APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/poly_tobytes_native/poly_tobytes_native_harness.c b/proofs/cbmc/poly_tobytes_native/poly_tobytes_native_harness.c index e48cb927a..bdaabef79 100644 --- a/proofs/cbmc/poly_tobytes_native/poly_tobytes_native_harness.c +++ b/proofs/cbmc/poly_tobytes_native/poly_tobytes_native_harness.c @@ -6,9 +6,9 @@ void harness(void) { - poly *a; + mlk_poly *a; uint8_t *r; /* Contracts for this function are in compress.h */ - poly_tobytes(r, a); + mlk_poly_tobytes(r, a); } diff --git a/proofs/cbmc/poly_tomont/Makefile b/proofs/cbmc/poly_tomont/Makefile index 29f552ea3..5edd04200 100644 --- a/proofs/cbmc/poly_tomont/Makefile +++ b/proofs/cbmc/poly_tomont/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_tomont_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_tomont +PROOF_UID = mlk_poly_tomont DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_tomont -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)fqmul +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_tomont +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_fqmul APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = poly_tomont +FUNCTION_NAME = mlk_poly_tomont # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_tomont/poly_tomont_harness.c b/proofs/cbmc/poly_tomont/poly_tomont_harness.c index ac9fd3b91..d0f1a6221 100644 --- a/proofs/cbmc/poly_tomont/poly_tomont_harness.c +++ b/proofs/cbmc/poly_tomont/poly_tomont_harness.c @@ -6,7 +6,7 @@ void harness(void) { - poly *a; + mlk_poly *a; - poly_tomont(a); + mlk_poly_tomont(a); } diff --git a/proofs/cbmc/poly_tomont_native/Makefile b/proofs/cbmc/poly_tomont_native/Makefile index 25f0a6cff..4f577e314 100644 --- a/proofs/cbmc/poly_tomont_native/Makefile +++ b/proofs/cbmc/poly_tomont_native/Makefile @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_tomont +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_tomont USE_FUNCTION_CONTRACTS=poly_tomont_native APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/poly_tomont_native/poly_tomont_native_harness.c b/proofs/cbmc/poly_tomont_native/poly_tomont_native_harness.c index ac9fd3b91..d0f1a6221 100644 --- a/proofs/cbmc/poly_tomont_native/poly_tomont_native_harness.c +++ b/proofs/cbmc/poly_tomont_native/poly_tomont_native_harness.c @@ -6,7 +6,7 @@ void harness(void) { - poly *a; + mlk_poly *a; - poly_tomont(a); + mlk_poly_tomont(a); } diff --git a/proofs/cbmc/poly_tomsg/Makefile b/proofs/cbmc/poly_tomsg/Makefile index 6b4b265a0..c02857831 100644 --- a/proofs/cbmc/poly_tomsg/Makefile +++ b/proofs/cbmc/poly_tomsg/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = poly_tomsg_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = poly_tomsg +PROOF_UID = mlk_poly_tomsg DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/compress.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_tomsg +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_tomsg USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)poly_tomsg +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_tomsg # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/poly_tomsg/poly_tomsg_harness.c b/proofs/cbmc/poly_tomsg/poly_tomsg_harness.c index 25c7b7ff2..3e1bc23c4 100644 --- a/proofs/cbmc/poly_tomsg/poly_tomsg_harness.c +++ b/proofs/cbmc/poly_tomsg/poly_tomsg_harness.c @@ -6,9 +6,9 @@ void harness(void) { - poly *a; + mlk_poly *a; uint8_t *msg; /* Contracts for this function are in compress.h */ - poly_tomsg(msg, a); + mlk_poly_tomsg(msg, a); } diff --git a/proofs/cbmc/polyvec_add/Makefile b/proofs/cbmc/polyvec_add/Makefile index 653cdf5ef..577f857d8 100644 --- a/proofs/cbmc/polyvec_add/Makefile +++ b/proofs/cbmc/polyvec_add/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_add_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_add +PROOF_UID = mlk_polyvec_add DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_add.0:4 # Largest value of MLKEM_K PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_add -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_add +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_add +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_add APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -38,7 +38,7 @@ CBMCFLAGS=--smt2 # a substantial improvement in proof performance. CBMCFLAGS += --no-array-field-sensitivity --arrays-uf-always --slice-formula -FUNCTION_NAME = polyvec_add +FUNCTION_NAME = mlk_polyvec_add # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_add/polyvec_add_harness.c b/proofs/cbmc/polyvec_add/polyvec_add_harness.c index 010737e4c..c982f2fbe 100644 --- a/proofs/cbmc/polyvec_add/polyvec_add_harness.c +++ b/proofs/cbmc/polyvec_add/polyvec_add_harness.c @@ -6,6 +6,6 @@ void harness(void) { - polyvec *r, *b; - polyvec_add(r, b); + mlk_polyvec *r, *b; + mlk_polyvec_add(r, b); } diff --git a/proofs/cbmc/polyvec_basemul_acc_montgomery/Makefile b/proofs/cbmc/polyvec_basemul_acc_montgomery/Makefile index 0406bb78c..2ac073422 100644 --- a/proofs/cbmc/polyvec_basemul_acc_montgomery/Makefile +++ b/proofs/cbmc/polyvec_basemul_acc_montgomery/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_basemul_acc_montgomery_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_basemul_acc_montgomery +PROOF_UID = mlk_polyvec_basemul_acc_montgomery DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_basemul_acc_montgomery -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_mulcache_compute $(MLK_NAMESPACE)polyvec_basemul_acc_montgomery_cached +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_basemul_acc_montgomery +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_mulcache_compute $(MLK_NAMESPACE)mlk_polyvec_basemul_acc_montgomery_cached APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = polyvec_basemul_acc_montgomery +FUNCTION_NAME = mlk_polyvec_basemul_acc_montgomery # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_basemul_acc_montgomery/polyvec_basemul_acc_montgomery_harness.c b/proofs/cbmc/polyvec_basemul_acc_montgomery/polyvec_basemul_acc_montgomery_harness.c index e2d1f7ee9..1af2ba228 100644 --- a/proofs/cbmc/polyvec_basemul_acc_montgomery/polyvec_basemul_acc_montgomery_harness.c +++ b/proofs/cbmc/polyvec_basemul_acc_montgomery/polyvec_basemul_acc_montgomery_harness.c @@ -5,8 +5,8 @@ void harness(void) { - poly *r; - polyvec *a, *b; + mlk_poly *r; + mlk_polyvec *a, *b; - polyvec_basemul_acc_montgomery(r, a, b); + mlk_polyvec_basemul_acc_montgomery(r, a, b); } diff --git a/proofs/cbmc/polyvec_basemul_acc_montgomery_cached/Makefile b/proofs/cbmc/polyvec_basemul_acc_montgomery_cached/Makefile index 2ebdd1f0b..a23e7762a 100644 --- a/proofs/cbmc/polyvec_basemul_acc_montgomery_cached/Makefile +++ b/proofs/cbmc/polyvec_basemul_acc_montgomery_cached/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_basemul_acc_montgomery_cached_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_basemul_acc_montgomery_cached +PROOF_UID = mlk_polyvec_basemul_acc_montgomery_cached DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_basemul_acc_montgomery_cached -USE_FUNCTION_CONTRACTS= $(MLK_NAMESPACE)montgomery_reduce +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_basemul_acc_montgomery_cached +USE_FUNCTION_CONTRACTS= $(MLK_NAMESPACE)mlk_montgomery_reduce APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -28,7 +28,7 @@ EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 CBMCFLAGS += --no-array-field-sensitivity --arrays-uf-always --slice-formula -FUNCTION_NAME = polyvec_basemul_acc_montgomery_cached +FUNCTION_NAME = mlk_polyvec_basemul_acc_montgomery_cached # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_basemul_acc_montgomery_cached/polyvec_basemul_acc_montgomery_cached_harness.c b/proofs/cbmc/polyvec_basemul_acc_montgomery_cached/polyvec_basemul_acc_montgomery_cached_harness.c index db4937b5e..229c5295b 100644 --- a/proofs/cbmc/polyvec_basemul_acc_montgomery_cached/polyvec_basemul_acc_montgomery_cached_harness.c +++ b/proofs/cbmc/polyvec_basemul_acc_montgomery_cached/polyvec_basemul_acc_montgomery_cached_harness.c @@ -6,9 +6,9 @@ void harness(void) { - poly *r; - polyvec *a, *b; - polyvec_mulcache *b_cached; + mlk_poly *r; + mlk_polyvec *a, *b; + mlk_polyvec_mulcache *b_cached; - polyvec_basemul_acc_montgomery_cached(r, a, b, b_cached); + mlk_polyvec_basemul_acc_montgomery_cached(r, a, b, b_cached); } diff --git a/proofs/cbmc/polyvec_basemul_acc_montgomery_cached_native/Makefile b/proofs/cbmc/polyvec_basemul_acc_montgomery_cached_native/Makefile index 733ec3865..61602d071 100644 --- a/proofs/cbmc/polyvec_basemul_acc_montgomery_cached_native/Makefile +++ b/proofs/cbmc/polyvec_basemul_acc_montgomery_cached_native/Makefile @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_basemul_acc_montgomery_cached +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_basemul_acc_montgomery_cached USE_FUNCTION_CONTRACTS=polyvec_basemul_acc_montgomery_cached_k$(MLKEM_K)_native APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/polyvec_basemul_acc_montgomery_cached_native/polyvec_basemul_acc_montgomery_cached_native_harness.c b/proofs/cbmc/polyvec_basemul_acc_montgomery_cached_native/polyvec_basemul_acc_montgomery_cached_native_harness.c index db4937b5e..229c5295b 100644 --- a/proofs/cbmc/polyvec_basemul_acc_montgomery_cached_native/polyvec_basemul_acc_montgomery_cached_native_harness.c +++ b/proofs/cbmc/polyvec_basemul_acc_montgomery_cached_native/polyvec_basemul_acc_montgomery_cached_native_harness.c @@ -6,9 +6,9 @@ void harness(void) { - poly *r; - polyvec *a, *b; - polyvec_mulcache *b_cached; + mlk_poly *r; + mlk_polyvec *a, *b; + mlk_polyvec_mulcache *b_cached; - polyvec_basemul_acc_montgomery_cached(r, a, b, b_cached); + mlk_polyvec_basemul_acc_montgomery_cached(r, a, b, b_cached); } diff --git a/proofs/cbmc/polyvec_compress_du/Makefile b/proofs/cbmc/polyvec_compress_du/Makefile index 61862a7b1..cf9f280a3 100644 --- a/proofs/cbmc/polyvec_compress_du/Makefile +++ b/proofs/cbmc/polyvec_compress_du/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_compress_du_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_compress_du +PROOF_UID = mlk_polyvec_compress_du DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_compress_du.0:4 # Largest value of MLKEM_K PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_compress_du -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_compress_du +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_compress_du +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_compress_du APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)polyvec_compress_du +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_polyvec_compress_du # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_compress_du/polyvec_compress_du_harness.c b/proofs/cbmc/polyvec_compress_du/polyvec_compress_du_harness.c index 60177059f..02623797a 100644 --- a/proofs/cbmc/polyvec_compress_du/polyvec_compress_du_harness.c +++ b/proofs/cbmc/polyvec_compress_du/polyvec_compress_du_harness.c @@ -7,8 +7,8 @@ void harness(void) { - polyvec *r; + mlk_polyvec *r; uint8_t *a; - polyvec_compress_du(a, r); + mlk_polyvec_compress_du(a, r); } diff --git a/proofs/cbmc/polyvec_decompress_du/Makefile b/proofs/cbmc/polyvec_decompress_du/Makefile index 60377f11b..7181ea160 100644 --- a/proofs/cbmc/polyvec_decompress_du/Makefile +++ b/proofs/cbmc/polyvec_decompress_du/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_decompress_du_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_decompress_du +PROOF_UID = mlk_polyvec_decompress_du DEFINES += INCLUDES += @@ -18,9 +18,9 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_decompress_du.0:4 # Largest value of MLKEM_ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_decompress_du +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_decompress_du -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_decompress_du +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_decompress_du APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -28,7 +28,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)polyvec_decompress_du +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_polyvec_decompress_du # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_decompress_du/polyvec_decompress_du_harness.c b/proofs/cbmc/polyvec_decompress_du/polyvec_decompress_du_harness.c index ddb0b93a7..83140e42a 100644 --- a/proofs/cbmc/polyvec_decompress_du/polyvec_decompress_du_harness.c +++ b/proofs/cbmc/polyvec_decompress_du/polyvec_decompress_du_harness.c @@ -7,8 +7,8 @@ void harness(void) { - polyvec *a; + mlk_polyvec *a; uint8_t *r; - polyvec_decompress_du(a, r); + mlk_polyvec_decompress_du(a, r); } diff --git a/proofs/cbmc/polyvec_frombytes/Makefile b/proofs/cbmc/polyvec_frombytes/Makefile index 569bfb610..e6230126c 100644 --- a/proofs/cbmc/polyvec_frombytes/Makefile +++ b/proofs/cbmc/polyvec_frombytes/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_frombytes_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_frombytes +PROOF_UID = mlk_polyvec_frombytes DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_frombytes.0:4 # Largest value of MLKEM_K PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_frombytes -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_frombytes +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_frombytes +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_frombytes APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)polyvec_frombytes +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_polyvec_frombytes # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_frombytes/polyvec_frombytes_harness.c b/proofs/cbmc/polyvec_frombytes/polyvec_frombytes_harness.c index cb09b75ab..f6c2342ca 100644 --- a/proofs/cbmc/polyvec_frombytes/polyvec_frombytes_harness.c +++ b/proofs/cbmc/polyvec_frombytes/polyvec_frombytes_harness.c @@ -6,7 +6,7 @@ void harness(void) { - polyvec *a; + mlk_polyvec *a; uint8_t *r; - polyvec_frombytes(a, r); + mlk_polyvec_frombytes(a, r); } diff --git a/proofs/cbmc/polyvec_invntt_tomont/Makefile b/proofs/cbmc/polyvec_invntt_tomont/Makefile index 76c459c8c..cd635e919 100644 --- a/proofs/cbmc/polyvec_invntt_tomont/Makefile +++ b/proofs/cbmc/polyvec_invntt_tomont/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_invntt_tomont_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_invntt_tomont +PROOF_UID = mlk_polyvec_invntt_tomont DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_invntt_tomont.0:4 # Largest value of MLKEM_ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_invntt_tomont -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_invntt_tomont +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_invntt_tomont +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_invntt_tomont APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = polyvec_invntt_tomont +FUNCTION_NAME = mlk_polyvec_invntt_tomont # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_invntt_tomont/polyvec_invntt_tomont_harness.c b/proofs/cbmc/polyvec_invntt_tomont/polyvec_invntt_tomont_harness.c index e18487ede..d29b4020a 100644 --- a/proofs/cbmc/polyvec_invntt_tomont/polyvec_invntt_tomont_harness.c +++ b/proofs/cbmc/polyvec_invntt_tomont/polyvec_invntt_tomont_harness.c @@ -6,6 +6,6 @@ void harness(void) { - polyvec *r; - polyvec_invntt_tomont(r); + mlk_polyvec *r; + mlk_polyvec_invntt_tomont(r); } diff --git a/proofs/cbmc/polyvec_mulcache_compute/Makefile b/proofs/cbmc/polyvec_mulcache_compute/Makefile index e20e44e37..5d1abfef0 100644 --- a/proofs/cbmc/polyvec_mulcache_compute/Makefile +++ b/proofs/cbmc/polyvec_mulcache_compute/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_mulcache_compute_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_mulcache_compute +PROOF_UID = mlk_polyvec_mulcache_compute DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_mulcache_compute.0:4 # Largest value of MLK PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_mulcache_compute -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_mulcache_compute +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_mulcache_compute +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_mulcache_compute APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = polyvec_mulcache_compute +FUNCTION_NAME = mlk_polyvec_mulcache_compute # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_mulcache_compute/polyvec_mulcache_compute_harness.c b/proofs/cbmc/polyvec_mulcache_compute/polyvec_mulcache_compute_harness.c index dc077d83e..bb5f1ae4d 100644 --- a/proofs/cbmc/polyvec_mulcache_compute/polyvec_mulcache_compute_harness.c +++ b/proofs/cbmc/polyvec_mulcache_compute/polyvec_mulcache_compute_harness.c @@ -6,8 +6,8 @@ void harness(void) { - polyvec_mulcache *x; - polyvec *a; + mlk_polyvec_mulcache *x; + mlk_polyvec *a; - polyvec_mulcache_compute(x, a); + mlk_polyvec_mulcache_compute(x, a); } diff --git a/proofs/cbmc/polyvec_ntt/Makefile b/proofs/cbmc/polyvec_ntt/Makefile index ec79050d9..a812d4e86 100644 --- a/proofs/cbmc/polyvec_ntt/Makefile +++ b/proofs/cbmc/polyvec_ntt/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_ntt_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_ntt +PROOF_UID = mlk_polyvec_ntt DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_ntt.0:4 # Largest value of MLKEM_K PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_ntt -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_ntt +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_ntt +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_ntt APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = polyvec_ntt +FUNCTION_NAME = mlk_polyvec_ntt # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_ntt/polyvec_ntt_harness.c b/proofs/cbmc/polyvec_ntt/polyvec_ntt_harness.c index 11224ffb3..f4fdd025e 100644 --- a/proofs/cbmc/polyvec_ntt/polyvec_ntt_harness.c +++ b/proofs/cbmc/polyvec_ntt/polyvec_ntt_harness.c @@ -6,6 +6,6 @@ void harness(void) { - polyvec *r; - polyvec_ntt(r); + mlk_polyvec *r; + mlk_polyvec_ntt(r); } diff --git a/proofs/cbmc/polyvec_reduce/Makefile b/proofs/cbmc/polyvec_reduce/Makefile index 4d2db1e57..0b90e88ec 100644 --- a/proofs/cbmc/polyvec_reduce/Makefile +++ b/proofs/cbmc/polyvec_reduce/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_reduce_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_reduce +PROOF_UID = mlk_polyvec_reduce DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_reduce.0:4 # Largest value of MLKEM_K PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_reduce -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_reduce +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_reduce +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_reduce APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)polyvec_reduce +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_polyvec_reduce # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_reduce/polyvec_reduce_harness.c b/proofs/cbmc/polyvec_reduce/polyvec_reduce_harness.c index 34813963c..b1f9e1c01 100644 --- a/proofs/cbmc/polyvec_reduce/polyvec_reduce_harness.c +++ b/proofs/cbmc/polyvec_reduce/polyvec_reduce_harness.c @@ -6,6 +6,6 @@ void harness(void) { - polyvec *a; - polyvec_reduce(a); + mlk_polyvec *a; + mlk_polyvec_reduce(a); } diff --git a/proofs/cbmc/polyvec_tobytes/Makefile b/proofs/cbmc/polyvec_tobytes/Makefile index 32c324682..11b786f00 100644 --- a/proofs/cbmc/polyvec_tobytes/Makefile +++ b/proofs/cbmc/polyvec_tobytes/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_tobytes_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_tobytes +PROOF_UID = mlk_polyvec_tobytes DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_tobytes.0:4 # Largest value of MLKEM_K PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_tobytes -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_tobytes +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_tobytes +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_tobytes APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)polyvec_tobytes +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_polyvec_tobytes # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_tobytes/polyvec_tobytes_harness.c b/proofs/cbmc/polyvec_tobytes/polyvec_tobytes_harness.c index 2d703ff0d..19ff4f6da 100644 --- a/proofs/cbmc/polyvec_tobytes/polyvec_tobytes_harness.c +++ b/proofs/cbmc/polyvec_tobytes/polyvec_tobytes_harness.c @@ -6,7 +6,7 @@ void harness(void) { - polyvec *a; + mlk_polyvec *a; uint8_t *r; - polyvec_tobytes(r, a); + mlk_polyvec_tobytes(r, a); } diff --git a/proofs/cbmc/polyvec_tomont/Makefile b/proofs/cbmc/polyvec_tomont/Makefile index 4186d4a1d..c5bf0b06e 100644 --- a/proofs/cbmc/polyvec_tomont/Makefile +++ b/proofs/cbmc/polyvec_tomont/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = polyvec_tomont_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = polyvec_tomont +PROOF_UID = mlk_polyvec_tomont DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += $(MLK_NAMESPACE)polyvec_tomont.0:4 # Largest value of MLKEM_K PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly_k.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)polyvec_tomont -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_tomont +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_polyvec_tomont +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_tomont APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--smt2 -FUNCTION_NAME = $(MLK_NAMESPACE)polyvec_tomont +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_polyvec_tomont # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/polyvec_tomont/polyvec_tomont_harness.c b/proofs/cbmc/polyvec_tomont/polyvec_tomont_harness.c index fa717a327..ea619af3f 100644 --- a/proofs/cbmc/polyvec_tomont/polyvec_tomont_harness.c +++ b/proofs/cbmc/polyvec_tomont/polyvec_tomont_harness.c @@ -6,6 +6,6 @@ void harness(void) { - polyvec *a; - polyvec_tomont(a); + mlk_polyvec *a; + mlk_polyvec_tomont(a); } diff --git a/proofs/cbmc/proof_guide.md b/proofs/cbmc/proof_guide.md index e3e865825..a8fffd561 100644 --- a/proofs/cbmc/proof_guide.md +++ b/proofs/cbmc/proof_guide.md @@ -11,9 +11,9 @@ _unbounded_ and _modular_ proofs of type-safety and correctness properties. Our CBMC proofs confirm the absence of certain classes of undefined behaviour, such as integer overflow or out of bounds memory accesses -- for the precise list of conditions checked, see the CBMC configuration in [Makefile.common](Makefile.common). For many arithmetic functions, we additionally specify how they affect coefficient -bounds: For example, we show that the result of `poly_invntt_tomont()` has coefficients bound by +bounds: For example, we show that the result of `mlk_poly_invntt_tomont()` has coefficients bound by `MLK_INVNTT_BOUND`. Finally, some simple functions have their full functional behaviour specified: For example, the -specification of the constant-time `ct_memcmp()` shows that, functionally, it is just an ordinary `memcmp()`. +specification of the constant-time `mlk_ct_memcmp()` shows that, functionally, it is just an ordinary `memcmp()`. ## CBMC annotations @@ -56,8 +56,8 @@ also described via `memory_no_alias(...)`. Hence, a function operating on `n` me instances of `memory_no_alias(...)` in its precondition. Care has to be taken for functions where aliasing is needed. Aliasing constraints can be difficult to specify, and we -reduce it as much as possible in mlkem-native. For example, rather than having `poly_add(dst, src0, src1)` where `dst` -may overlap with `src0` or `src1`, we only have a destructive `poly_add(dst, src)` implementing `dst += src`, thereby +reduce it as much as possible in mlkem-native. For example, rather than having `mlk_poly_add(dst, src0, src1)` where `dst` +may overlap with `src0` or `src1`, we only have a destructive `mlk_poly_add(dst, src)` implementing `dst += src`, thereby avoiding the need to specify an aliasing constraint. Care also has to be taken when _invoking_ a function that has a contract with multiple `memory_no_alias(...)