diff --git a/CHANGELOG.md b/CHANGELOG.md index 909b84aeb5..bdcdf08504 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- [#1399](https://github.com/cryspen/libcrux/pull/1399): Add a Rust spec for SHA-3 + ### Removed - [#1391](https://github.com/cryspen/libcrux/pull/1391): Remove support for HMAC-SHA1 diff --git a/Cargo.toml b/Cargo.toml index bc88097630..7981e5e688 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -87,7 +87,7 @@ readme = "Readme.md" allow-branch = ["main"] [workspace.dependencies] -hax-lib = { version = "=0.3.6" } +hax-lib = { git = "https://github.com/cryspen/hax", branch = "integer-lemmas" } libcrux-aead = { version = "=0.0.7", path = "crates/primitives/aead" } libcrux-aesgcm = { version = "=0.0.7", path = "crates/algorithms/aesgcm" } libcrux-blake2 = { version = "=0.0.6", path = "crates/algorithms/blake2" } @@ -234,6 +234,9 @@ rand_chacha = { version = "0.10.0" } getrandom = { version = "0.4" } wasm-bindgen-test = "0.3" +[patch.crates-io] +hax-lib = { git = "https://github.com/cryspen/hax", branch = "integer-lemmas" } + [profile.release] lto = "fat" codegen-units = 1 diff --git a/crates/algorithms/sha3/Cargo.toml b/crates/algorithms/sha3/Cargo.toml index 642ec7ffc3..d45f88c98b 100644 --- a/crates/algorithms/sha3/Cargo.toml +++ b/crates/algorithms/sha3/Cargo.toml @@ -34,6 +34,7 @@ rand = "0.10" cavp = { path = "../../../cavp" } pretty_env_logger = "0.5.0" clap = { version = "4.5.39", features = ["derive"] } +hacspec_sha3 = { path = "../../../specs/sha3" } [lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(hax)', 'cfg(eurydice)'] } diff --git a/crates/algorithms/sha3/hax.sh b/crates/algorithms/sha3/hax.sh index b3572ecdb5..54c7d50884 100755 --- a/crates/algorithms/sha3/hax.sh +++ b/crates/algorithms/sha3/hax.sh 
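Review bot: The new `hax-lib` entry under `[workspace.dependencies]` swaps the exact pin `=0.3.6` for a git dependency on the `integer-lemmas` branch, a mutable ref, so the code that gets built is whatever that branch points to when the dependency is resolved. The same branch spec is repeated in the added `[patch.crates-io]` table in the second Cargo.toml hunk, which also redirects every other request for the crates.io `hax-lib` in the graph to it. For a cryptographic library I would pin the commit in both places, `hax-lib = { git = "https://github.com/cryspen/hax", rev = "<commit-sha>" }`, and put a comment above it such as `# temporary: return to an exact crates.io version once integer-lemmas is released`. A git-only entry with no `version` will probably also block `cargo publish` for workspace members that inherit it, which is worth confirming before this reaches `main`.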
@@ -1,6 +1,15 @@ #!/usr/bin/env bash set -ex +# GNU sed: system `sed` on Linux is already GNU sed; on macOS the system +# `sed` is BSD and rejects the GNU `-i` form, so we need `gsed` (Homebrew +# `gnu-sed` package) there. Detect at script start and route through $SED. +if [ "$(uname)" = "Darwin" ]; then + SED="gsed" +else + SED="sed" +fi + function extract_all() { extract crates/sys/platform \ into -i "+:** -**::x86::init::cpuid -**::x86::init::cpuid_count" \ @@ -79,14 +88,14 @@ function rename_core_models_files() { new_filename="Libcrux_core_models${filename#Core_models}" mv "$file" "$dir_path/$new_filename" done - find "$target_dir" -type f \( -name "*.fst" -o -name "*.fsti" \) -exec sed -i'' \ + find "$target_dir" -type f \( -name "*.fst" -o -name "*.fsti" \) -exec "$SED" -i \ -e 's/module Core_models/module Libcrux_core_models/g' \ {} + } function rename_core_models_uses() { local target_dir="proofs/fstar/extraction" - find "$target_dir" -type f \( -name "*.fst" -o -name "*.fsti" \) -exec sed -i'' \ + find "$target_dir" -type f \( -name "*.fst" -o -name "*.fsti" \) -exec "$SED" -i \ -e 's/Core_models\.Abstractions/Libcrux_core_models.Abstractions/g' \ -e 's/Core_models\.Core_arch/Libcrux_core_models.Core_arch/g' \ {} + diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.Generic.fst.hints b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.Generic.fst.hints new file mode 100644 index 0000000000..9c8cc3c70b --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.Generic.fst.hints 
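Review bot: The added block at the top of the script selects `gsed` on Darwin but never checks that the binary exists. A missing Homebrew `gnu-sed` therefore only surfaces when `find … -exec "$SED" -i` runs in `rename_core_models_files` and `rename_core_models_uses` (second hunk), presumably after the extraction work has already been done. I would fail fast right after the `fi`, with `command -v "$SED" >/dev/null || { echo "GNU sed ('$SED') not found; on macOS install gnu-sed" >&2; exit 1; }`. `rename_core_models_files` starts before the second hunk and `rename_core_models_uses` ends after it, so the rest of both bodies is not visible here.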
@@ -0,0 +1,7400 @@ +[ + "cfd0c1168d0d7254892ae6bd37ad5110", + [ + [ + "EquivImplSpec.Keccakf.Generic.lane_correctness", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Default_interpretation_Tm_arrow_f79f443c37bb02fdda6707946d9ff7b5", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_14fb90547f351ab07ca712b900f4aa9c", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_d245029c1ada73d7d1bf89db35ec75ad", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_fc7e65ad6336f7f6cba4ba6c5c93e81b", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + 
"fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_and_not_xor_pre", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_rotate_left1_and_xor_pre", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_pre", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_constant_pre", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_pre", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_zero_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_e15422d7e08b3699e1d0be0bba6b3258", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_and_not_xor_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_rotate_left1_and_xor_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor5_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + 
"token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_constant_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_zero_pre", + "typing_Rust_primitives.Integers.bits", + "typing_tok_Rust_primitives.Integers.U32@tok", "unit_typing" + ], + 0, + "1c04ad7235dc5d03e40ee3fb626cebdb" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_zero", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Core_models.Default_interpretation_Tm_arrow_f79f443c37bb02fdda6707946d9ff7b5", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThanOrEqual", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_zero_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_zero_pre", + "unit_typing" + ], + 0, + "77144c9026cdee3c11b785980937e11e" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_zero", + 2, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + 
"Core_models.Default_interpretation_Tm_arrow_f79f443c37bb02fdda6707946d9ff7b5", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThanOrEqual", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_zero_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_zero_pre", + "unit_typing" + ], + 0, + "78c6928bda29c03ae67b4ebf3b1826b1" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_xor5", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_14fb90547f351ab07ca712b900f4aa9c", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor5_pre" + ], + 0, + "9ff9ece692416cc232b36608e4483e1d" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_xor5", + 2, + 0, + 1, + [ + 
"@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_14fb90547f351ab07ca712b900f4aa9c", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor5_pre" + ], + 0, + "54fc56da2e7c981951192ef6090a523b" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_rotate_left1_and_xor", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_rotate_left1_and_xor_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_rotate_left1_and_xor_pre", + "typing_Rust_primitives.Integers.bits", + "typing_tok_Rust_primitives.Integers.U32@tok" + ], 
+ 0, + "11cbb0b8e4a12445040766f4169a67ac" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_rotate_left1_and_xor", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_rotate_left1_and_xor_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_rotate_left1_and_xor_pre", + "typing_Rust_primitives.Integers.bits", + "typing_tok_Rust_primitives.Integers.U32@tok" + ], + 0, + "364a2e27b5d7441ac3e244fa70188a52" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_xor_and_rotate", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + "bool_inversion", "bool_typing", + 
"constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_e15422d7e08b3699e1d0be0bba6b3258", + 
"token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "70664206ac9652e192c6d4ce89ce3977" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_xor_and_rotate", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_LessThan", 
"primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_e15422d7e08b3699e1d0be0bba6b3258", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + "typing_Rust_primitives.Integers.range", + "typing_tok_Rust_primitives.Integers.I32@tok" + ], + 0, + "d0f927b227ce5755782733474f39364d" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_and_not_xor", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_d245029c1ada73d7d1bf89db35ec75ad", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_and_not_xor_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_and_not_xor_pre" + ], + 0, + "c67d8cc2e88e1bec8988ca63b53f6678" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_and_not_xor", + 2, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_d245029c1ada73d7d1bf89db35ec75ad", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_and_not_xor_pre", + 
"refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_and_not_xor_pre" + ], + 0, + "290b20e7f3eaf865f3401193bca0c109" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_xor_constant", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_fc7e65ad6336f7f6cba4ba6c5c93e81b", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equation_Rust_primitives.Integers.u64", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_constant_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_constant_pre" + ], + 0, + "18ff05c82610d7c5759a841704e6dea6" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_xor_constant", + 2, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_fc7e65ad6336f7f6cba4ba6c5c93e81b", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equation_Rust_primitives.Integers.u64", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_constant_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_constant_pre" + ], + 0, + "42fe370824481440df29d6296ef246aa" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_xor", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + 
"Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_pre" + ], + 0, + "288b4446fd7cf6abb9af65ee7f9dd28e" + ], + [ + "EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lc_xor", + 2, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_pre" + ], + 0, + "f87e28c498d451830f4a6bdf000a9c8d" + ], + [ + "EquivImplSpec.Keccakf.Generic.extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + 
"equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "426676599c52349aabfe94449ba274ad" + ], + [ + "EquivImplSpec.Keccakf.Generic.extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + 
"equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "8bfaef57333a6871469c0309620e345f" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "EquivImplSpec.Keccakf.Generic_interpretation_Tm_arrow_8b678892006cf2d6c10ea41e3d2d679c", + "Rust_primitives.Arrays_interpretation_Tm_arrow_0d263c675f2f6a422e85e8ffa504d5e2", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + 
"fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f77d40a5bab95afb5a5de03b74ce0905", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_EquivImplSpec.Keccakf.Generic.Mklane_correctness_@lane", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_34fdf9130d622ae6fab26403fbb8e0fc", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_414b3103e63acaca337a620ee42bb932", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_a8076bead62d5007a50ce0971afcd85d", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_eea4a7aaf0d9fd792b6bd561042bfd5e", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + 
"token_correspondence_EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lane", + "typing_Rust_primitives.Arrays.createi", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Tm_abs_f77d40a5bab95afb5a5de03b74ce0905", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "e0cbe84bdf312dd70e19a1d58cef4c09" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "eb3bc6117394b5689231af5ea5ec3751" + ], + [ + "EquivImplSpec.Keccakf.Generic.lane_xor5", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_14fb90547f351ab07ca712b900f4aa9c", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_pre", + 
"refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor5_pre" + ], + 0, + "7d88233e3fed4442dddb98c1d5218660" + ], + [ + "EquivImplSpec.Keccakf.Generic.lane_rotate_left1_and_xor", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_rotate_left1_and_xor_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_rotate_left1_and_xor_pre", + "typing_Rust_primitives.Integers.bits", + "typing_tok_Rust_primitives.Integers.U32@tok" + ], + 0, + "c3f8519ba28eb27c42351bc6addc0a89" + ], + [ + "EquivImplSpec.Keccakf.Generic.lane_xor_and_rotate", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + 
"bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + 
"refinement_interpretation_Tm_refine_e15422d7e08b3699e1d0be0bba6b3258", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "7d56344d048dacd03a2d13a2242f5e61" + ], + [ + "EquivImplSpec.Keccakf.Generic.lane_and_not_xor", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_d245029c1ada73d7d1bf89db35ec75ad", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_and_not_xor_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_and_not_xor_pre" + ], + 0, + "10dbcbb3f284555b7204ae0fa5efe6e8" + ], + [ + "EquivImplSpec.Keccakf.Generic.lane_xor_constant", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_fc7e65ad6336f7f6cba4ba6c5c93e81b", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equation_Rust_primitives.Integers.u64", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_constant_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_constant_pre" + ], + 0, + "cf8670e784a7f149dadd6ee341e37aa4" + ], + [ + "EquivImplSpec.Keccakf.Generic.lane_xor", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + 
"fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_pre", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_pre" + ], + 0, + "a7aeebcd17553e2641bf6eecefc83c11" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_FStar.List.Tot.Base.length.fuel_instrumented", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "FStar.Seq.Base_pretyping_aec2ec0359b5151fd30ba679a2daadcd", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_14fb90547f351ab07ca712b900f4aa9c", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_1cea0b54efde622bbe567dae4f0b833f", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_277be3292b03d320a19b8fc80d9e10d9", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_FStar.Pervasives.Native.Mktuple2", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "data_typing_intro_Prims.Cons@tok", + "data_typing_intro_Prims.Nil@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_FStar.Seq.Base.op_At_Bar", + "equation_Libcrux_sha3.Generic_keccak.impl_2__theta", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "equation_Libcrux_sha3.Traits.f_xor5", + "equation_Libcrux_sha3.Traits.get_ij", 
"equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_102f42c4ed9c78eb18badb9265620e17", + "interpretation_Tm_abs_44d78164ecd3ae1d873768fc71c8c2e4", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_FStar.Seq.Base.lemma_create_len", + "lemma_FStar.Seq.Base.lemma_index_app1", + "lemma_FStar.Seq.Base.lemma_index_app2", + "lemma_FStar.Seq.Base.lemma_index_create", + "lemma_FStar.Seq.Base.lemma_len_append", + "lemma_FStar.Seq.Base.lemma_seq_of_list_cons", + "lemma_Rust_primitives.Integers.pow2_values", + 
"lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_rotate_left1_and_xor_pre", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_1e174b8c76a3e29ed16766cf8486aae6", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_444061fd0bd0053c4f27fa233082c9ca", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_b21f98b6ca50013c6e539e770c013c08", + "refinement_interpretation_Tm_refine_c1424615841f28cac7fc34e92b7ff33c", + 
"refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_c525f4bc3aa418afe0bd65cc4d0f6cd8", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_rotate_left1_and_xor_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor5_pre", + "token_correspondence_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "token_correspondence_Libcrux_sha3.Traits.f_xor5", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___1", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___2", + "typing_FStar.Seq.Base.create", "typing_FStar.Seq.Base.index", + "typing_FStar.Seq.Base.length", "typing_FStar.Seq.Base.op_At_Bar", + "typing_FStar.Seq.Base.seq_of_list", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__theta", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.mod", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "41f09b85997db8d71706ec8f7121d7b9" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_0_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + 
"Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_277be3292b03d320a19b8fc80d9e10d9", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_c43f4af19cc3c79731899455bf108032", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__rho_0_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_xor", + "equation_Libcrux_sha3.Traits.f_xor_and_rotate", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Prims.pos", "equation_Rust_primitives.Arrays.length", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + 
"equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_1eeff65ff9c3b4718cb125a4d4298f2a", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_6c724cf449e8e345fb2b9fb8cc1b6524", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + 
"proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_719b0b6cc298b94bece7f65126216cde", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_77939974e8de44bb9a3ae869c6571119", + "refinement_interpretation_Tm_refine_93cf6a6e8722379491c94f2cfe70c712", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + 
"refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor", + "token_correspondence_Libcrux_sha3.Traits.f_xor_and_rotate", + "typing_FStar.Seq.Base.index", "typing_FStar.Seq.Base.length", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__set", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Libcrux_sha3.Traits.set_ij", "typing_Prims.pow2", + "typing_Rust_primitives.Arrays.t_Array", + "typing_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_i32", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "078e07bca99fc0cd86f67856ac9a9c40" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_0_generic", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + 
"equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "e22a4fd24ed6dfc0bd97860bb78cb50a" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_1_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_c43f4af19cc3c79731899455bf108032", + "Prims_pretyping_ae567c2fb75be05905677af440075565", "b2t_def", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "data_typing_intro_Libcrux_sha3.Generic_keccak.Mkt_KeccakState@tok", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + 
"equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__rho_1_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_xor_and_rotate", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Prims.pos", "equation_Rust_primitives.Arrays.length", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_1eeff65ff9c3b4718cb125a4d4298f2a", + 
"interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + 
"refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_719b0b6cc298b94bece7f65126216cde", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_77939974e8de44bb9a3ae869c6571119", + "refinement_interpretation_Tm_refine_93cf6a6e8722379491c94f2cfe70c712", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor_and_rotate", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___1", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___2", + "typing_FStar.Seq.Base.length", "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__set", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Libcrux_sha3.Traits.set_ij", "typing_Prims.pow2", + "typing_Rust_primitives.Arrays.t_Array", + 
"typing_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_i32", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "e48b2a3df6f0ee64d5c0f44e65d2e220" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_1_generic", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "ef31a5553febda99ec8a69b4d57a63f0" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_2_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + 
"Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_c43f4af19cc3c79731899455bf108032", + "Prims_pretyping_ae567c2fb75be05905677af440075565", "b2t_def", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__rho_2_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_xor_and_rotate", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Prims.pos", "equation_Rust_primitives.Arrays.length", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + 
"equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_1eeff65ff9c3b4718cb125a4d4298f2a", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + 
"proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_719b0b6cc298b94bece7f65126216cde", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_93cf6a6e8722379491c94f2cfe70c712", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor_and_rotate", + 
"token_correspondence_Prims.pow2.fuel_instrumented", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___1", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___2", + "typing_FStar.Seq.Base.index", "typing_FStar.Seq.Base.length", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Libcrux_sha3.Traits.set_ij", "typing_Prims.pow2", + "typing_Rust_primitives.Arrays.t_Array", + "typing_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_i32", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "3db2740569f967eb9d2d2dd07d4f35b9" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_2_generic", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + 
"refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "07541f77bf680885dbcd515a899371f8" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_3_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_c43f4af19cc3c79731899455bf108032", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__rho_3_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_xor_and_rotate", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Prims.pos", "equation_Rust_primitives.Arrays.length", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + 
"equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_1eeff65ff9c3b4718cb125a4d4298f2a", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", 
"primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_719b0b6cc298b94bece7f65126216cde", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_93cf6a6e8722379491c94f2cfe70c712", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + 
"refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "refinement_interpretation_Tm_refine_e477cd5567f25e8e57e00f0185fa1ab0", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor_and_rotate", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___1", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___2", + "typing_FStar.Seq.Base.index", "typing_FStar.Seq.Base.length", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Libcrux_sha3.Traits.set_ij", "typing_Prims.pow2", + "typing_Rust_primitives.Arrays.t_Array", + "typing_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_i32", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mul", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "f42b62e5adba58220bfaef358ea45a70" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_3_generic", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", 
"equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "b23cb7ae0a7ce88166b9e9e1f3cd7b31" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_4_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_588e8a2db4ba7484c1d6c13b569bd322", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_c43f4af19cc3c79731899455bf108032", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__rho_4_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + 
"equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_xor_and_rotate", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Prims.pos", "equation_Rust_primitives.Arrays.length", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_1eeff65ff9c3b4718cb125a4d4298f2a", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + 
"interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + 
"refinement_interpretation_Tm_refine_719b0b6cc298b94bece7f65126216cde", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_77939974e8de44bb9a3ae869c6571119", + "refinement_interpretation_Tm_refine_93cf6a6e8722379491c94f2cfe70c712", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_97c1e055b7db624f230d5d2c143d20ab", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor_and_rotate", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___1", + "typing_FStar.Pervasives.Native.__proj__Mktuple2__item___2", + "typing_FStar.Seq.Base.index", "typing_FStar.Seq.Base.length", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__set", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Libcrux_sha3.Traits.set_ij", "typing_Prims.pow2", + "typing_Rust_primitives.Arrays.t_Array", + "typing_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_i32", + 
"typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "8d80cc3c740041199273d76604565112" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_4_generic", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "88d5a03afc955273337141eeff61d12f" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_unfold_generic", + 1, + 0, + 1, + [ "@query", "equation_Libcrux_sha3.Generic_keccak.impl_2__rho" ], + 0, + "2a283af55ca81fc2854edb94f466e1a9" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_unfold_generic", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", 
"equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "82fec501e2af44e920b531c109b6d121" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_pi_0_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "FStar.Seq.Base_pretyping_aec2ec0359b5151fd30ba679a2daadcd", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__pi_0_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + 
"equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + 
"proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Libcrux_sha3.Traits.set_ij", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + 
"typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "ed54f1b91d358f606ad5a813f39e43d5" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_pi_1_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "FStar.Seq.Base_pretyping_aec2ec0359b5151fd30ba679a2daadcd", + "Prims_pretyping_ae567c2fb75be05905677af440075565", "b2t_def", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "data_typing_intro_Rust_primitives.Integers.MkInt@tok", + "data_typing_intro_Rust_primitives.Integers.USIZE@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__pi_1_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.length", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + 
"equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + 
"projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_93cf6a6e8722379491c94f2cfe70c712", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.set_ij", + "typing_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "eb169fa794651647b651f0b8f3686e26" + ], + [ + 
"EquivImplSpec.Keccakf.Generic.lemma_pi_2_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "FStar.Seq.Base_pretyping_aec2ec0359b5151fd30ba679a2daadcd", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__pi_2_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.length", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + 
"equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + 
"refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_93cf6a6e8722379491c94f2cfe70c712", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.set_ij", + "typing_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "3f70c98d891a9fd3cce0d6338f4a02e1" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_pi_3_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "FStar.Seq.Base_pretyping_aec2ec0359b5151fd30ba679a2daadcd", + "Prims_pretyping_ae567c2fb75be05905677af440075565", "b2t_def", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + 
"data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__pi_3_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.length", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + 
"interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_93cf6a6e8722379491c94f2cfe70c712", + 
"refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.set_ij", + "typing_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "4cf8f70fc40c79912ccae6c5486670f4" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_pi_4_generic", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "FStar.Seq.Base_pretyping_aec2ec0359b5151fd30ba679a2daadcd", + "Prims_pretyping_ae567c2fb75be05905677af440075565", "b2t_def", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "data_typing_intro_Rust_primitives.Integers.MkInt@tok", + "data_typing_intro_Rust_primitives.Integers.USIZE@tok", + 
"equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Libcrux_sha3.Generic_keccak.impl_2__pi_4_", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + 
"kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + 
"token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Libcrux_sha3.Traits.set_ij", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "c0888ca94ceefc6d9cbd419db2453428" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_pi_unfold_generic", + 1, + 0, + 1, + [ "@query", "equation_Libcrux_sha3.Generic_keccak.impl_2__pi" ], + 0, + "bdb4c03457ff0d1b0a422942efbe5833" + ], + [ + "EquivImplSpec.Keccakf.Generic.spec_c", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", "int_inversion", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThan", 
+ "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_847938addde8752e345bfeed3da70aa7", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "66ea9d64757025d09d6c331ff2ce6772" + ], + [ + "EquivImplSpec.Keccakf.Generic.spec_c", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "3555722813e817d4963eb4a26e1a1067" + ], + [ + 
"EquivImplSpec.Keccakf.Generic.spec_d", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_847938addde8752e345bfeed3da70aa7", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.U32@tok", 
+ "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "d1d279c951952e8e0de080620f0ab357" + ], + [ + "EquivImplSpec.Keccakf.Generic.spec_d", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "f77b6608a31cdae9ca55875aa8685eb5" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_offsets_values", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_FStar.List.Tot.Base.index.fuel_instrumented", + "@fuel_correspondence_FStar.List.Tot.Base.length.fuel_instrumented", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_FStar.Seq.Base.op_At_Bar", + 
"equation_Hacspec_sha3.Keccak_f.v_RHO_OFFSETS", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u32", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.u32", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "l_quant_interp_b2752ceb37bb61dbf3d6d8fddf081dae", + "lemma_FStar.Seq.Base.lemma_create_len", + "lemma_FStar.Seq.Base.lemma_len_append", + "lemma_FStar.Seq.Base.lemma_seq_of_list_cons", + "lemma_FStar.Seq.Properties.lemma_seq_of_list_index", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + 
"refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_4aa966b05f915e7ec1e3d92a6793a1c3", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_b21f98b6ca50013c6e539e770c013c08", + "refinement_interpretation_Tm_refine_e23433c9e51173c1c32527f3f5113a53", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_FStar.Seq.Base.create", "typing_FStar.Seq.Base.index", + "typing_FStar.Seq.Base.length", "typing_FStar.Seq.Base.seq_of_list", + "typing_Hacspec_sha3.Keccak_f.v_RHO_OFFSETS", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.U32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "70ab0fc8326c4f82b5bca5f98675f7d7" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_round_constants_equal", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Hacspec_sha3.Keccak_f.v_ROUND_CONSTANTS", + "equation_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "equation_Prims.nat", "equation_Prims.squash", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + 
"equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "78739c528df004c33b4673f9f3d1cf2f" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_theta_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "Hacspec_sha3.Keccak_f_interpretation_Tm_arrow_6810ffd7fedc9f5daa2182e9ac575b71", + "Hacspec_sha3.Keccak_f_interpretation_Tm_arrow_e93c7251bbd23bac703ec14f914d1fa8", + 
"Hacspec_sha3_interpretation_Tm_arrow_bf71e124d232d47c997d72c21e536b9a", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Rust_primitives.Arrays_interpretation_Tm_arrow_0d263c675f2f6a422e85e8ffa504d5e2", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.rotl_spec", + "equation_EquivImplSpec.Keccakf.Generic.spec_c", + "equation_EquivImplSpec.Keccakf.Generic.spec_d", + "equation_EquivImplSpec.Keccakf.Generic.spec_state", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Hacspec_sha3.Keccak_f.rho", + "equation_Hacspec_sha3.Keccak_f.theta", + "equation_Hacspec_sha3.Keccak_f.v_RHO_OFFSETS", + "equation_Hacspec_sha3.createi", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sub", + "equation_Rust_primitives.Integers.u32", + "equation_Rust_primitives.Integers.u64", + 
"equation_Rust_primitives.Integers.u64_inttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "function_token_typing_Prims.__cache_version_number__", + "function_token_typing_Rust_primitives.Integers.u32", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", "int_typing", + "interpretation_Tm_abs_156664720616b16cda2f8a5582c3f458", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_6ec269a97cc9e7124e00f9ceda15e72d", + "interpretation_Tm_abs_85d07545268a45d0cc606e35f7a0380e", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_b8b8ba41abfe34636285d67ee049435d", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "kinding_Tm_arrow_d28fde83d99b9fd411f0baa86bc882a5", + "lemma_Hacspec_sha3.createi_lemma", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + 
"refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_34fdf9130d622ae6fab26403fbb8e0fc", + "refinement_interpretation_Tm_refine_414b3103e63acaca337a620ee42bb932", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_847938addde8752e345bfeed3da70aa7", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c525f4bc3aa418afe0bd65cc4d0f6cd8", + "refinement_interpretation_Tm_refine_eea4a7aaf0d9fd792b6bd561042bfd5e", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Hacspec_sha3.Keccak_f.v_RHO_OFFSETS", + "typing_Hacspec_sha3.createi", + "typing_Rust_primitives.Arrays.createi", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.__proj__MkInt__item___0", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.mod", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Tm_abs_156664720616b16cda2f8a5582c3f458", + "typing_Tm_abs_6ec269a97cc9e7124e00f9ceda15e72d", + "typing_Tm_abs_85d07545268a45d0cc606e35f7a0380e", + "typing_Tm_abs_b8b8ba41abfe34636285d67ee049435d", + "typing_tok_Rust_primitives.Integers.U32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "af877bdfa1cc0a48809f158348528b41" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_pi_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", 
"@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "EquivImplSpec.Keccakf.Generic_interpretation_Tm_arrow_8b678892006cf2d6c10ea41e3d2d679c", + "Hacspec_sha3.Keccak_f_interpretation_Tm_arrow_6810ffd7fedc9f5daa2182e9ac575b71", + "Hacspec_sha3_interpretation_Tm_arrow_bf71e124d232d47c997d72c21e536b9a", + "Rust_primitives.Arrays_interpretation_Tm_arrow_0d263c675f2f6a422e85e8ffa504d5e2", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Hacspec_sha3.Keccak_f.get", + "equation_Hacspec_sha3.Keccak_f.pi", "equation_Prims.nat", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.div", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + 
"interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_9f09d8eb6e5725335910d11b1c54f02a", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f6fde5dab8824093f0d8b9a9473d0bd9", + "kinding_Tm_arrow_d28fde83d99b9fd411f0baa86bc882a5", + "lemma_Hacspec_sha3.createi_lemma", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Division", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_34fdf9130d622ae6fab26403fbb8e0fc", + "refinement_interpretation_Tm_refine_414b3103e63acaca337a620ee42bb932", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_a8076bead62d5007a50ce0971afcd85d", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c525f4bc3aa418afe0bd65cc4d0f6cd8", + "refinement_interpretation_Tm_refine_eea4a7aaf0d9fd792b6bd561042bfd5e", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + 
"typing_Rust_primitives.Arrays.createi", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + "typing_Rust_primitives.Integers.mod", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Tm_abs_9f09d8eb6e5725335910d11b1c54f02a", + "typing_Tm_abs_f6fde5dab8824093f0d8b9a9473d0bd9", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "785f8d1d688c0c12a49d8a0e89dd3dde" + ], + [ + "EquivImplSpec.Keccakf.Generic.d_matches_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", 
"primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "d94412e80b77d72b4dd57c7d22a954d8" + ], + [ + "EquivImplSpec.Keccakf.Generic.d_matches_spec", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + 
"typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "311ace333b246953b6c36e15b8c650b5" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_14fb90547f351ab07ca712b900f4aa9c", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_1cea0b54efde622bbe567dae4f0b833f", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_277be3292b03d320a19b8fc80d9e10d9", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "Prims_pretyping_ae567c2fb75be05905677af440075565", "b2t_def", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Prims.Cons", "data_typing_intro_Prims.Cons@tok", + "data_typing_intro_Prims.Nil@tok", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.d_matches_spec", + "equation_EquivImplSpec.Keccakf.Generic.spec_c", + "equation_EquivImplSpec.Keccakf.Generic.spec_d", + "equation_FStar.Seq.Base.op_At_Bar", + "equation_Hacspec_sha3.Keccak_f.get", + "equation_Libcrux_sha3.Generic_keccak.impl_2__theta", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "equation_Libcrux_sha3.Traits.f_xor5", + "equation_Libcrux_sha3.Traits.get_ij", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + 
"equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sub", + "equation_Rust_primitives.Integers.u64_inttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "interpretation_Tm_abs_102f42c4ed9c78eb18badb9265620e17", + "interpretation_Tm_abs_44d78164ecd3ae1d873768fc71c8c2e4", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_FStar.Seq.Base.lemma_create_len", + "lemma_FStar.Seq.Base.lemma_len_append", + "lemma_FStar.Seq.Base.lemma_seq_of_list_cons", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + 
"primitive_Prims.op_Modulus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_post", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_1e174b8c76a3e29ed16766cf8486aae6", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_b21f98b6ca50013c6e539e770c013c08", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_c525f4bc3aa418afe0bd65cc4d0f6cd8", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + 
"token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor5_pre", + "token_correspondence_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "token_correspondence_Libcrux_sha3.Traits.f_xor5", + "typing_FStar.Seq.Base.create", "typing_FStar.Seq.Base.index", + "typing_FStar.Seq.Base.length", "typing_FStar.Seq.Base.op_At_Bar", + "typing_FStar.Seq.Base.seq_of_list", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.mod", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "c26b728f228a1ce05eb53553ad099d56" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_0_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Rust_primitives_interpretation_Tm_arrow_814388202aec1fb7483132389195bf0b", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.rotl_spec", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.cast_mod", + "equation_Rust_primitives.Integers.gt", + 
"equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.modulus", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.op_At_Percent_Dot", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u32", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.u64_inttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.cast", + "equation_Rust_primitives.cast_tc_integers", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4e41eaf5703de6128b17c2c81e94b989", + "interpretation_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", 
"primitive_Prims.op_Modulus", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Mkcast_tc_@cast", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_e477cd5567f25e8e57e00f0185fa1ab0", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Rust_primitives.cast", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__rho_0_", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.mul", + "typing_Rust_primitives.Integers.op_At_Percent_Dot", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "c62aefb57ad4e3e9b7aef9b23eec6fea" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_0_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", 
"@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "b485f205c81bea99af0d6fb92af9ea9b" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_1_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Rust_primitives_interpretation_Tm_arrow_814388202aec1fb7483132389195bf0b", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.rotl_spec", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + 
"equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.cast_mod", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.modulus", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.op_At_Percent_Dot", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sub", + "equation_Rust_primitives.Integers.u32", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.u64_inttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.cast", + "equation_Rust_primitives.cast_tc_integers", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4e41eaf5703de6128b17c2c81e94b989", + "interpretation_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + 
"primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Modulus", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Mkcast_tc_@cast", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_e477cd5567f25e8e57e00f0185fa1ab0", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Rust_primitives.cast", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__rho_1_", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_i32", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.mul", + "typing_Rust_primitives.Integers.op_At_Percent_Dot", + 
"typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "c3895a53c0ceab05a4a9f26e64a0fbf1" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_1_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "6a9f5938e3082c0ea0fda671241e6226" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_2_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Rust_primitives_interpretation_Tm_arrow_814388202aec1fb7483132389195bf0b", + "b2t_def", "bool_inversion", "bool_typing", + 
"constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.rotl_spec", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Prims.pos", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.cast_mod", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.modulus", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.op_At_Percent_Dot", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sub", + "equation_Rust_primitives.Integers.u32", + 
"equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.u64_inttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "equation_Rust_primitives.cast", + "equation_Rust_primitives.cast_tc_integers", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_4e41eaf5703de6128b17c2c81e94b989", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Modulus", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + 
"projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Mkcast_tc_@cast", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "refinement_interpretation_Tm_refine_e477cd5567f25e8e57e00f0185fa1ab0", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Rust_primitives.cast", + "typing_FStar.Seq.Base.upd", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__rho_2_", + "typing_Libcrux_sha3.Traits.set_ij", "typing_Prims.pow2", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + 
"typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_i32", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.mul", + "typing_Rust_primitives.Integers.op_At_Percent_Dot", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "cebf1bd9d5a496cfaf9ceab686ed8821" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_2_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "a03dfe28a2926698775c637dad30092c" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_3_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + 
"Prims_pretyping_ae567c2fb75be05905677af440075565", + "Rust_primitives_interpretation_Tm_arrow_814388202aec1fb7483132389195bf0b", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.rotl_spec", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Prims.pos", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.cast_mod", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.modulus", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.op_At_Percent_Dot", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sub", + "equation_Rust_primitives.Integers.u32", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.u64_inttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + 
"equation_Rust_primitives.cast", + "equation_Rust_primitives.cast_tc_integers", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4e41eaf5703de6128b17c2c81e94b989", + "interpretation_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Modulus", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Mkcast_tc_@cast", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + 
"refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_e477cd5567f25e8e57e00f0185fa1ab0", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Rust_primitives.cast", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__rho_3_", + "typing_Prims.pow2", "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_i32", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.mul", + "typing_Rust_primitives.Integers.op_At_Percent_Dot", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "17aad30973255816e0fcfba9567215e4" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_3_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + 
"projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "51986ab0ad5cbbfe0d95625f30b5087d" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_4_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Rust_primitives_interpretation_Tm_arrow_814388202aec1fb7483132389195bf0b", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.rotl_spec", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.get_ij", "equation_Prims.nat", + "equation_Prims.pos", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.cast_mod", + "equation_Rust_primitives.Integers.gt", + "equation_Rust_primitives.Integers.i32", 
+ "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.modulus", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.op_At_Percent_Dot", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sub", + "equation_Rust_primitives.Integers.u32", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.u64_inttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "equation_Rust_primitives.cast", + "equation_Rust_primitives.cast_tc_integers", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_4e41eaf5703de6128b17c2c81e94b989", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", 
"primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Modulus", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Mkcast_tc_@cast", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d302493db5f45f7ff6b231a718224dc4", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Rust_primitives.cast", + 
"typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__rho_4_", + "typing_Libcrux_sha3.Traits.set_ij", "typing_Prims.pow2", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lt", + "typing_Rust_primitives.Integers.mk_i32", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.op_At_Percent_Dot", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U32@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "d809c2e6fed18c73f477a1c9d587bf20" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_4_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + 
"typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "834009b5c5747638ce49e9e75ccb9d0a" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_thru_1_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + 
"projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "c9e2f9f156f3d2834a79f615e934dff7" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_thru_1_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "39b8934c4d6f3e5c19cb463be3c71d3a" + ], + [ + 
"EquivImplSpec.Keccakf.Generic.lemma_rho_thru_2_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + 
"projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "58aac9ed017d9a5d3c8af0b7f7f69cf6" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_thru_2_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "5290c756cbdda59c43bc305dfad36460" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_thru_3_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", 
"@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + 
"refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "6343548e8e36fe05adf44cbead931da4" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_thru_3_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "06e693457f2e33cd37ec69704eb455d0" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_thru_4_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U32", + 
"constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + 
"refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "9b2f033e5d35d1eb77425dee7fde93f1" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rho_thru_4_extract_lane", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "87b551ee6a38b7fcd857c203c6839ef2" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_row_0_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + 
"equation_EquivImplSpec.Keccakf.Generic.d_matches_spec", + "equation_EquivImplSpec.Keccakf.Generic.rotl_spec", + "equation_EquivImplSpec.Keccakf.Generic.spec_state", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", 
+ "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "d889f72f36c79676b1ccc2e1c52fe70a" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_row_1_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.d_matches_spec", + "equation_EquivImplSpec.Keccakf.Generic.spec_state", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + 
"lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "d38c54fbcb1c43baa788e53198b9b04e" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_row_2_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.d_matches_spec", + "equation_EquivImplSpec.Keccakf.Generic.spec_state", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + 
"equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "bf374506400ba74887d53d5949f80578" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_row_3_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", 
"@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.d_matches_spec", + "equation_EquivImplSpec.Keccakf.Generic.spec_state", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + 
"refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "a0edfa827ed11a4f419a281a3377809f" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_row_4_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.d_matches_spec", + "equation_EquivImplSpec.Keccakf.Generic.spec_state", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_Rust_primitives.Integers.pow2_values", + 
"primitive_Prims.op_AmpAmp", "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "2c4ef8722267f6606dd215354c781b4b" + ], + [ + "EquivImplSpec.Keccakf.Generic.forall25", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "equation_Prims.nat", + "int_inversion", "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_693213d29dc5b9d0a76e3af0564654aa" + ], + 0, + "4cd0a1b1c7e374ad7e7eb71cf725f6a0" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + 
"equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "c15adb59b8e1c2277c67bbac71ded112" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + 
"projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "fd4ff9b0717ef4bb5aa06efa2603185e" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 3, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThanOrEqual", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + 
"projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "3a9a153349f1b5d02f6ae5ceb16809bc" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 4, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThanOrEqual", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + 
"projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "530a53ea3fe532f3760bc31563dd00d5" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 5, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Prims.pos", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + 
"primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Prims.pow2", "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "39fc92921a41c59b10e73cab9cd0fbaf" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 6, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Prims.pos", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + 
"equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Prims.pow2", "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "1bfa0986b86eeb67c4d03a102f176bf5" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 7, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + 
"constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Prims.pos", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Minus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Prims.pow2", "typing_Rust_primitives.Integers.bits", 
+ "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "f05d9ba7b6620205d9ff43558328e340" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 8, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_14fb90547f351ab07ca712b900f4aa9c", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_1cea0b54efde622bbe567dae4f0b833f", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_277be3292b03d320a19b8fc80d9e10d9", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_typing_intro_Prims.Cons@tok", + "data_typing_intro_Prims.Nil@tok", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_FStar.Seq.Base.op_At_Bar", + "equation_Libcrux_sha3.Generic_keccak.impl_2__theta", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "equation_Libcrux_sha3.Traits.f_xor5", + "equation_Libcrux_sha3.Traits.get_ij", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + 
"equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_102f42c4ed9c78eb18badb9265620e17", + "interpretation_Tm_abs_44d78164ecd3ae1d873768fc71c8c2e4", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "lemma_FStar.Seq.Base.lemma_create_len", + "lemma_FStar.Seq.Base.lemma_len_append", + "lemma_FStar.Seq.Base.lemma_seq_of_list_cons", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", "primitive_Prims.op_Minus", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + 
"refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_1e174b8c76a3e29ed16766cf8486aae6", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a1a033a77e01e991845686c530b2eae9", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_b21f98b6ca50013c6e539e770c013c08", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "token_correspondence_Libcrux_sha3.Traits.f_xor5", + "typing_FStar.Seq.Base.create", "typing_FStar.Seq.Base.index", + "typing_FStar.Seq.Base.length", "typing_FStar.Seq.Base.op_At_Bar", + "typing_FStar.Seq.Base.seq_of_list", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "a6b800060e9ae40f7a395d7cdffa24b0" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 9, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", 
"@query", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_14fb90547f351ab07ca712b900f4aa9c", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_1cea0b54efde622bbe567dae4f0b833f", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_277be3292b03d320a19b8fc80d9e10d9", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_7c0c18ef2fc7daeb81e1f50870cc56bb", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_typing_intro_Prims.Cons@tok", + "data_typing_intro_Prims.Nil@tok", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_FStar.Seq.Base.op_At_Bar", + "equation_Libcrux_sha3.Generic_keccak.impl_2__theta", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "equation_Libcrux_sha3.Traits.f_xor5", + "equation_Libcrux_sha3.Traits.get_ij", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + 
"fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_102f42c4ed9c78eb18badb9265620e17", + "interpretation_Tm_abs_44d78164ecd3ae1d873768fc71c8c2e4", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "lemma_FStar.Seq.Base.lemma_create_len", + "lemma_FStar.Seq.Base.lemma_len_append", + "lemma_FStar.Seq.Base.lemma_seq_of_list_cons", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", "primitive_Prims.op_Minus", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_1e174b8c76a3e29ed16766cf8486aae6", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a1a033a77e01e991845686c530b2eae9", + 
"refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_b21f98b6ca50013c6e539e770c013c08", + "refinement_interpretation_Tm_refine_c16bc1b61f58b349bf6fc1c94dcaf83b", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "token_correspondence_Libcrux_sha3.Traits.f_xor5", + "typing_FStar.Seq.Base.create", "typing_FStar.Seq.Base.index", + "typing_FStar.Seq.Base.length", "typing_FStar.Seq.Base.op_At_Bar", + "typing_FStar.Seq.Base.seq_of_list", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Traits.get_ij", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "c0992c3d6247e4985491dbe7197265b4" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 10, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.v", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + 
"refinement_interpretation_Tm_refine_693213d29dc5b9d0a76e3af0564654aa" + ], + 0, + "3f9951222867808c83f8ac4177c50c99" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 11, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Hacspec_sha3.Keccak_f.rho", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.v", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_693213d29dc5b9d0a76e3af0564654aa", + "refinement_interpretation_Tm_refine_a64a7fce82dc45c81fc737f421cf5c8c" + ], + 0, + "a67266de43d6cef048d79b98dff3176f" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 12, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + 
"projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "2cf8ed95d303fc5250f3b88a96095ffd" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 13, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "f04fd7206b9073b31a846d7ecbe0527e" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 14, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + 
"equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "92d512f532c6bb7f11ee3886bc52e753" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 15, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + 
"interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "0f594a8e1b580944ac39433f897791dc" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 16, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + 
"refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "5cd09fee2cfc5b537b898580e2b810ae" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 17, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "1f19f76ed73414521254318a3bdaeab0" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 18, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + 
"equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "primitive_Prims.op_Addition", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "bfc875422228796f98e3cf1a2cd42264" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 19, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "int_inversion", "int_typing", + 
"interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "primitive_Prims.op_Addition", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "1d526f5727ef2cb001b1fe5ec18f9bac" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 20, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "primitive_Prims.op_Addition", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + 
"projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "4667820824375d3d1ba69220798b09b1" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 21, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "672cb223e13075682d1813293c9920a9" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 22, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + 
"equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "577446a8d1d3e8919f578eda46776aaf" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 23, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + 
"interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "6b79bd12471381c5d8538440435edfe3" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 24, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + 
"refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "621fa411ac2550e639fc3d1be4d826a4" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 25, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "4336159e86b691c25780938fa2144e98" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 26, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + 
"equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "542e447d5510aab550f13984dad4bfac" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 27, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + 
"projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "5b607af5ba7ac0ca7b62fbf80b1555e8" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 28, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "1d6e4e7427604fa68c85034c2032bcf7" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 29, + 0, 
+ 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "494ac41a8c1eebb3def87036c1566ebc" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 30, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + 
"equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "b3d86e2f26338860627ec2b209b6f067" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 31, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + 
"refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "9f860a71e9c3f77040e8fbe37b00eb57" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 32, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "bae32255b29e14f96bf003958703cccb" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 33, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + 
"equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "e621913855586b80d280f526cf746c14" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 34, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + 
"l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "ee77d9391a864947850188ac612f29c5" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 35, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "e9d849ac9e004aed0a56270da09ab7c7" + ], + [ 
+ "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 36, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "eq2-interp", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.l_and", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "l_and-interp", "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "token_correspondence_Core_models.Ops.Index.f_index" + ], + 0, + "5fcb46b47115e95249f4979d07907073" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 37, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_2dfaa9f45f031c6810edf9095971c369" + ], + 0, + "7b9b933a24a822b83561919355e363cf" + ], + [ + 
"EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 38, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Hacspec_sha3.Keccak_f.rho", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.v", "int_inversion", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_228f2245e58a1f44abcabae7ed06b22d", + "refinement_interpretation_Tm_refine_2c4aefcb29d5ed16684cd846a7d8d6c2", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_693213d29dc5b9d0a76e3af0564654aa", + "refinement_interpretation_Tm_refine_a64a7fce82dc45c81fc737f421cf5c8c" + ], + 0, + "54e56ee877df753ece917d0707f47954" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_theta_rho_to_spec", + 39, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "equation_Hacspec_sha3.Keccak_f.rho", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.u64", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "function_token_typing_Rust_primitives.Integers.u64", + "lemma_FStar.Seq.Base.lemma_eq_elim", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "refinement_interpretation_Tm_refine_10fbac36d706d326d53cacaa10313c48", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_a1a033a77e01e991845686c530b2eae9", + 
"refinement_interpretation_Tm_refine_a4b527bdd559a3f83a3bad9fb6d00751", + "refinement_interpretation_Tm_refine_e4f44e7fb32c6202ac39cc6db167552b", + "typing_EquivImplSpec.Keccakf.Generic.extract_lane", + "typing_Hacspec_sha3.Keccak_f.rho", + "typing_Hacspec_sha3.Keccak_f.theta", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "unit_inversion" + ], + 0, + "f6faac10a2d7edf7bbfd00178f735001" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_pi_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + 
"interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__pi", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + 
"typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "f82ddc62c8c49153a0f5fdeef50c758f" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_pi_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "lemma_FStar.Seq.Base.lemma_eq_elim", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + 
"projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_174e5680d00601f3ad494140d84a75ce", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_693213d29dc5b9d0a76e3af0564654aa", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "acc35d435c6cb066d7fc8f9a71b51ab7" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_chi_extract_lane_aux", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.ChiFold.chi_inner_val", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.get_ij", "equation_Prims.nat", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.div", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", 
+ "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Division", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Multiply", + "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + 
"refinement_interpretation_Tm_refine_0e751014a8aa91cb1a772d8df912d737", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_800dc0cd384e50b6ac0557d8f188c156", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "bb4dcfabc802db67d9929937c58b75c8" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_chi_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Hacspec_sha3.Keccak_f_interpretation_Tm_arrow_6810ffd7fedc9f5daa2182e9ac575b71", + "Hacspec_sha3_interpretation_Tm_arrow_bf71e124d232d47c997d72c21e536b9a", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Hacspec_sha3.Keccak_f.chi", + "equation_Hacspec_sha3.Keccak_f.get", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.div", + "equation_Rust_primitives.Integers.lt", + 
"equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mod", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.negation_for_integers", + "equation_Rust_primitives.Notations.op_String_Access", + "equation_Rust_primitives.Notations.op_Tilde_Dot", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_6e12770ddd2256a6e162b3b613591f54", + "interpretation_Tm_abs_752dd2e4b28f1464750932b68bf87596", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_b1b7a62c391e567ba1ec3dc64493aa56", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "kinding_Tm_arrow_d28fde83d99b9fd411f0baa86bc882a5", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_FStar.Seq.Base.lemma_eq_elim", + "lemma_Hacspec_sha3.createi_lemma", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Division", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Multiply", + 
"primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Notations.Mknegation_tc_@op_Tilde_Dot", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_693213d29dc5b9d0a76e3af0564654aa", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_af1c43dec8a2008759d8078127a77533", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c525f4bc3aa418afe0bd65cc4d0f6cd8", + "refinement_interpretation_Tm_refine_d1e26932e2fa9f80a8076afa47e90e80", + "refinement_interpretation_Tm_refine_eea4a7aaf0d9fd792b6bd561042bfd5e", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Rust_primitives.Notations.op_Tilde_Dot", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__chi", + "typing_Rust_primitives.Integers.__proj__MkInt__item___0", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.div", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mod", + 
"typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Tm_abs_6e12770ddd2256a6e162b3b613591f54", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "b645fd362456a7de54820ef3c69f349a" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_iota_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Core_models.Ops.Function_interpretation_Tm_arrow_05fe4ff7055e98bccfe80fa62bb6aeaf", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Core_models.Ops.Index.Mkt_Index", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Generic.spec_state", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Hacspec_sha3.Keccak_f.iota", + "equation_Hacspec_sha3.Keccak_f.v_ROUND_CONSTANTS", + "equation_Prims.nat", "equation_Prims.squash", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + 
"fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.u64", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + 
"typing_FStar.Seq.Base.index", "typing_FStar.Seq.Base.length", + "typing_Hacspec_sha3.Keccak_f.v_ROUND_CONSTANTS", + "typing_Rust_primitives.Arrays.t_Array", + "typing_Rust_primitives.Hax.impl__index", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.logxor", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "c1b8a91eae380206f2758ab4c297716f" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_iota_extract_lane", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "FStar.Seq.Base_pretyping_aec2ec0359b5151fd30ba679a2daadcd", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_889bd4c2b545afe726a9ef75bb2c4aad", + "Libcrux_sha3.Traits_interpretation_Tm_arrow_fc7e65ad6336f7f6cba4ba6c5c93e81b", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "data_typing_intro_FStar.Pervasives.Native.Mktuple2@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_Core_models.Slice.impl__len", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "equation_Libcrux_sha3.Generic_keccak.impl_2__iota", + "equation_Libcrux_sha3.Generic_keccak.impl_2__set", + "equation_Libcrux_sha3.Generic_keccak.impl_3", + "equation_Libcrux_sha3.Traits.f_xor_constant", + 
"equation_Libcrux_sha3.Traits.get_ij", + "equation_Libcrux_sha3.Traits.set_ij", "equation_Prims.nat", + "equation_Prims.squash", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "equation_Rust_primitives.Slice.slice_length", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.u64", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4a07bec5c4cbf1be55632b9c0b1c19dd", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_70955cb4f9afccd4a1c9959c38bb2c40", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "interpretation_Tm_abs_f60c537567243dee9f91819830879155", + "kinding_FStar.Pervasives.Native.tuple2@tok", + 
"kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_EquivImplSpec.Keccakf.Generic.lemma_extract_lane_index", + "lemma_FStar.Seq.Base.lemma_index_upd1", + "lemma_FStar.Seq.Base.lemma_index_upd2", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_Core_models.Ops.Index.Mkt_Index_@f_Output", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_2", + "proj_equation_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_Output", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Libcrux_sha3.Generic_keccak.Mkt_KeccakState_@f_st", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_160fe7faad9a466b3cae8455bac5be60", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_6cba8b694d7fbf759331b42d86bb8cbd", + "refinement_interpretation_Tm_refine_77939974e8de44bb9a3ae869c6571119", + "refinement_interpretation_Tm_refine_93f6c203d9fe816a13fdcc20465525c3", + 
"refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_e16a4ff0a31703789cc1c1125fc4da02", + "refinement_interpretation_Tm_refine_e263604a64d343fa5112de970172906b", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor_constant", + "typing_FStar.Seq.Base.index", "typing_FStar.Seq.Base.length", + "typing_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Libcrux_sha3.Generic_keccak.impl_2__iota", + "typing_Libcrux_sha3.Generic_keccak.impl_3", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_Rust_primitives.Notations.op_String_Access", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "6e2073bb09e46ee5ffbb0c0e491728fb" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_iota_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Generic_keccak.Mkt_KeccakState", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Slice.impl__len", + "equation_EquivImplSpec.Keccakf.Generic.spec_state", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Hacspec_sha3.Keccak_f.iota", + "equation_Hacspec_sha3.Keccak_f.v_ROUND_CONSTANTS", + 
"equation_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "equation_Prims.nat", "equation_Prims.squash", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.Monomorphized_update_at.update_at_usize", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "equation_Rust_primitives.Slice.slice_length", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + "interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "lemma_FStar.Seq.Base.lemma_eq_elim", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + 
"refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_bab4a06717c4d9e6359190593b450e33", + "refinement_interpretation_Tm_refine_f21ae58475c7fc74d7e8a7c2eff3f408", + "token_correspondence_Core_models.Ops.Index.f_index", + "typing_Hacspec_sha3.Keccak_f.iota", + "typing_Hacspec_sha3.Keccak_f.v_ROUND_CONSTANTS", + "typing_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "352b40b5719011c2dbda6f425fa15e49" + ], + [ + "EquivImplSpec.Keccakf.Generic.impl_one_round", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Slice.impl__len", + "equation_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.mul", + "equation_Rust_primitives.Integers.range", + 
"equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Slice.slice_length", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Multiply", "primitive_Prims.op_Subtraction", + "proj_equation_FStar.Pervasives.Native.Mktuple2_@_1", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "1e7c6e82da4f55a8da6a4d7781978b14" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_one_round_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Generic.impl_one_round", + "equation_EquivImplSpec.Keccakf.Generic.spec_one_round", + 
"equation_EquivImplSpec.Keccakf.SpecRounds.spec_one_round", + "equation_Libcrux_sha3.Generic_keccak.impl_2__theta", + "equation_Prims.nat", "equation_Prims.squash", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_1", + "projection_inverse_FStar.Pervasives.Native.Mktuple2_@_2", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "10f16e6f4aa25a462b3675654266cdd6" + ], + [ + "EquivImplSpec.Keccakf.Generic.impl_rounds", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + 
"@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "assumption_Rust_primitives.Integers.int_t__uu___haseq", + "binder_x_2322db7733008fc85924dc96454224b2_3", + "binder_x_3a77ceb7bb6324c0d5c09dbbede3a3d5_0", + "binder_x_3a77ceb7bb6324c0d5c09dbbede3a3d5_4", "bool_inversion", + "bool_typing", "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@t", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + 
"refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok", + "well-founded-ordering-on-nat" + ], + 0, + "ff6c012a5801998d1838d32ff8661d00" + ], + [ + "EquivImplSpec.Keccakf.Generic.impl_rounds", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "16cf74799e1486ff3ec507baba3f0c1e" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rounds_to_spec", + 1, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "@fuel_correspondence_EquivImplSpec.Keccakf.SpecRounds.spec_rounds.fuel_instrumented", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + 
"@fuel_irrelevance_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "@fuel_irrelevance_EquivImplSpec.Keccakf.SpecRounds.spec_rounds.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "assumption_Rust_primitives.Integers.int_t__uu___haseq", "b2t_def", + "binder_x_2322db7733008fc85924dc96454224b2_4", + "binder_x_3a77ceb7bb6324c0d5c09dbbede3a3d5_0", + "binder_x_3a77ceb7bb6324c0d5c09dbbede3a3d5_5", + "binder_x_412427b8b6279710726689993a61a871_6", + "binder_x_56b3264e5151669f75e696a4afcd2612_2", + "binder_x_7cef08a7df552ba75e3143afe1d601ef_3", + "binder_x_f9b4393cc603a1faf096d292b75c2298_1", "bool_inversion", + "bool_typing", "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Generic.spec_one_round", + "equation_EquivImplSpec.Keccakf.Generic.spec_rounds", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Prims.squash", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_with_fuel_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "equation_with_fuel_EquivImplSpec.Keccakf.SpecRounds.spec_rounds.fuel_instrumented", + "fuel_guarded_inversion_EquivImplSpec.Keccakf.Generic.lane_correctness", + 
"fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_5c5f398b3cff4e48d04453efca41e27d", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_EquivImplSpec.Keccakf.Generic.extract_lane", + "typing_Libcrux_sha3.Generic_keccak.__proj__Mkt_KeccakState__item__f_st", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lte", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok", + "well-founded-ordering-on-nat" + ], + 0, + "51e389c81407f1e21f8f6cb7f10738cc" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_rounds_to_spec", + 2, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", + "constructor_distinct_Rust_primitives.Integers.USIZE", + 
"equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Prims.squash", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "57a1d4d70fe49399c67fc38e9e8f5932" + ], + [ + "EquivImplSpec.Keccakf.Generic.keccakf_body", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Slice.impl__len", + 
"equation_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Slice.slice_length", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a67f66693a5b871b79c600c9e08bd454", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "5978c97d4048368c923a228c7cbf9947" + ], + [ + "EquivImplSpec.Keccakf.Generic.keccakf_fold_local", + 1, + 0, + 1, + [ + 
"@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_556c7276aa861b118cdd5a165e9e4f0e", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "bb93904dad0c82abc4e66c4f8a9f6966" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_keccakf_fold_local_is_rounds", + 1, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + "@fuel_correspondence_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + 
"@fuel_irrelevance_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", + "@fuel_irrelevance_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@query", + "EquivImplSpec.Keccakf.Generic_interpretation_Tm_arrow_9ca835f93f9318018085b204d8feb75c", + "EquivImplSpec.Keccakf.Generic_interpretation_Tm_arrow_c5ab2f321f8bf4390db48c3500ddfa8c", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_8a1b3c71b8eb003c7bfb24d380080447", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_c8b6fefc6a1ff03b84fa2dbb43486b72", + "assumption_Rust_primitives.Integers.int_t__uu___haseq", "b2t_def", + "binder_x_2322db7733008fc85924dc96454224b2_3", + "binder_x_3a77ceb7bb6324c0d5c09dbbede3a3d5_0", + "binder_x_3a77ceb7bb6324c0d5c09dbbede3a3d5_4", + "binder_x_56b3264e5151669f75e696a4afcd2612_2", + "binder_x_f9b4393cc603a1faf096d292b75c2298_1", "bool_inversion", + "bool_typing", "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Generic.impl_one_round", + "equation_EquivImplSpec.Keccakf.Generic.keccakf_body", + "equation_EquivImplSpec.Keccakf.Generic.keccakf_fold_local", + "equation_Prims.logical", "equation_Prims.nat", + "equation_Prims.squash", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + 
"equation_with_fuel_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "equation_with_fuel_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "function_token_typing_Prims.l_True", "int_inversion", "int_typing", + "interpretation_Tm_abs_62b710721917bd40a1499d35a402dd44", + "interpretation_Tm_abs_70320acaa1e21c5e115fa8bb2ed5cb79", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_066b9eb21a98c28e978234780f41cd65", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_51996c5c6192f6c4d97f417a4cc27ac1", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a67f66693a5b871b79c600c9e08bd454", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d68a8e9a56d7d58a15fd1befad9cf1e1", + "true_interp", "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.lte", + "typing_Rust_primitives.Integers.size_bits", + "typing_Tm_abs_62b710721917bd40a1499d35a402dd44", + "typing_Tm_abs_70320acaa1e21c5e115fa8bb2ed5cb79", + "typing_tok_Rust_primitives.Integers.USIZE@tok", + 
"well-founded-ordering-on-nat" + ], + 0, + "a60f7d28a0ea59f8dee20c1db1d3321c" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_keccakf_fold_local_is_rounds", + 2, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Prims.squash", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "afb803c63da215a09cb6f753568cadd7" + ], + [ + "EquivImplSpec.Keccakf.Generic.keccakf_body_rnat", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + 
"data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_273b490477cddb83cde7469c3489c55a", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "4c5617b8780da2666011f4e115e3055e" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_keccakf_body_is_one_round", + 1, + 1, + 1, + [ + "@MaxIFuel_assumption", "@query", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Generic.impl_one_round", + "equation_EquivImplSpec.Keccakf.Generic.keccakf_body", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + 
"fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "primitive_Prims.op_LessThan", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_a67f66693a5b871b79c600c9e08bd454" + ], + 0, + "0db72c90aec73ed656d921d08c39cda5" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_fold_range_nat_is_impl_rounds", + 1, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + "@fuel_correspondence_Proof_Utils.NatFold.fold_range_nat.fuel_instrumented", + "@fuel_irrelevance_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", + "@fuel_irrelevance_Proof_Utils.NatFold.fold_range_nat.fuel_instrumented", + "@query", + "EquivImplSpec.Keccakf.Generic_interpretation_Tm_arrow_b5c5ddc74828dab3a9dee9844f990d11", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Proof_Utils.NatFold_interpretation_Tm_arrow_bd1da0d284b931debe9bf450dfa59152", + "binder_x_2322db7733008fc85924dc96454224b2_3", + "binder_x_3a77ceb7bb6324c0d5c09dbbede3a3d5_0", + "binder_x_56b3264e5151669f75e696a4afcd2612_2", + "binder_x_571b8816b3de24e46424ce5f4f267c8c_4", + "binder_x_f9b4393cc603a1faf096d292b75c2298_1", "bool_inversion", + "bool_typing", "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Generic.impl_one_round", + "equation_EquivImplSpec.Keccakf.Generic.keccakf_body_rnat", + "equation_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "equation_Prims.nat", 
"equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_with_fuel_EquivImplSpec.Keccakf.Generic.impl_rounds.fuel_instrumented", + "equation_with_fuel_Proof_Utils.NatFold.fold_range_nat.fuel_instrumented", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_EquivImplSpec.Keccakf.Generic.keccakf_body_rnat", + "function_token_typing_Prims.__cache_version_number__", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", "int_typing", + "kinding_Libcrux_sha3.Generic_keccak.t_KeccakState@tok", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_0b7ef3d2b52e6501383c5d016b734f58", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_273b490477cddb83cde7469c3489c55a", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + 
"refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_c7f248c50d182c40aac9022fc9a66edc", + "refinement_interpretation_Tm_refine_edccc421660c61e3591d98071500d795", + "typing_FStar.Seq.Base.length", + "typing_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok", + "well-founded-ordering-on-nat" + ], + 0, + "7608881e2a1e9526aaa25afb65ce1d69" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_fold_range_nat_is_impl_rounds", + 2, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + 
"projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_87965f281743ea7b491d42bf5229cba2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "1e617456a07aebb648927f4993c8bd62" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_keccakf1600_is_rounds", + 1, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Slice.impl__len", + "equation_EquivImplSpec.Keccakf.Generic.keccakf_body", + "equation_EquivImplSpec.Keccakf.Generic.keccakf_body_rnat", + "equation_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "equation_Libcrux_sha3.Generic_keccak.impl_2__keccakf1600", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sz", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + 
"equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Slice.slice_length", + "fuel_guarded_inversion_Libcrux_sha3.Generic_keccak.t_KeccakState", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.mk_int_v_lemma", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_de8fb64794f3d3be9a0d175b28ad5581", + "typing_Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "b5020a0bab82a411eba8dfc831d55388" + ], + [ + "EquivImplSpec.Keccakf.Generic.lemma_keccakf1600_to_spec", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Generic.spec_rounds", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + 
"equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Libcrux_sha3.Traits.t_KeccakItem", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3c519c8afa38c3c934a5bef97a712903", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "241a36d1d87e1231a3bdbc57a5b2a46e" + ] + ] +] \ No newline at end of file diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.Portable.fst.hints b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.Portable.fst.hints new file mode 100644 index 0000000000..919ba99555 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.Portable.fst.hints 
@@ -0,0 +1,603 @@ +[ + "b265e64410d1e999ea7c1da63218fe12", + [ + [ + "EquivImplSpec.Keccakf.Portable.portable_lc_zero", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Portable.portable_lane", + "equation_Libcrux_sha3.Simd.Portable.impl", + "equation_Libcrux_sha3.Traits.f_zero", "equation_Prims.nat", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u64", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", + "interpretation_Tm_abs_85b579f30be9821b93e614b37bcd9b8b", + "interpretation_Tm_abs_91f62806e5548bfaf2c0bb75e41930af", + "interpretation_Tm_abs_d161c6fc3cafc427cc82b1e8a25a2f1b", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_zero_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_zero", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_zero_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_9e7b7ec534a2a9a23ec52880cc32ece2", + 
"refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_zero_pre", + "token_correspondence_Libcrux_sha3.Traits.f_zero", "true_interp", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "57cafffc1f99e6ee3f8f0fb7386acb32" + ], + [ + "EquivImplSpec.Keccakf.Portable.portable_lc_xor5", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Portable.portable_lane", + "equation_Libcrux_sha3.Simd.Portable.e_veor5q_u64", + "equation_Libcrux_sha3.Simd.Portable.impl", + "equation_Libcrux_sha3.Traits.f_xor5", "equation_Prims.nat", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", + "interpretation_Tm_abs_102f42c4ed9c78eb18badb9265620e17", + "interpretation_Tm_abs_9945fdcf8af2a1de74e692573d914f45", + "interpretation_Tm_abs_9b6089fd31ec3610e7a39c8960b918e0", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + 
"projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor5_pre", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_9e7b7ec534a2a9a23ec52880cc32ece2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor5_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor5", "true_interp", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "abe6d44c6f4013a0610c3963c79e078f" + ], + [ + "EquivImplSpec.Keccakf.Portable.portable_lc_rotate_left1_and_xor", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", "bool_inversion", + "bool_typing", "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Portable.portable_lane", + "equation_Libcrux_sha3.Simd.Portable.e_vrax1q_u64", + "equation_Libcrux_sha3.Simd.Portable.impl", + "equation_Libcrux_sha3.Simd.Portable.rotate_left", + "equation_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "equation_Prims.nat", "equation_Prims.pos", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.cast_mod", + "equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + 
"equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.modulus", + "equation_Rust_primitives.Integers.op_At_Percent_Dot", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.sub", + "equation_Rust_primitives.Integers.u32", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.u64_inttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.cast", + "equation_Rust_primitives.cast_tc_integers", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", + "interpretation_Tm_abs_44d78164ecd3ae1d873768fc71c8c2e4", + "interpretation_Tm_abs_4e41eaf5703de6128b17c2c81e94b989", + "interpretation_Tm_abs_9b420abd7c3e11c07b133e6053abbd21", + "interpretation_Tm_abs_c67ffa662214ec54c707eb529398c6f5", + "interpretation_Tm_abs_e52af29d7e3dfdf63a074a1ffdcf5b27", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_rotate_left1_and_xor_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_rotate_left1_and_xor", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_rotate_left1_and_xor_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_Rust_primitives.Mkcast_tc_@cast", + 
"refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_9e7b7ec534a2a9a23ec52880cc32ece2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_rotate_left1_and_xor_pre", + "token_correspondence_Libcrux_sha3.Traits.f_rotate_left1_and_xor", + "token_correspondence_Rust_primitives.cast", "true_interp", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.modulus", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.U32@tok", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "70406c137d03daffcccd1b1acedc7d6f" + ], + [ + "EquivImplSpec.Keccakf.Portable.portable_lc_xor_and_rotate", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", "b2t_def", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.I32", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.I32@tok", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Portable.portable_lane", + "equation_Libcrux_sha3.Simd.Portable.e_vxarq_u64", + "equation_Libcrux_sha3.Simd.Portable.impl", + "equation_Libcrux_sha3.Simd.Portable.rotate_left", + "equation_Libcrux_sha3.Traits.f_xor_and_rotate", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.gt", + 
"equation_Rust_primitives.Integers.i32", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_i32", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "interpretation_Tm_abs_1eeff65ff9c3b4718cb125a4d4298f2a", + "interpretation_Tm_abs_1f81c164d14faa41c130347ecf560df5", + "interpretation_Tm_abs_7f3ceddca398b7c44e4939294b2a085f", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_Equality", + "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_LessThanOrEqual", "primitive_Prims.op_Minus", + "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_and_rotate_pre", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_9e7b7ec534a2a9a23ec52880cc32ece2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_e15422d7e08b3699e1d0be0bba6b3258", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_and_rotate_pre", + 
"token_correspondence_Libcrux_sha3.Traits.f_xor_and_rotate", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.I32@tok", + "typing_tok_Rust_primitives.Integers.U64@tok", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "71e9e35e1499826f7f5128980ec6ee3f" + ], + [ + "EquivImplSpec.Keccakf.Portable.portable_lc_and_not_xor", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Portable.portable_lane", + "equation_Libcrux_sha3.Simd.Portable.e_vbcaxq_u64", + "equation_Libcrux_sha3.Simd.Portable.impl", + "equation_Libcrux_sha3.Traits.f_and_not_xor", "equation_Prims.nat", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", + "interpretation_Tm_abs_0767e9d28e7b6dad8591a719aa2cdc30", + "interpretation_Tm_abs_39239c6131bcfc38a5c28503d85d9aa5", + "interpretation_Tm_abs_b3415a74df5b6badedff49d0e4c315f8", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_and_not_xor_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_and_not_xor", + 
"projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_and_not_xor_pre", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_9e7b7ec534a2a9a23ec52880cc32ece2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_and_not_xor_pre", + "token_correspondence_Libcrux_sha3.Traits.f_and_not_xor", + "true_interp", "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "e03dbc5db3bb1a6d3f00de654c60d43e" + ], + [ + "EquivImplSpec.Keccakf.Portable.portable_lc_xor_constant", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Portable.portable_lane", + "equation_Libcrux_sha3.Simd.Portable.e_veorq_n_u64", + "equation_Libcrux_sha3.Simd.Portable.impl", + "equation_Libcrux_sha3.Traits.f_xor_constant", "equation_Prims.nat", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", + "interpretation_Tm_abs_4a07bec5c4cbf1be55632b9c0b1c19dd", + "interpretation_Tm_abs_a2b6f0a9718ad3ef32c23aa67ec84873", + "interpretation_Tm_abs_e52af29d7e3dfdf63a074a1ffdcf5b27", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + 
"primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_constant_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_constant", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_constant_pre", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_9e7b7ec534a2a9a23ec52880cc32ece2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_constant_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor_constant", + "true_interp", "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "03fe442e89b255e17413e549cc42dbbf" + ], + [ + "EquivImplSpec.Keccakf.Portable.portable_lc_xor", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.U64", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.U64@tok", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.Portable.portable_lane", + "equation_Libcrux_sha3.Simd.Portable.impl", + "equation_Libcrux_sha3.Traits.f_xor", "equation_Prims.nat", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", + "interpretation_Tm_abs_497760c36a382f86b3f697d2044fa243", + 
"interpretation_Tm_abs_6c724cf449e8e345fb2b9fb8cc1b6524", + "interpretation_Tm_abs_e52af29d7e3dfdf63a074a1ffdcf5b27", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_pre", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor", + "projection_inverse_Libcrux_sha3.Traits.Mkt_KeccakItem_@f_xor_pre", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_9e7b7ec534a2a9a23ec52880cc32ece2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Libcrux_sha3.Traits.__proj__Mkt_KeccakItem__item__f_xor_pre", + "token_correspondence_Libcrux_sha3.Traits.f_xor", "true_interp", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "abf5d2633d33dfd8c9c62ed8e3ad8609" + ], + [ + "EquivImplSpec.Keccakf.Portable.lc_portable", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + 
"proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "2cf29ed110a261d22341fac7da4644fd" + ], + [ + "EquivImplSpec.Keccakf.Portable.lemma_extract_lane_portable_identity", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Core_models.Ops.Index.f_index", + "equation_Core_models.Ops.Index.f_index_pre", + "equation_EquivImplSpec.Keccakf.Portable.lc_portable", + "equation_EquivImplSpec.Keccakf.Portable.portable_lane", + "equation_Libcrux_sha3.Simd.Portable.impl", "equation_Prims.nat", + "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Hax.impl__index", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_Rust_primitives.Notations.op_String_Access", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", "int_typing", + "interpretation_Tm_abs_4ab552b3415220d2b607f7d57c958117", + 
"interpretation_Tm_abs_5868e62885022fbd12d9059af52f4674", + "interpretation_Tm_abs_9e51361188a25d28bb48d6a215e0ee9b", + "interpretation_Tm_abs_cae63eba7e18c3a3d84075d3995a179a", + "lemma_FStar.Seq.Base.lemma_eq_elim", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_EquivImplSpec.Keccakf.Generic.Mklane_correctness_@lane", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index", + "projection_inverse_Core_models.Ops.Index.Mkt_Index_@f_index_pre", + "projection_inverse_EquivImplSpec.Keccakf.Generic.Mklane_correctness_@lane", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_3af88438d0812e1d827db29465786d3a", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_693213d29dc5b9d0a76e3af0564654aa", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "token_correspondence_Core_models.Ops.Index.f_index", + "token_correspondence_Core_models.Ops.Index.f_index_pre", + "token_correspondence_EquivImplSpec.Keccakf.Generic.__proj__Mklane_correctness__item__lane", + "token_correspondence_EquivImplSpec.Keccakf.Portable.portable_lane", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "fd58024c13c1725449c0cc5b7906c908" + ], + [ + "EquivImplSpec.Keccakf.Portable.lemma_extract_lane_portable_identity", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + 
"@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "2fa1147c7065b7bb3964e48954f679ea" + ], + [ + "EquivImplSpec.Keccakf.Portable.lemma_keccakf1600_portable", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Libcrux_sha3.Traits.Mkt_KeccakItem", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Libcrux_sha3.Simd.Portable.impl", "equation_Prims.nat", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + 
"equation_Rust_primitives.Integers.v", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Libcrux_sha3.Simd.Portable.impl", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "89fcde65698a225bfabe0cc5f9bc6c55" + ], + [ + "EquivImplSpec.Keccakf.Portable.lemma_keccakf1600_portable", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + 
"8da2c4cf4f3bb603b5192e2daa9d56f1" + ] + ] +] \ No newline at end of file diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.SpecRounds.fst.hints b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.SpecRounds.fst.hints new file mode 100644 index 0000000000..b131829395 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/EquivImplSpec.Keccakf.SpecRounds.fst.hints 
@@ -0,0 +1,249 @@ +[ + "afc9855a38c759d630ff8d17d99a7c4c", + [ + [ + "EquivImplSpec.Keccakf.SpecRounds.spec_state", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "ce4923e4039227e2a37c9774b71f6bbf" + ], + [ + "EquivImplSpec.Keccakf.SpecRounds.spec_one_round", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + 
"projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "a57f7bfa4f2d05b475bada4f0e7a6959" + ], + [ + "EquivImplSpec.Keccakf.SpecRounds.spec_rounds", + 1, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "assumption_Rust_primitives.Integers.int_t__uu___haseq", + "binder_x_3a77ceb7bb6324c0d5c09dbbede3a3d5_1", + "binder_x_6173fc66c0db2954367d8319920acab1_0", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + 
"projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok", + "well-founded-ordering-on-nat" + ], + 0, + "39eac20f15176d5f09eebdb7e2164dc9" + ], + [ + "EquivImplSpec.Keccakf.SpecRounds.spec_rounds", + 2, + 0, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.size_bits", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "d203dc7fe693e0e6798b9ff52b01fce4" + ], + [ + "EquivImplSpec.Keccakf.SpecRounds.lemma_keccak_f_is_rounds", + 1, + 30, + 2, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_EquivImplSpec.Keccakf.SpecRounds.spec_rounds.fuel_instrumented", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + 
"@fuel_correspondence_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", "@query", + "Hacspec_sha3.Keccak_f_interpretation_Tm_arrow_6810ffd7fedc9f5daa2182e9ac575b71", + "Hacspec_sha3.Keccak_f_interpretation_Tm_arrow_7a864fbdb6dd4bcf55036cd2914f3e4c", + "Hacspec_sha3.Keccak_f_interpretation_Tm_arrow_d98c07d1b05717a33aa6ea3355704a07", + "Hacspec_sha3_interpretation_Tm_arrow_bf71e124d232d47c997d72c21e536b9a", + "Rust_primitives.Arrays_interpretation_Tm_arrow_0d263c675f2f6a422e85e8ffa504d5e2", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_8a1b3c71b8eb003c7bfb24d380080447", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_c8b6fefc6a1ff03b84fa2dbb43486b72", + "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_one_round", + "equation_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "equation_Hacspec_sha3.Keccak_f.chi", + "equation_Hacspec_sha3.Keccak_f.iota", + "equation_Hacspec_sha3.Keccak_f.keccak_f", + "equation_Hacspec_sha3.Keccak_f.pi", + "equation_Hacspec_sha3.Keccak_f.rho", + "equation_Hacspec_sha3.Keccak_f.theta", + "equation_Hacspec_sha3.createi", "equation_Prims.logical", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Array", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.lt", + "equation_Rust_primitives.Integers.lte", + "equation_Rust_primitives.Integers.max_usize", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.u64", + "equation_Rust_primitives.Integers.unsigned", + 
"equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_with_fuel_EquivImplSpec.Keccakf.SpecRounds.spec_rounds.fuel_instrumented", + "equation_with_fuel_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_EquivImplSpec.Keccakf.SpecRounds.spec_state", + "function_token_typing_Prims.l_True", + "function_token_typing_Rust_primitives.Integers.u64", + "int_inversion", "int_typing", + "interpretation_Tm_abs_c7a42c9e2d08fd782bf7613c32495cc6", + "interpretation_Tm_abs_fec714da2f5de09f2f4136a904db729a", + "kinding_Tm_arrow_d28fde83d99b9fd411f0baa86bc882a5", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_GreaterThan", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_066b9eb21a98c28e978234780f41cd65", + "refinement_interpretation_Tm_refine_21e0277b21b9413896fa7f0b23f8625e", + "refinement_interpretation_Tm_refine_221edc532b512849362f091b0318b99d", + "refinement_interpretation_Tm_refine_414b3103e63acaca337a620ee42bb932", + "refinement_interpretation_Tm_refine_51996c5c6192f6c4d97f417a4cc27ac1", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6af5dd912a49c5aa2d10fa9f5a5534c2", + "refinement_interpretation_Tm_refine_6c47c697fcc84e50a76cc2c5fae4d1cf", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d68a8e9a56d7d58a15fd1befad9cf1e1", + 
"refinement_interpretation_Tm_refine_de8fb64794f3d3be9a0d175b28ad5581", + "refinement_interpretation_Tm_refine_e39af703595e7eb2b64454d7798b53d7", + "refinement_interpretation_Tm_refine_eea4a7aaf0d9fd792b6bd561042bfd5e", + "refinement_interpretation_Tm_refine_f21ae58475c7fc74d7e8a7c2eff3f408", + "true_interp", + "typing_EquivImplSpec.Keccakf.SpecRounds.spec_one_round", + "typing_FStar.Seq.Base.length", "typing_Hacspec_sha3.Keccak_f.chi", + "typing_Hacspec_sha3.Keccak_f.iota", + "typing_Hacspec_sha3.Keccak_f.keccak_f", + "typing_Hacspec_sha3.Keccak_f.pi", + "typing_Hacspec_sha3.Keccak_f.rho", + "typing_Hacspec_sha3.Keccak_f.theta", "typing_Hacspec_sha3.createi", + "typing_Rust_primitives.Arrays.createi", + "typing_Rust_primitives.Integers.add", + "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.minint", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.mk_usize", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Tm_abs_6e12770ddd2256a6e162b3b613591f54", + "typing_Tm_abs_6ec269a97cc9e7124e00f9ceda15e72d", + "typing_Tm_abs_c7a42c9e2d08fd782bf7613c32495cc6", + "typing_Tm_abs_fec714da2f5de09f2f4136a904db729a", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "f80a8d850b6b37d5a508bb2607f78e6d" + ] + ] +] \ No newline at end of file diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.FoldRange.fst.hints b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.FoldRange.fst.hints new file mode 100644 index 0000000000..d06d861fd6 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.FoldRange.fst.hints 
@@ -0,0 +1,89 @@ +[ + "b9ff537c1a8a1860d861e1832b1da2a5", + [ + [ + "Proof_Utils.FoldRange.lemma_fold_range_step", + 1, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@fuel_irrelevance_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@query", + "Proof_Utils.FoldRange_interpretation_Tm_arrow_33698dc5b2191058ab0805f4c54cd6d4", + "Proof_Utils.FoldRange_interpretation_Tm_arrow_c5997104e637778d6a1b7447da745939", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_8a1b3c71b8eb003c7bfb24d380080447", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_c8b6fefc6a1ff03b84fa2dbb43486b72", + "b2t_def", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.squash", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_usize", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "equation_with_fuel_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "int_typing", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_066b9eb21a98c28e978234780f41cd65", 
+ "refinement_interpretation_Tm_refine_1e7d3ff6e5e7286312691ca528f40f6f", + "refinement_interpretation_Tm_refine_2de20c066034c13bf76e9c0b94f4806c", + "refinement_interpretation_Tm_refine_4f976b37a6f11355fd7b009188f8476b", + "refinement_interpretation_Tm_refine_51996c5c6192f6c4d97f417a4cc27ac1", + "refinement_interpretation_Tm_refine_6d10f7853713d9507f1ae802b7d98f50", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_c278c822ef4c8c91b70968f143a48c20", + "refinement_interpretation_Tm_refine_d68a8e9a56d7d58a15fd1befad9cf1e1", + "refinement_interpretation_Tm_refine_ef481a7ae2476286a44a20bc24f9ec1a", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "cdc9971d8b98393a1f8db0dddc979469" + ], + [ + "Proof_Utils.FoldRange.lemma_fold_range_step", + 2, + 1, + 1, + [ + "@MaxIFuel_assumption", "@query", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "data_elim_Rust_primitives.Integers.MkInt", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "primitive_Prims.op_Addition", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_6d10f7853713d9507f1ae802b7d98f50", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0" + ], + 0, + "c54a787b7e0ea396f707b317e54a601e" + ] + ] +] \ No newline at end of file 
diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.Lemmas.fst.hints b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.Lemmas.fst.hints new file mode 100644 index 0000000000..40354f6c8e --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.Lemmas.fst.hints 
@@ -0,0 +1,79 @@ +[ + "53c2702cefb764ed7921bb8054c4fd14", + [ + [ + "Proof_Utils.Lemmas.lemma_rotate_left_zero", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "constructor_distinct_Rust_primitives.Integers.U32", + "constructor_distinct_Rust_primitives.Integers.U64", + "equality_tok_Rust_primitives.Integers.U32@tok", + "equation_Prims.nat", "equation_Prims.pos", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.mk_u32", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_Equality", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Modulus", "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "typing_Prims.pow2", "typing_Rust_primitives.Integers.bits", + "typing_tok_Rust_primitives.Integers.U32@tok" + ], + 0, + "71c2ce510e65cdfea3cc331fb79818c7" + ], + [ + "Proof_Utils.Lemmas.lemma_index_update_at_range", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", "bool_inversion", "bool_typing", + "constructor_distinct_Rust_primitives.Integers.USIZE", + "equality_tok_Rust_primitives.Integers.USIZE@tok", + "equation_Prims.nat", "equation_Rust_primitives.Arrays.t_Slice", + "equation_Rust_primitives.Integers.minint", + 
"equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.usize", + "fuel_guarded_inversion_Core_models.Ops.Range.t_Range", + "function_token_typing_Rust_primitives.Integers.usize", + "int_inversion", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThanOrEqual", + "primitive_Prims.op_LessThan", "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_fd980a4a94cc34052e6e36a3c682afca", + "refinement_interpretation_Tm_refine_fe16053d5752c4abc20b8e062d537fea", + "typing_Core_models.Ops.Range.__proj__Mkt_Range__item__f_end", + "typing_Core_models.Ops.Range.__proj__Mkt_Range__item__f_start", + "typing_FStar.Seq.Base.length", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.v", + "typing_tok_Rust_primitives.Integers.USIZE@tok" + ], + 0, + "0f597853c68398241b0891a2ef364f6c" + ] + ] +] \ No newline at end of file diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.NatFold.fst.hints b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.NatFold.fst.hints new file mode 100644 index 0000000000..dbe15850b0 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/.hints/Proof_Utils.NatFold.fst.hints 
@@ -0,0 +1,367 @@ +[ + "631c9f84c7cbeb95185fe4be235e80f8", + [ + [ + "Proof_Utils.NatFold.fold_nat_range", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "binder_x_bb4e1c9af0265270f8e7a5f250f730e2_1", + "binder_x_bb4e1c9af0265270f8e7a5f250f730e2_2", "equation_Prims.nat", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", "primitive_Prims.op_Addition", + "primitive_Prims.op_LessThan", "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "well-founded-ordering-on-nat" + ], + 0, + "5009252912ec75b1aba8c85f7166a4e9" + ], + [ + "Proof_Utils.NatFold.fold_range_nat", + 1, + 0, + 1, + [ + "@MaxIFuel_assumption", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "binder_x_5d0400e7e64130b1f4854127a0139fff_3", + "binder_x_bb4e1c9af0265270f8e7a5f250f730e2_1", + "binder_x_bb4e1c9af0265270f8e7a5f250f730e2_2", "equation_Prims.nat", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", "primitive_Prims.op_Addition", + "primitive_Prims.op_LessThan", "primitive_Prims.op_Subtraction", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_8ed6602de5b0c2e9764cf5d3c31b16e1", + "well-founded-ordering-on-nat" + ], + 0, + "5560498fdf08a47ad59c99d8d5d114b9" + ], + [ + "Proof_Utils.NatFold.lemma_fold_range_is_nat", + 1, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Proof_Utils.NatFold.fold_nat_range.fuel_instrumented", + "@fuel_correspondence_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@fuel_irrelevance_Proof_Utils.NatFold.fold_nat_range.fuel_instrumented", + 
"@fuel_irrelevance_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@query", "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Proof_Utils.NatFold_interpretation_Tm_arrow_17c775e6de93114d382f1ff863b0ca30", + "Proof_Utils.NatFold_interpretation_Tm_arrow_6e0f0d33c4aa1a11274f175b51b894ff", + "Proof_Utils.NatFold_interpretation_Tm_arrow_8a3b53d7617ef10ec82a5af55b46a69f", + "Proof_Utils.NatFold_interpretation_Tm_arrow_fecf6d2e76722d527dc99698e5590a92", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_8a1b3c71b8eb003c7bfb24d380080447", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_c8b6fefc6a1ff03b84fa2dbb43486b72", + "binder_x_200cea1722bd1d7c0998e4308c392e60_5", + "binder_x_293ea8b16633370d454172be0f2f43cc_7", + "binder_x_2f874de7a35407f95c94af92d9dd525b_2", + "binder_x_2f874de7a35407f95c94af92d9dd525b_3", + "binder_x_5bf0d6230ddddf736007816157114b40_6", + "binder_x_72bedba789610b355c819db7fcccbd85_1", + "binder_x_f0c148a88bc09b136355d27739a593fb_4", + "binder_x_f9b4393cc603a1faf096d292b75c2298_0", "bool_inversion", + "bool_typing", "data_elim_Rust_primitives.Integers.MkInt", + "equation_Prims.nat", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.uinttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "equation_with_fuel_Proof_Utils.NatFold.fold_nat_range.fuel_instrumented", + "equation_with_fuel_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", "primitive_Prims.op_Addition", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + 
"primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_066b9eb21a98c28e978234780f41cd65", + "refinement_interpretation_Tm_refine_0ad9c12bff8ec3577ad8e5a62a95c9d6", + "refinement_interpretation_Tm_refine_0d43d7650f1ca86f59da90afc602e163", + "refinement_interpretation_Tm_refine_3c5de41c8b199a01b5d8e299d1224062", + "refinement_interpretation_Tm_refine_4f976b37a6f11355fd7b009188f8476b", + "refinement_interpretation_Tm_refine_51996c5c6192f6c4d97f417a4cc27ac1", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_5dd36c8d2b3368afc1b0b2d885bfa84e", + "refinement_interpretation_Tm_refine_a1eefd213e113f8b4d85ed2eca50691b", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_afd0449fb85161b0491093d6132093cd", + "refinement_interpretation_Tm_refine_c1424615841f28cac7fc34e92b7ff33c", + "refinement_interpretation_Tm_refine_d68a8e9a56d7d58a15fd1befad9cf1e1", + "refinement_interpretation_Tm_refine_e8c9ca07e52b89077badab099f006d55", + "typing_Proof_Utils.NatFold.fold_nat_range", + "typing_Rust_primitives.Integers.unsigned", + "well-founded-ordering-on-nat" + ], + 0, + "e4e81e9316f496413c871ddc037f6eef" + ], + [ + "Proof_Utils.NatFold.lemma_fold_range_is_nat", + 2, + 1, + 1, + [ + "@MaxIFuel_assumption", "@query", "bool_inversion", "bool_typing", + "data_elim_Rust_primitives.Integers.MkInt", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.uinttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + 
"fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "int_inversion", "primitive_Prims.op_Addition", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThanOrEqual", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_51996c5c6192f6c4d97f417a4cc27ac1", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_e8c9ca07e52b89077badab099f006d55", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.unsigned", + "typing_Rust_primitives.Integers.v" + ], + 0, + "5f45da5de176a5cd621b0d383a8ff502" + ], + [ + "Proof_Utils.NatFold.lemma_fold_range_is_range_nat", + 1, + 1, + 1, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Proof_Utils.NatFold.fold_range_nat.fuel_instrumented", + "@fuel_correspondence_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@fuel_irrelevance_Proof_Utils.NatFold.fold_range_nat.fuel_instrumented", + "@fuel_irrelevance_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@query", "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Proof_Utils.NatFold_interpretation_Tm_arrow_0db0b440140da435d62945ad020da432", + "Proof_Utils.NatFold_interpretation_Tm_arrow_484fa2fac7529afc6103a426112bd7a5", + "Proof_Utils.NatFold_interpretation_Tm_arrow_51c5189c642b4fce99f963b08353de64", + "Proof_Utils.NatFold_interpretation_Tm_arrow_bd1da0d284b931debe9bf450dfa59152", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_8a1b3c71b8eb003c7bfb24d380080447", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_c8b6fefc6a1ff03b84fa2dbb43486b72", + "binder_x_011d9f19cc4cbe5081bd524771c256a7_6", + "binder_x_2f874de7a35407f95c94af92d9dd525b_2", + "binder_x_2f874de7a35407f95c94af92d9dd525b_3", + "binder_x_72bedba789610b355c819db7fcccbd85_1", + 
"binder_x_8c121c581e9968c873236d8687b72765_7", + "binder_x_9d3e2725fb1224b731895cc6dc9ae4b3_5", + "binder_x_f1c266ba24149147a48732a4edd70d75_8", + "binder_x_f9b4393cc603a1faf096d292b75c2298_0", + "binder_x_fc1c69bb661f88433b85899ba968c929_4", "bool_inversion", + "bool_typing", "equation_Prims.nat", + "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.uinttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "equation_with_fuel_Proof_Utils.NatFold.fold_range_nat.fuel_instrumented", + "equation_with_fuel_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", "primitive_Prims.op_Addition", + "primitive_Prims.op_AmpAmp", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_066b9eb21a98c28e978234780f41cd65", + "refinement_interpretation_Tm_refine_1e09d75af60944785302c8d7e3fdc446", + "refinement_interpretation_Tm_refine_33e3c81445c7a13f57bf54890e5ee573", + "refinement_interpretation_Tm_refine_4f976b37a6f11355fd7b009188f8476b", + "refinement_interpretation_Tm_refine_51996c5c6192f6c4d97f417a4cc27ac1", + "refinement_interpretation_Tm_refine_542f02bebeb083f968ce44c3e2e05e53", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_59266fe48f16ce0f8b3195d8e7355710", + 
"refinement_interpretation_Tm_refine_5cc1802f6deb75f113e9703468740bc4", + "refinement_interpretation_Tm_refine_9b999e277fcaf7790022be15680430d1", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_ba687d8fc8de2b338932603676f64eaf", + "refinement_interpretation_Tm_refine_c7f248c50d182c40aac9022fc9a66edc", + "refinement_interpretation_Tm_refine_d68a8e9a56d7d58a15fd1befad9cf1e1", + "refinement_interpretation_Tm_refine_e8c9ca07e52b89077badab099f006d55", + "refinement_interpretation_Tm_refine_edccc421660c61e3591d98071500d795", + "typing_Proof_Utils.NatFold.fold_range_nat", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.unsigned", + "typing_Rust_primitives.Integers.v", "well-founded-ordering-on-nat" + ], + 0, + "cc93ca306bee777b7adbea05e421b399" + ], + [ + "Proof_Utils.NatFold.lemma_fold_range_is_range_nat", + 2, + 1, + 1, + [ + "@MaxIFuel_assumption", "@query", "bool_inversion", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.uinttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThanOrEqual", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_098301f6c7014da2a754561b0f9d4087", + "refinement_interpretation_Tm_refine_51996c5c6192f6c4d97f417a4cc27ac1", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_e8c9ca07e52b89077badab099f006d55", + 
"typing_Rust_primitives.Integers.unsigned", + "typing_Rust_primitives.Integers.v" + ], + 0, + "0c73cb64d2c8019d1a4eeb2cc0be4d0d" + ], + [ + "Proof_Utils.NatFold.lemma_fold_range_unroll_5", + 1, + 6, + 2, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + "@fuel_correspondence_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", "@query", + "Prims_pretyping_ae567c2fb75be05905677af440075565", + "Proof_Utils.NatFold_interpretation_Tm_arrow_8ec4c9cde5966ce63c2228281224de1a", + "Proof_Utils.NatFold_interpretation_Tm_arrow_930446a170c4fb69ffae2d5cae043403", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_8a1b3c71b8eb003c7bfb24d380080447", + "Rust_primitives.Hax.Folds_interpretation_Tm_arrow_c8b6fefc6a1ff03b84fa2dbb43486b72", + "Rust_primitives.Integers_pretyping_1eff91dc290b8194aeb15d2394025944", + "bool_inversion", "bool_typing", "equation_Prims.nat", + "equation_Prims.pos", "equation_Rust_primitives.Integers.add", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.uinttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "equation_with_fuel_Rust_primitives.Hax.Folds.fold_range.fuel_instrumented", + "fuel_guarded_inversion_Rust_primitives.Integers.inttype", + "function_token_typing_Prims.__cache_version_number__", + "int_inversion", "int_typing", "lemma_FStar.UInt.pow2_values", + "lemma_Rust_primitives.Integers.pow2_values", + "lemma_Rust_primitives.Integers.v_mk_int_lemma", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_GreaterThan", "primitive_Prims.op_LessThan", + "primitive_Prims.op_LessThanOrEqual", + 
"primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_014b8d2df9fbdc40b1dc33c067324612", + "refinement_interpretation_Tm_refine_066b9eb21a98c28e978234780f41cd65", + "refinement_interpretation_Tm_refine_23af6b8be8c2a870e8cc3bd77ed45ab8", + "refinement_interpretation_Tm_refine_3e1bd0090e9eeafbe382597e5eaee0fd", + "refinement_interpretation_Tm_refine_4f976b37a6f11355fd7b009188f8476b", + "refinement_interpretation_Tm_refine_51996c5c6192f6c4d97f417a4cc27ac1", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_6b00cb65a6cacb2a8d5a5645293d59a5", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_a9fe3fb6c8453a5cadf567cc452dd274", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_d68a8e9a56d7d58a15fd1befad9cf1e1", + "refinement_interpretation_Tm_refine_e13e0c1adc2be5e2350c050e82905f94", + "refinement_interpretation_Tm_refine_e47dcf97dc96eacf38cb141be9013b3c", + "refinement_interpretation_Tm_refine_e8c9ca07e52b89077badab099f006d55", + "typing_Prims.pow2", "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.mk_int", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.unsigned" + ], + 0, + "789bee90bcc4c8027c85dd50d624d5ec" + ], + [ + "Proof_Utils.NatFold.lemma_fold_range_unroll_5", + 2, + 6, + 2, + [ + "@MaxFuel_assumption", "@MaxIFuel_assumption", + "@fuel_correspondence_Prims.pow2.fuel_instrumented", + "@fuel_irrelevance_Prims.pow2.fuel_instrumented", "@query", + "bool_inversion", 
"data_elim_Rust_primitives.Integers.MkInt", + "equation_Prims.nat", "equation_Prims.pos", + "equation_Rust_primitives.Integers.bits", + "equation_Rust_primitives.Integers.maxint", + "equation_Rust_primitives.Integers.minint", + "equation_Rust_primitives.Integers.mk_int", + "equation_Rust_primitives.Integers.range", + "equation_Rust_primitives.Integers.range_t", + "equation_Rust_primitives.Integers.uinttype", + "equation_Rust_primitives.Integers.unsigned", + "equation_Rust_primitives.Integers.v", + "fuel_guarded_inversion_Rust_primitives.Integers.int_t", + "fuel_guarded_inversion_Rust_primitives.Integers.inttype", + "int_inversion", "int_typing", "lemma_FStar.UInt.pow2_values", + "lemma_Rust_primitives.Integers.pow2_values", + "primitive_Prims.op_Addition", "primitive_Prims.op_AmpAmp", + "primitive_Prims.op_LessThanOrEqual", + "primitive_Prims.op_Subtraction", + "proj_equation_Rust_primitives.Integers.MkInt_@_0", + "projection_inverse_BoxBool_proj_0", + "projection_inverse_BoxInt_proj_0", + "projection_inverse_Rust_primitives.Integers.MkInt_@_0", + "refinement_interpretation_Tm_refine_3e1bd0090e9eeafbe382597e5eaee0fd", + "refinement_interpretation_Tm_refine_542f9d4f129664613f2483a6c88bc7c2", + "refinement_interpretation_Tm_refine_774ba3f728d91ead8ef40be66c9802e5", + "refinement_interpretation_Tm_refine_a6d4eccfb2603ce5e66d6162c32df2b0", + "refinement_interpretation_Tm_refine_b045b04f0bb15cd7c94a2ec78d3283ce", + "refinement_interpretation_Tm_refine_e8c9ca07e52b89077badab099f006d55", + "typing_Prims.pow2", "typing_Rust_primitives.Integers.bits", + "typing_Rust_primitives.Integers.range", + "typing_Rust_primitives.Integers.size_bits", + "typing_Rust_primitives.Integers.unsigned" + ], + 0, + "28644f783c34497e02ccf3b4cbf69a12" + ] + ] +] \ No newline at end of file 
diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.ChiFold.fst b/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.ChiFold.fst new file mode 100644 index 0000000000..6b4d429630 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.ChiFold.fst 
@@ -0,0 +1,188 @@ +module EquivImplSpec.Keccakf.ChiFold + +(** Chi-step fold-unfolding utilities for the generic keccak_f + equivalence proof. + + The extracted [Libcrux_sha3.Generic_keccak.impl_2__chi] is a 5x5 + nested [fold_range] whose body writes [f_and_not_xor] into each + cell. Direct SMT reasoning across both folds is too closure-heavy. + + This module establishes the per-position equality + + (impl_2__chi v_N #v_T ks).f_st.[k] == chi_inner_val ks (k/5) (k%5) + + Under the FIPS-native layout [get_ij(arr, i, j) = arr[5*i + j]], + flat index [k] corresponds to [(i, j) = (k/5, k%5)] (impl-side + [(i, j)] is FIPS [(y, x)]). + + The equality is proved via a loop-invariant argument on a named + [chi_unrolled] form, bridged to [impl_2__chi] by a fuel-6 + [fold_range] unroll. + + The single export [lemma_chi_val_i] is consumed by + [EquivImplSpec.Keccakf.Generic.lemma_chi_extract_lane] together with a + lane-correctness wrapper around [chi_inner_val]. *) + +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" + +open FStar.Mul +open Core_models +open Rust_primitives.Integers +open Libcrux_sha3.Generic_keccak + +(* ================================================================ + Per-position chi value: applied with [old = ks] this is what + chi writes at position (i, j). + ================================================================ *) + +let chi_inner_val + (#v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (old: t_KeccakState v_N v_T) + (i: usize{v i < 5}) (j: usize{v j < 5}) = + (Libcrux_sha3.Traits.f_and_not_xor #v_T #v_N + (old.[ i, j <: (usize & usize) ] <: v_T) + (old.[ i, ((j +! mk_usize 2) %! mk_usize 5) <: (usize & usize) ] <: v_T) + (old.[ i, ((j +! mk_usize 1) %! mk_usize 5) <: (usize & usize) ] <: v_T)) + +(* ================================================================ + Inner-loop invariant + step lemma. 
+ ================================================================ *) + +let chi_inner_inv + (#v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (old s: t_KeccakState v_N v_T) + (i: usize{v i < 5}) (j: usize{v j <= 5}) = + (forall (ii:usize) (jj:usize). + (v ii < 5 /\ v jj < 5 /\ + (v ii < v i \/ (v ii == v i /\ v jj < v j))) ==> + s.[ ii, jj ] == chi_inner_val old ii jj) /\ + (forall (ii:usize) (jj:usize). + (v ii < 5 /\ v jj < 5 /\ + (v ii > v i \/ (v ii == v i /\ v jj >= v j))) ==> + s.[ ii,jj ] == old.[ ii,jj ]) + +#push-options "--z3rlimit 200 --split_queries always" +let chi_inner_body + (#v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (old s: t_KeccakState v_N v_T) + (i: usize{v i < 5}) (j: usize{v j < 5}) + : Pure (t_KeccakState v_N v_T) + (requires (chi_inner_inv old s i j)) + (ensures fun r -> (chi_inner_inv old r i (j +! sz 1))) = + let s' = + impl_2__set v_N #v_T s i j + (Libcrux_sha3.Traits.f_and_not_xor #v_T #v_N + (s.[ i, j <: (usize & usize) ] <: v_T) + (old.[ i, ((j +! mk_usize 2) %! mk_usize 5) <: (usize & usize) ] <: v_T) + (old.[ i, ((j +! mk_usize 1) %! mk_usize 5) <: (usize & usize) ] <: v_T)) + in + assert (s'.