` clauses; @@ -401,44 +401,44 @@ make result VERBOSE=1 >log.txt and then inspect `log.txt` to see the exact sequence of commands that has been run. With that, you should be able to reproduce a failure on the command-line directly. -## Worked Example - proving poly_tobytes() +## Worked Example - proving mlk_poly_tobytes() -This section follows the recipe above, and adds actual settings, contracts and command to prove the `poly_tobytes()` function. +This section follows the recipe above, and adds actual settings, contracts and command to prove the `mlk_poly_tobytes()` function. ### Populate a proof directory -The proof directory is [proofs/cbmc/poly_tobytes](poly_tobytes). +The proof directory is [proofs/cbmc/mlk_poly_tobytes](mlk_poly_tobytes). ### Update Makefile The significant changes are: ``` HARNESS_FILE = poly_tobytes_harness -PROOF_UID = poly_tobytes +PROOF_UID = mlk_poly_tobytes PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)poly_tobytes +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_poly_tobytes USE_FUNCTION_CONTRACTS= -FUNCTION_NAME = $(MLK_NAMESPACE)poly_tobytes +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_poly_tobytes ``` -Note that `USE_FUNCTION_CONTRACTS` is left empty since `poly_tobytes()` is a leaf function that does not call any other functions at all. +Note that `USE_FUNCTION_CONTRACTS` is left empty since `mlk_poly_tobytes()` is a leaf function that does not call any other functions at all. ### Update harness function -`poly_tobytes()` has a simple API, requiring two parameters, so the harness function is: +`mlk_poly_tobytes()` has a simple API, requiring two parameters, so the harness function is: ``` void harness(void) { - poly *a; + mlk_poly *a; uint8_t *r; /* Contracts for this function are in poly.h */ - poly_tobytes(r, a); + mlk_poly_tobytes(r, a); } ``` ### Top-level contracts -The comments on `poly_tobytes()` give us a clear hint: +The comments on `mlk_poly_tobytes()` give us a clear hint: ``` * Arguments: INPUT: @@ -455,9 +455,9 @@ prototype. We can use the macros in [mlkem/cbmc.h](../../mlkem/cbmc.h) to help, thus: ``` -void poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const poly *a) +void mlk_poly_tobytes(uint8_t r[MLKEM_POLYBYTES], const mlk_poly *a) __contract__( - requires(memory_no_alias(a, sizeof(poly))) + requires(memory_no_alias(a, sizeof(mlk_poly))) requires(array_bound(a->coeffs, 0, MLKEM_N, 0, (MLKEM_Q - 1))) assigns(object_whole(r))); ``` @@ -468,7 +468,7 @@ inclusive). See the macro definition in [mlkem/cbmc.h](../../mlkem/cbmc.h) for d ### Interior contracts and loop invariants -`poly_tobytes` has a single loop statement: +`mlk_poly_tobytes` has a single loop statement: ``` unsigned i; @@ -513,7 +513,7 @@ and so on for the other two statements in the loop body. With those changes, CBMC completes the proof in about 10 seconds: ``` -cd proofs/cbmc/poly_tobytes +cd proofs/cbmc/mlk_poly_tobytes make result cat logs/result.txt ``` @@ -527,12 +527,12 @@ We can also use the higher-level Python script to prove just that one function: ``` cd proofs/cbmc -MLKEM_K=3 ./run-cbmc-proofs.py --summarize -j$(nproc) -p poly_tobytes +MLKEM_K=3 ./run-cbmc-proofs.py --summarize -j$(nproc) -p mlk_poly_tobytes ``` yields ``` | Proof | Status | |--------------|---------| -| poly_tobytes | Success | +| mlk_poly_tobytes | Success | ``` diff --git a/proofs/cbmc/rej_uniform/Makefile b/proofs/cbmc/rej_uniform/Makefile index 88e70bc84..325bebb04 100644 --- a/proofs/cbmc/rej_uniform/Makefile +++ b/proofs/cbmc/rej_uniform/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = rej_uniform_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = rej_uniform +PROOF_UID = mlk_rej_uniform DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/sampling.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)rej_uniform -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)rej_uniform_scalar +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_rej_uniform +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_rej_uniform_scalar APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = $(MLK_NAMESPACE)rej_uniform +FUNCTION_NAME = $(MLK_NAMESPACE)mlk_rej_uniform # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/rej_uniform/rej_uniform_harness.c b/proofs/cbmc/rej_uniform/rej_uniform_harness.c index 0a38d9baa..b312dbce2 100644 --- a/proofs/cbmc/rej_uniform/rej_uniform_harness.c +++ b/proofs/cbmc/rej_uniform/rej_uniform_harness.c @@ -5,8 +5,8 @@ #include #include "cbmc.h" -#define rej_uniform MLK_NAMESPACE(rej_uniform) -unsigned rej_uniform(int16_t *r, unsigned target, unsigned offset, +#define mlk_rej_uniform MLK_NAMESPACE(rej_uniform) +unsigned mlk_rej_uniform(int16_t *r, unsigned target, unsigned offset, const uint8_t *buf, unsigned buflen); void harness(void) @@ -15,5 +15,5 @@ void harness(void) int16_t *r; uint8_t *buf; - rej_uniform(r, target, offset, buf, inlen); + mlk_rej_uniform(r, target, offset, buf, inlen); } diff --git a/proofs/cbmc/rej_uniform_native/Makefile b/proofs/cbmc/rej_uniform_native/Makefile index 1fc2ee10b..601e1f295 100644 --- a/proofs/cbmc/rej_uniform_native/Makefile +++ b/proofs/cbmc/rej_uniform_native/Makefile @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/sampling.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)rej_uniform -USE_FUNCTION_CONTRACTS=rej_uniform_native $(MLK_NAMESPACE)rej_uniform_scalar +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_rej_uniform +USE_FUNCTION_CONTRACTS=rej_uniform_native $(MLK_NAMESPACE)mlk_rej_uniform_scalar APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/rej_uniform_native/rej_uniform_native_harness.c b/proofs/cbmc/rej_uniform_native/rej_uniform_native_harness.c index 0a38d9baa..b312dbce2 100644 --- a/proofs/cbmc/rej_uniform_native/rej_uniform_native_harness.c +++ b/proofs/cbmc/rej_uniform_native/rej_uniform_native_harness.c @@ -5,8 +5,8 @@ #include #include "cbmc.h" -#define rej_uniform MLK_NAMESPACE(rej_uniform) -unsigned rej_uniform(int16_t *r, unsigned target, unsigned offset, +#define mlk_rej_uniform MLK_NAMESPACE(rej_uniform) +unsigned mlk_rej_uniform(int16_t *r, unsigned target, unsigned offset, const uint8_t *buf, unsigned buflen); void harness(void) @@ -15,5 +15,5 @@ void harness(void) int16_t *r; uint8_t *buf; - rej_uniform(r, target, offset, buf, inlen); + mlk_rej_uniform(r, target, offset, buf, inlen); } diff --git a/proofs/cbmc/rej_uniform_scalar/Makefile b/proofs/cbmc/rej_uniform_scalar/Makefile index 42777a873..456337af0 100644 --- a/proofs/cbmc/rej_uniform_scalar/Makefile +++ b/proofs/cbmc/rej_uniform_scalar/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = rej_uniform_scalar_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = rej_uniform_scalar +PROOF_UID = mlk_rej_uniform_scalar DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/sampling.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)rej_uniform_scalar +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_rej_uniform_scalar USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 @@ -27,7 +27,7 @@ USE_DYNAMIC_FRAMES=1 EXTERNAL_SAT_SOLVER= CBMCFLAGS=--bitwuzla -FUNCTION_NAME = rej_uniform_scalar +FUNCTION_NAME = mlk_rej_uniform_scalar # If this proof is found to consume huge amounts of RAM, you can set the # EXPENSIVE variable. With new enough versions of the proof tools, this will diff --git a/proofs/cbmc/rej_uniform_scalar/rej_uniform_scalar_harness.c b/proofs/cbmc/rej_uniform_scalar/rej_uniform_scalar_harness.c index b075d29bd..3f5a2e2bf 100644 --- a/proofs/cbmc/rej_uniform_scalar/rej_uniform_scalar_harness.c +++ b/proofs/cbmc/rej_uniform_scalar/rej_uniform_scalar_harness.c @@ -4,8 +4,8 @@ #include "sampling.h" -#define rej_uniform_scalar MLK_NAMESPACE(rej_uniform_scalar) -unsigned rej_uniform_scalar(int16_t *r, unsigned target, unsigned offset, +#define mlk_rej_uniform_scalar MLK_NAMESPACE(rej_uniform_scalar) +unsigned mlk_rej_uniform_scalar(int16_t *r, unsigned target, unsigned offset, const uint8_t *buf, unsigned buflen); void harness(void) @@ -14,5 +14,5 @@ void harness(void) int16_t *r; uint8_t *buf; - rej_uniform_scalar(r, target, offset, buf, inlen); + mlk_rej_uniform_scalar(r, target, offset, buf, inlen); } diff --git a/proofs/cbmc/scalar_compress_d1/Makefile b/proofs/cbmc/scalar_compress_d1/Makefile index 6f229e6cf..f563be391 100644 --- a/proofs/cbmc/scalar_compress_d1/Makefile +++ b/proofs/cbmc/scalar_compress_d1/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_compress_d1_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_compress_d1 +PROOF_UID = mlk_scalar_compress_d1 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_compress_d1 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_compress_d1 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_compress_d1/scalar_compress_d1_harness.c b/proofs/cbmc/scalar_compress_d1/scalar_compress_d1_harness.c index f95c35491..9b0271fd3 100644 --- a/proofs/cbmc/scalar_compress_d1/scalar_compress_d1_harness.c +++ b/proofs/cbmc/scalar_compress_d1/scalar_compress_d1_harness.c @@ -9,5 +9,5 @@ void harness(void) uint16_t u; /* Contracts for this function are in compress.h */ - uint32_t d = scalar_compress_d1(u); + uint32_t d = mlk_scalar_compress_d1(u); } diff --git a/proofs/cbmc/scalar_compress_d10/Makefile b/proofs/cbmc/scalar_compress_d10/Makefile index b41599211..a44e907b0 100644 --- a/proofs/cbmc/scalar_compress_d10/Makefile +++ b/proofs/cbmc/scalar_compress_d10/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_compress_d10_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_compress_d10 +PROOF_UID = mlk_scalar_compress_d10 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_compress_d10 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_compress_d10 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_compress_d10/scalar_compress_d10_harness.c b/proofs/cbmc/scalar_compress_d10/scalar_compress_d10_harness.c index acf8e4adc..353a37b06 100644 --- a/proofs/cbmc/scalar_compress_d10/scalar_compress_d10_harness.c +++ b/proofs/cbmc/scalar_compress_d10/scalar_compress_d10_harness.c @@ -9,5 +9,5 @@ void harness(void) uint16_t u; /* Contracts for this function are in compress.h */ - uint32_t d = scalar_compress_d10(u); + uint32_t d = mlk_scalar_compress_d10(u); } diff --git a/proofs/cbmc/scalar_compress_d11/Makefile b/proofs/cbmc/scalar_compress_d11/Makefile index d1b9051b5..9b9466681 100644 --- a/proofs/cbmc/scalar_compress_d11/Makefile +++ b/proofs/cbmc/scalar_compress_d11/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_compress_d11_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_compress_d11 +PROOF_UID = mlk_scalar_compress_d11 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_compress_d11 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_compress_d11 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_compress_d11/scalar_compress_d11_harness.c b/proofs/cbmc/scalar_compress_d11/scalar_compress_d11_harness.c index 110165688..25549e3bc 100644 --- a/proofs/cbmc/scalar_compress_d11/scalar_compress_d11_harness.c +++ b/proofs/cbmc/scalar_compress_d11/scalar_compress_d11_harness.c @@ -9,5 +9,5 @@ void harness(void) uint16_t u; /* Contracts for this function are in compress.h */ - uint32_t d = scalar_compress_d11(u); + uint32_t d = mlk_scalar_compress_d11(u); } diff --git a/proofs/cbmc/scalar_compress_d4/Makefile b/proofs/cbmc/scalar_compress_d4/Makefile index 8377cd35e..f773a4bdc 100644 --- a/proofs/cbmc/scalar_compress_d4/Makefile +++ b/proofs/cbmc/scalar_compress_d4/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_compress_d4_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_compress_d4 +PROOF_UID = mlk_scalar_compress_d4 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_compress_d4 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_compress_d4 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_compress_d4/scalar_compress_d4_harness.c b/proofs/cbmc/scalar_compress_d4/scalar_compress_d4_harness.c index 11c03120f..6a325f5cb 100644 --- a/proofs/cbmc/scalar_compress_d4/scalar_compress_d4_harness.c +++ b/proofs/cbmc/scalar_compress_d4/scalar_compress_d4_harness.c @@ -9,5 +9,5 @@ void harness(void) uint16_t u; /* Contracts for this function are in compress.h */ - uint32_t d = scalar_compress_d4(u); + uint32_t d = mlk_scalar_compress_d4(u); } diff --git a/proofs/cbmc/scalar_compress_d5/Makefile b/proofs/cbmc/scalar_compress_d5/Makefile index fc28411dc..ebb85416b 100644 --- a/proofs/cbmc/scalar_compress_d5/Makefile +++ b/proofs/cbmc/scalar_compress_d5/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_compress_d5_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_compress_d5 +PROOF_UID = mlk_scalar_compress_d5 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_compress_d5 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_compress_d5 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_compress_d5/scalar_compress_d5_harness.c b/proofs/cbmc/scalar_compress_d5/scalar_compress_d5_harness.c index e583a27ca..00d7c2015 100644 --- a/proofs/cbmc/scalar_compress_d5/scalar_compress_d5_harness.c +++ b/proofs/cbmc/scalar_compress_d5/scalar_compress_d5_harness.c @@ -9,5 +9,5 @@ void harness(void) uint16_t u; /* Contracts for this function are in compress.h */ - uint32_t d = scalar_compress_d5(u); + uint32_t d = mlk_scalar_compress_d5(u); } diff --git a/proofs/cbmc/scalar_decompress_d10/Makefile b/proofs/cbmc/scalar_decompress_d10/Makefile index 37349b2e0..beeb4b2b5 100644 --- a/proofs/cbmc/scalar_decompress_d10/Makefile +++ b/proofs/cbmc/scalar_decompress_d10/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_decompress_d10_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_decompress_d10 +PROOF_UID = mlk_scalar_decompress_d10 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_decompress_d10 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_decompress_d10 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_decompress_d10/scalar_decompress_d10_harness.c b/proofs/cbmc/scalar_decompress_d10/scalar_decompress_d10_harness.c index b4f5d328e..655528da2 100644 --- a/proofs/cbmc/scalar_decompress_d10/scalar_decompress_d10_harness.c +++ b/proofs/cbmc/scalar_decompress_d10/scalar_decompress_d10_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint32_t u; uint16_t d; - d = scalar_decompress_d10(u); + d = mlk_scalar_decompress_d10(u); } diff --git a/proofs/cbmc/scalar_decompress_d11/Makefile b/proofs/cbmc/scalar_decompress_d11/Makefile index ef8ba667d..9ceca1001 100644 --- a/proofs/cbmc/scalar_decompress_d11/Makefile +++ b/proofs/cbmc/scalar_decompress_d11/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_decompress_d11_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_decompress_d11 +PROOF_UID = mlk_scalar_decompress_d11 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_decompress_d11 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_decompress_d11 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_decompress_d11/scalar_decompress_d11_harness.c b/proofs/cbmc/scalar_decompress_d11/scalar_decompress_d11_harness.c index 791536191..3eed76f58 100644 --- a/proofs/cbmc/scalar_decompress_d11/scalar_decompress_d11_harness.c +++ b/proofs/cbmc/scalar_decompress_d11/scalar_decompress_d11_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint32_t u; uint16_t d; - d = scalar_decompress_d11(u); + d = mlk_scalar_decompress_d11(u); } diff --git a/proofs/cbmc/scalar_decompress_d4/Makefile b/proofs/cbmc/scalar_decompress_d4/Makefile index 7159a9afa..1f2d3dc16 100644 --- a/proofs/cbmc/scalar_decompress_d4/Makefile +++ b/proofs/cbmc/scalar_decompress_d4/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_decompress_d4_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_decompress_d4 +PROOF_UID = mlk_scalar_decompress_d4 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_decompress_d4 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_decompress_d4 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_decompress_d4/scalar_decompress_d4_harness.c b/proofs/cbmc/scalar_decompress_d4/scalar_decompress_d4_harness.c index ba8d7eaf0..c0c9f8284 100644 --- a/proofs/cbmc/scalar_decompress_d4/scalar_decompress_d4_harness.c +++ b/proofs/cbmc/scalar_decompress_d4/scalar_decompress_d4_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint32_t u; uint16_t d; - d = scalar_decompress_d4(u); + d = mlk_scalar_decompress_d4(u); } diff --git a/proofs/cbmc/scalar_decompress_d5/Makefile b/proofs/cbmc/scalar_decompress_d5/Makefile index 9f0137693..894d16d79 100644 --- a/proofs/cbmc/scalar_decompress_d5/Makefile +++ b/proofs/cbmc/scalar_decompress_d5/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_decompress_d5_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_decompress_d5 +PROOF_UID = mlk_scalar_decompress_d5 DEFINES += INCLUDES += @@ -18,7 +18,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_decompress_d5 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_decompress_d5 USE_FUNCTION_CONTRACTS= APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_decompress_d5/scalar_decompress_d5_harness.c b/proofs/cbmc/scalar_decompress_d5/scalar_decompress_d5_harness.c index b7481481c..cabffd21b 100644 --- a/proofs/cbmc/scalar_decompress_d5/scalar_decompress_d5_harness.c +++ b/proofs/cbmc/scalar_decompress_d5/scalar_decompress_d5_harness.c @@ -8,5 +8,5 @@ void harness(void) { uint32_t u; uint16_t d; - d = scalar_decompress_d5(u); + d = mlk_scalar_decompress_d5(u); } diff --git a/proofs/cbmc/scalar_signed_to_unsigned_q/Makefile b/proofs/cbmc/scalar_signed_to_unsigned_q/Makefile index 2483afb6a..fcc80134c 100644 --- a/proofs/cbmc/scalar_signed_to_unsigned_q/Makefile +++ b/proofs/cbmc/scalar_signed_to_unsigned_q/Makefile @@ -7,7 +7,7 @@ HARNESS_FILE = scalar_signed_to_unsigned_q_harness # This should be a unique identifier for this proof, and will appear on the # Litani dashboard. It can be human-readable and contain spaces if you wish. -PROOF_UID = scalar_signed_to_unsigned_q +PROOF_UID = mlk_scalar_signed_to_unsigned_q DEFINES += INCLUDES += @@ -18,8 +18,8 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/poly.c -CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)scalar_signed_to_unsigned_q -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)ct_sel_int16 $(MLK_NAMESPACE)ct_cmask_neg_i16 +CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_scalar_signed_to_unsigned_q +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_ct_sel_int16 $(MLK_NAMESPACE)mlk_ct_cmask_neg_i16 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/scalar_signed_to_unsigned_q/scalar_signed_to_unsigned_q_harness.c b/proofs/cbmc/scalar_signed_to_unsigned_q/scalar_signed_to_unsigned_q_harness.c index b0fa91a84..f297d4af9 100644 --- a/proofs/cbmc/scalar_signed_to_unsigned_q/scalar_signed_to_unsigned_q_harness.c +++ b/proofs/cbmc/scalar_signed_to_unsigned_q/scalar_signed_to_unsigned_q_harness.c @@ -5,13 +5,13 @@ #include #include "common.h" -#define scalar_signed_to_unsigned_q MLK_NAMESPACE(scalar_signed_to_unsigned_q) -uint16_t scalar_signed_to_unsigned_q(int16_t c); +#define mlk_scalar_signed_to_unsigned_q MLK_NAMESPACE(scalar_signed_to_unsigned_q) +uint16_t mlk_scalar_signed_to_unsigned_q(int16_t c); void harness(void) { int16_t u; /* Contracts for this function are in poly.h */ - uint16_t d = scalar_signed_to_unsigned_q(u); + uint16_t d = mlk_scalar_signed_to_unsigned_q(u); } diff --git a/proofs/cbmc/sha3_256/Makefile b/proofs/cbmc/sha3_256/Makefile index ed91efda3..3bde0b5ea 100644 --- a/proofs/cbmc/sha3_256/Makefile +++ b/proofs/cbmc/sha3_256/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_256 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_absorb_once $(MLK_NAMESPACE)keccak_squeeze_once +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_absorb_once $(MLK_NAMESPACE)mlk_keccak_squeeze_once APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/sha3_512/Makefile b/proofs/cbmc/sha3_512/Makefile index d76e3a489..791ee3dda 100644 --- a/proofs/cbmc/sha3_512/Makefile +++ b/proofs/cbmc/sha3_512/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)sha3_512 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_absorb_once $(MLK_NAMESPACE)keccak_squeeze_once +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_absorb_once $(MLK_NAMESPACE)mlk_keccak_squeeze_once APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/shake128_absorb_once/Makefile b/proofs/cbmc/shake128_absorb_once/Makefile index 33e42485c..d5417709c 100644 --- a/proofs/cbmc/shake128_absorb_once/Makefile +++ b/proofs/cbmc/shake128_absorb_once/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake128_absorb_once -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_absorb_once +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_absorb_once APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/shake128_squeezeblocks/Makefile b/proofs/cbmc/shake128_squeezeblocks/Makefile index 53fe85de0..ec4c16d95 100644 --- a/proofs/cbmc/shake128_squeezeblocks/Makefile +++ b/proofs/cbmc/shake128_squeezeblocks/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake128_squeezeblocks -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_squeezeblocks +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_squeezeblocks APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/shake128x4_absorb_once/Makefile b/proofs/cbmc/shake128x4_absorb_once/Makefile index 63a12b0f5..3841d5488 100644 --- a/proofs/cbmc/shake128x4_absorb_once/Makefile +++ b/proofs/cbmc/shake128x4_absorb_once/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202x4.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake128x4_absorb_once -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_absorb_once_x4 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_absorb_once_x4 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/shake128x4_squeezeblocks/Makefile b/proofs/cbmc/shake128x4_squeezeblocks/Makefile index d59047c70..6f13009d4 100644 --- a/proofs/cbmc/shake128x4_squeezeblocks/Makefile +++ b/proofs/cbmc/shake128x4_squeezeblocks/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202x4.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake128x4_squeezeblocks -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_squeezeblocks_x4 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_squeezeblocks_x4 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/shake256/Makefile b/proofs/cbmc/shake256/Makefile index 75170af94..7e5515c62 100644 --- a/proofs/cbmc/shake256/Makefile +++ b/proofs/cbmc/shake256/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake256 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_absorb_once $(MLK_NAMESPACE)keccak_squeeze_once +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_absorb_once $(MLK_NAMESPACE)mlk_keccak_squeeze_once APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/proofs/cbmc/shake256x4/Makefile b/proofs/cbmc/shake256x4/Makefile index d7160c9c6..d29369fdc 100644 --- a/proofs/cbmc/shake256x4/Makefile +++ b/proofs/cbmc/shake256x4/Makefile @@ -19,7 +19,7 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mlkem/fips202/fips202x4.c CHECK_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)shake256x4 -USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)keccak_absorb_once_x4 $(MLK_NAMESPACE)keccak_squeezeblocks_x4 +USE_FUNCTION_CONTRACTS=$(MLK_NAMESPACE)mlk_keccak_absorb_once_x4 $(MLK_NAMESPACE)mlk_keccak_squeezeblocks_x4 APPLY_LOOP_CONTRACTS=on USE_DYNAMIC_FRAMES=1 diff --git a/scripts/autogen b/scripts/autogen index 017ca3d39..3525391bc 100755 --- a/scripts/autogen +++ b/scripts/autogen @@ -118,13 +118,13 @@ def gen_c_zeta_file(dry_run=False): yield " * Table of zeta values used in the reference NTT and inverse NTT." yield " * See autogen for details." yield " */" - yield "MLK_ALIGN const int16_t zetas[128] = {" + yield "MLK_ALIGN const int16_t mlk_zetas[128] = {" yield from map(lambda t: str(t) + ",", gen_c_zetas()) yield "};" yield "" yield "#else /* MLK_MULTILEVEL_BUILD_NO_SHARED */" yield "" - yield "MLK_EMPTY_CU(zetas)" + yield "MLK_EMPTY_CU(mlk_zetas)" yield "" yield "#endif /* MLK_MULTILEVEL_BUILD_NO_SHARED */" yield "" @@ -335,11 +335,11 @@ def gen_aarch64_fwd_ntt_zeta_file(dry_run=False): yield " * Table of zeta values used in the AArch64 forward NTT" yield " * See autogen for details." yield " */" - yield "MLK_ALIGN const int16_t aarch64_ntt_zetas_layer01234[] = {" + yield "MLK_ALIGN const int16_t mlk_aarch64_ntt_zetas_layer01234[] = {" yield from map(lambda t: str(t) + ",", gen_aarch64_fwd_ntt_zetas_layer01234()) yield "};" yield "" - yield "MLK_ALIGN const int16_t aarch64_ntt_zetas_layer56[] = {" + yield "MLK_ALIGN const int16_t mlk_aarch64_ntt_zetas_layer56[] = {" yield from map(lambda t: str(t) + ",", gen_aarch64_fwd_ntt_zetas_layer56()) yield "};" yield "" @@ -347,7 +347,7 @@ def gen_aarch64_fwd_ntt_zeta_file(dry_run=False): yield from map(lambda t: str(t) + ",", gen_aarch64_inv_ntt_zetas_layer01234()) yield "};" yield "" - yield "MLK_ALIGN const int16_t aarch64_invntt_zetas_layer56[] = {" + yield "MLK_ALIGN const int16_t mlk_aarch64_invntt_zetas_layer56[] = {" yield from map(lambda t: str(t) + ",", gen_aarch64_inv_ntt_zetas_layer56()) yield "};" yield "" @@ -416,7 +416,7 @@ def gen_aarch64_rej_uniform_table(dry_run=False): yield " * Lookup table used by rejection sampling of the public matrix." yield " * See autogen for details." yield " */" - yield "MLK_ALIGN const uint8_t rej_uniform_table[] = {" + yield "MLK_ALIGN const uint8_t mlk_rej_uniform_table[] = {" yield from map(lambda t: str(t) + ",", gen_aarch64_rej_uniform_table_rows()) yield "};" yield "" @@ -475,7 +475,7 @@ def gen_avx2_rej_uniform_table(dry_run=False): yield " * Lookup table used by rejection sampling of the public matrix." yield " * See autogen for details." yield " */" - yield "MLK_ALIGN const uint8_t rej_uniform_table[256][8] = {" + yield "MLK_ALIGN const uint8_t mlk_rej_uniform_table[256][8] = {" yield from map(lambda t: str(t) + ",", gen_avx2_rej_uniform_table_rows()) yield "};" yield "" diff --git a/test/bench_components_mlkem.c b/test/bench_components_mlkem.c index f7b46983c..5a543ada3 100644 --- a/test/bench_components_mlkem.c +++ b/test/bench_components_mlkem.c @@ -73,142 +73,142 @@ static int bench(void) BENCH("keccak-f1600-x1", KeccakF1600_StatePermute(data0)) BENCH("keccak-f1600-x4", KeccakF1600x4_StatePermute(data0)) - BENCH("poly_rej_uniform", poly_rej_uniform((poly *)data0, (uint8_t *)data1)) - BENCH("poly_rej_uniform_x4", poly_rej_uniform_x4((poly *)data0, seed)) + BENCH("mlk_poly_rej_uniform", mlk_poly_rej_uniform((mlk_poly *)data0, (uint8_t *)data1)) + BENCH("mlk_poly_rej_uniform_x4", mlk_poly_rej_uniform_x4((mlk_poly *)data0, seed)) - /* poly */ - /* poly_compress_du */ - BENCH("poly_compress_du", poly_compress_du((uint8_t *)data0, (poly *)data1)) + /* mlk_poly */ + /* mlk_poly_compress_du */ + BENCH("mlk_poly_compress_du", mlk_poly_compress_du((uint8_t *)data0, (mlk_poly *)data1)) - /* poly_decompress_du */ - BENCH("poly_decompress_du", - poly_decompress_du((poly *)data0, (uint8_t *)data1)) + /* mlk_poly_decompress_du */ + BENCH("mlk_poly_decompress_du", + mlk_poly_decompress_du((mlk_poly *)data0, (uint8_t *)data1)) - /* poly_compress_dv */ - BENCH("poly_compress_dv", poly_compress_dv((uint8_t *)data0, (poly *)data1)) + /* mlk_poly_compress_dv */ + BENCH("mlk_poly_compress_dv", mlk_poly_compress_dv((uint8_t *)data0, (mlk_poly *)data1)) - /* poly_decompress_dv */ - BENCH("poly_decompress_dv", - poly_decompress_dv((poly *)data0, (uint8_t *)data1)) + /* mlk_poly_decompress_dv */ + BENCH("mlk_poly_decompress_dv", + mlk_poly_decompress_dv((mlk_poly *)data0, (uint8_t *)data1)) - /* poly_tobytes */ - BENCH("poly_tobytes", poly_tobytes((uint8_t *)data0, (poly *)data1)) + /* mlk_poly_tobytes */ + BENCH("mlk_poly_tobytes", mlk_poly_tobytes((uint8_t *)data0, (mlk_poly *)data1)) - /* poly_frombytes */ - BENCH("poly_frombytes", poly_frombytes((poly *)data0, (uint8_t *)data1)) + /* mlk_poly_frombytes */ + BENCH("mlk_poly_frombytes", mlk_poly_frombytes((mlk_poly *)data0, (uint8_t *)data1)) - /* poly_frommsg */ - BENCH("poly_frommsg", poly_frommsg((poly *)data0, (uint8_t *)data1)) + /* mlk_poly_frommsg */ + BENCH("mlk_poly_frommsg", mlk_poly_frommsg((mlk_poly *)data0, (uint8_t *)data1)) - /* poly_tomsg */ - BENCH("poly_tomsg", poly_tomsg((uint8_t *)data0, (poly *)data1)) + /* mlk_poly_tomsg */ + BENCH("mlk_poly_tomsg", mlk_poly_tomsg((uint8_t *)data0, (mlk_poly *)data1)) - /* poly_getnoise_eta1_4x */ - BENCH("poly_getnoise_eta1_4x", - poly_getnoise_eta1_4x((poly *)data0, (poly *)data1, (poly *)data2, - (poly *)data3, (uint8_t *)data4, nonce0, nonce1, + /* mlk_poly_getnoise_eta1_4x */ + BENCH("mlk_poly_getnoise_eta1_4x", + mlk_poly_getnoise_eta1_4x((mlk_poly *)data0, (mlk_poly *)data1, (mlk_poly *)data2, + (mlk_poly *)data3, (uint8_t *)data4, nonce0, nonce1, nonce2, nonce3)) #if MLKEM_K == 2 || MLKEM_K == 4 - /* poly_getnoise_eta2 */ - BENCH("poly_getnoise_eta2", - poly_getnoise_eta2((poly *)data0, (uint8_t *)data1, nonce0)) + /* mlk_poly_getnoise_eta2 */ + BENCH("mlk_poly_getnoise_eta2", + mlk_poly_getnoise_eta2((mlk_poly *)data0, (uint8_t *)data1, nonce0)) #endif #if MLKEM_K == 2 - /* poly_getnoise_eta1122_4x */ - BENCH("poly_getnoise_eta1122_4x", - poly_getnoise_eta1122_4x((poly *)data0, (poly *)data1, (poly *)data2, - (poly *)data3, (uint8_t *)data4, nonce0, + /* mlk_poly_getnoise_eta1122_4x */ + BENCH("mlk_poly_getnoise_eta1122_4x", + mlk_poly_getnoise_eta1122_4x((mlk_poly *)data0, (mlk_poly *)data1, (mlk_poly *)data2, + (mlk_poly *)data3, (uint8_t *)data4, nonce0, nonce1, nonce2, nonce3)) #endif - /* poly_tomont */ - BENCH("poly_tomont", poly_tomont((poly *)data0)) + /* mlk_poly_tomont */ + BENCH("mlk_poly_tomont", mlk_poly_tomont((mlk_poly *)data0)) - /* poly_mulcache_compute */ - BENCH("poly_mulcache_compute", - poly_mulcache_compute((poly_mulcache *)data0, (poly *)data1)) + /* mlk_poly_mulcache_compute */ + BENCH("mlk_poly_mulcache_compute", + mlk_poly_mulcache_compute((mlk_poly_mulcache *)data0, (mlk_poly *)data1)) - /* poly_reduce */ - BENCH("poly_reduce", poly_reduce((poly *)data0)) + /* mlk_poly_reduce */ + BENCH("mlk_poly_reduce", mlk_poly_reduce((mlk_poly *)data0)) - /* poly_add */ - BENCH("poly_add", poly_add((poly *)data0, (poly *)data1)) + /* mlk_poly_add */ + BENCH("mlk_poly_add", mlk_poly_add((mlk_poly *)data0, (mlk_poly *)data1)) - /* poly_sub */ - BENCH("poly_sub", poly_sub((poly *)data0, (poly *)data1)) + /* mlk_poly_sub */ + BENCH("mlk_poly_sub", mlk_poly_sub((mlk_poly *)data0, (mlk_poly *)data1)) - /* polyvec */ - /* polyvec_compress_du */ - BENCH("polyvec_compress_du", - polyvec_compress_du((uint8_t *)data0, (polyvec *)data1)) + /* mlk_polyvec */ + /* mlk_polyvec_compress_du */ + BENCH("mlk_polyvec_compress_du", + mlk_polyvec_compress_du((uint8_t *)data0, (mlk_polyvec *)data1)) - /* polyvec_decompress_du */ - BENCH("polyvec_decompress_du", - polyvec_decompress_du((polyvec *)data0, (uint8_t *)data1)) + /* mlk_polyvec_decompress_du */ + BENCH("mlk_polyvec_decompress_du", + mlk_polyvec_decompress_du((mlk_polyvec *)data0, (uint8_t *)data1)) - /* polyvec_tobytes */ - BENCH("polyvec_tobytes", polyvec_tobytes((uint8_t *)data0, (polyvec *)data1)) + /* mlk_polyvec_tobytes */ + BENCH("mlk_polyvec_tobytes", mlk_polyvec_tobytes((uint8_t *)data0, (mlk_polyvec *)data1)) - /* polyvec_frombytes */ - BENCH("polyvec_frombytes", - polyvec_frombytes((polyvec *)data0, (uint8_t *)data1)) + /* mlk_polyvec_frombytes */ + BENCH("mlk_polyvec_frombytes", + mlk_polyvec_frombytes((mlk_polyvec *)data0, (uint8_t *)data1)) - /* polyvec_ntt */ - BENCH("polyvec_ntt", polyvec_ntt((polyvec *)data0)) + /* mlk_polyvec_ntt */ + BENCH("mlk_polyvec_ntt", mlk_polyvec_ntt((mlk_polyvec *)data0)) - /* polyvec_invntt_tomont */ - BENCH("polyvec_invntt_tomont", polyvec_invntt_tomont((polyvec *)data0)) + /* mlk_polyvec_invntt_tomont */ + BENCH("mlk_polyvec_invntt_tomont", mlk_polyvec_invntt_tomont((mlk_polyvec *)data0)) - /* polyvec_basemul_acc_montgomery_cached */ - BENCH("polyvec_basemul_acc_montgomery_cached", - polyvec_basemul_acc_montgomery_cached((poly *)data0, (polyvec *)data1, - (polyvec *)data2, - (polyvec_mulcache *)data3)) + /* mlk_polyvec_basemul_acc_montgomery_cached */ + BENCH("mlk_polyvec_basemul_acc_montgomery_cached", + mlk_polyvec_basemul_acc_montgomery_cached((mlk_poly *)data0, (mlk_polyvec *)data1, + (mlk_polyvec *)data2, + (mlk_polyvec_mulcache *)data3)) - /* polyvec_mulcache_compute */ - BENCH("polyvec_mulcache_compute", - polyvec_mulcache_compute((polyvec_mulcache *)data0, (polyvec *)data1)) + /* mlk_polyvec_mulcache_compute */ + BENCH("mlk_polyvec_mulcache_compute", + mlk_polyvec_mulcache_compute((mlk_polyvec_mulcache *)data0, (mlk_polyvec *)data1)) - /* polyvec_reduce */ - BENCH("polyvec_reduce", polyvec_reduce((polyvec *)data0)) + /* mlk_polyvec_reduce */ + BENCH("mlk_polyvec_reduce", mlk_polyvec_reduce((mlk_polyvec *)data0)) - /* polyvec_add */ - BENCH("polyvec_add", polyvec_add((polyvec *)data0, (polyvec *)data1)) + /* mlk_polyvec_add */ + BENCH("mlk_polyvec_add", mlk_polyvec_add((mlk_polyvec *)data0, (mlk_polyvec *)data1)) - /* polyvec_tomont */ - BENCH("polyvec_tomont", polyvec_tomont((polyvec *)data0)) + /* mlk_polyvec_tomont */ + BENCH("mlk_polyvec_tomont", mlk_polyvec_tomont((mlk_polyvec *)data0)) /* indcpa */ - /* gen_matrix */ - BENCH("gen_matrix", gen_matrix((polyvec *)data0, (uint8_t *)data1, 0)) + /* mlk_gen_matrix */ + BENCH("mlk_gen_matrix", mlk_gen_matrix((mlk_polyvec *)data0, (uint8_t *)data1, 0)) #if defined(MLK_ARITH_BACKEND_AARCH64_CLEAN) BENCH("ntt-clean", - ntt_asm_clean((int16_t *)data0, (int16_t *)data1, (int16_t *)data2)); + mlk_ntt_asm_clean((int16_t *)data0, (int16_t *)data1, (int16_t *)data2)); BENCH("intt-clean", - intt_asm_clean((int16_t *)data0, (int16_t *)data1, (int16_t *)data2)); - BENCH("poly-reduce-clean", poly_reduce_asm_clean((int16_t *)data0)); - BENCH("poly-tomont-clean", poly_tomont_asm_clean((int16_t *)data0)); - BENCH("poly-tobytes-clean", - poly_tobytes_asm_clean((uint8_t *)data0, (int16_t *)data1)); - BENCH("poly-mulcache-compute-clean", + mlk_intt_asm_clean((int16_t *)data0, (int16_t *)data1, (int16_t *)data2)); + BENCH("mlk_poly-reduce-clean", mlk_poly_reduce_asm_clean((int16_t *)data0)); + BENCH("mlk_poly-tomont-clean", mlk_poly_tomont_asm_clean((int16_t *)data0)); + BENCH("mlk_poly-tobytes-clean", + mlk_poly_tobytes_asm_clean((uint8_t *)data0, (int16_t *)data1)); + BENCH("mlk_poly-mulcache-compute-clean", poly_mulcache_compute_asm_clean((int16_t *)data0, (int16_t *)data1, (int16_t *)data2, (int16_t *)data3)); #if MLKEM_K == 2 - BENCH("polyvec-basemul-acc-montgomery-cached-asm-clean", + BENCH("mlk_polyvec-basemul-acc-montgomery-cached-asm-clean", polyvec_basemul_acc_montgomery_cached_asm_k2_clean( (int16_t *)data0, (int16_t *)data1, (int16_t *)data2, (int16_t *)data3)); #elif MLKEM_K == 3 - BENCH("polyvec-basemul-acc-montgomery-cached-asm-clean", + BENCH("mlk_polyvec-basemul-acc-montgomery-cached-asm-clean", polyvec_basemul_acc_montgomery_cached_asm_k3_clean( (int16_t *)data0, (int16_t *)data1, (int16_t *)data2, (int16_t *)data3)); #elif MLKEM_K == 4 - BENCH("polyvec-basemul-acc-montgomery-cached-asm-clean", + BENCH("mlk_polyvec-basemul-acc-montgomery-cached-asm-clean", polyvec_basemul_acc_montgomery_cached_asm_k4_clean( (int16_t *)data0, (int16_t *)data1, (int16_t *)data2, (int16_t *)data3)); @@ -217,26 +217,26 @@ static int bench(void) #if defined(MLK_ARITH_BACKEND_AARCH64_OPT) BENCH("ntt-opt", - ntt_asm_opt((int16_t *)data0, (int16_t *)data1, (int16_t *)data2)); + mlk_ntt_asm_opt((int16_t *)data0, (int16_t *)data1, (int16_t *)data2)); BENCH("intt-opt", - intt_asm_opt((int16_t *)data0, (int16_t *)data1, (int16_t *)data2)); - BENCH("poly-reduce-opt", poly_reduce_asm_opt((int16_t *)data0)); - BENCH("poly-tomont-opt", poly_tomont_asm_opt((int16_t *)data0)); - BENCH("poly-mulcache-compute-opt", + mlk_intt_asm_opt((int16_t *)data0, (int16_t *)data1, (int16_t *)data2)); + BENCH("mlk_poly-reduce-opt", mlk_poly_reduce_asm_opt((int16_t *)data0)); + BENCH("mlk_poly-tomont-opt", mlk_poly_tomont_asm_opt((int16_t *)data0)); + BENCH("mlk_poly-mulcache-compute-opt", poly_mulcache_compute_asm_opt((int16_t *)data0, (int16_t *)data1, (int16_t *)data2, (int16_t *)data3)); #if MLKEM_K == 2 - BENCH("polyvec-basemul-acc-montgomery-cached-asm-opt", + BENCH("mlk_polyvec-basemul-acc-montgomery-cached-asm-opt", polyvec_basemul_acc_montgomery_cached_asm_k2_opt( (int16_t *)data0, (int16_t *)data1, (int16_t *)data2, (int16_t *)data3)); #elif MLKEM_K == 3 - BENCH("polyvec-basemul-acc-montgomery-cached-asm-opt", + BENCH("mlk_polyvec-basemul-acc-montgomery-cached-asm-opt", polyvec_basemul_acc_montgomery_cached_asm_k3_opt( (int16_t *)data0, (int16_t *)data1, (int16_t *)data2, (int16_t *)data3)); #elif MLKEM_K == 4 - BENCH("polyvec-basemul-acc-montgomery-cached-asm-opt", + BENCH("mlk_polyvec-basemul-acc-montgomery-cached-asm-opt", polyvec_basemul_acc_montgomery_cached_asm_k4_opt( (int16_t *)data0, (int16_t *)data1, (int16_t *)data2, (int16_t *)data3)); diff --git a/test/test_mlkem.c b/test/test_mlkem.c index d8b739f88..68353d4d2 100644 --- a/test/test_mlkem.c +++ b/test/test_mlkem.c @@ -246,30 +246,30 @@ static int test_poly_compress_no_overflow(void) #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || (MLKEM_K == 2 || MLKEM_K == 3) { uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4]; - poly s; + mlk_poly s; memset((uint8_t *)&s, 0, sizeof(s)); - poly_compress_d4(r, &s); + mlk_poly_compress_d4(r, &s); } { uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4]; - poly s; + mlk_poly s; memset(r, 0, sizeof(r)); - poly_decompress_d4(&s, r); + mlk_poly_decompress_d4(&s, r); } { uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10]; - poly s; + mlk_poly s; memset((uint8_t *)&s, 0, sizeof(s)); - poly_compress_d10(r, &s); + mlk_poly_compress_d10(r, &s); } { uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10]; - poly s; + mlk_poly s; memset(r, 0, sizeof(r)); - poly_decompress_d10(&s, r); + mlk_poly_decompress_d10(&s, r); } #endif /* defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || (MLKEM_K == 2 \ || MLKEM_K == 3) */ @@ -277,30 +277,30 @@ static int test_poly_compress_no_overflow(void) #if defined(MLK_MULTILEVEL_BUILD_WITH_SHARED) || MLKEM_K == 4 { uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5]; - poly s; + mlk_poly s; memset((uint8_t *)&s, 0, sizeof(s)); - poly_compress_d5(r, &s); + mlk_poly_compress_d5(r, &s); } { uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5]; - poly s; + mlk_poly s; memset(r, 0, sizeof(r)); - poly_decompress_d5(&s, r); + mlk_poly_decompress_d5(&s, r); } { uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11]; - poly s; + mlk_poly s; memset((uint8_t *)&s, 0, sizeof(s)); - poly_compress_d11(r, &s); + mlk_poly_compress_d11(r, &s); } { uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11]; - poly s; + mlk_poly s; memset(r, 0, sizeof(r)); - poly_decompress_d11(&s, r); + mlk_poly_decompress_d11(&s, r); } #endif /* MLK_MULTILEVEL_BUILD_WITH_SHARED || MLKEM_K == 4 */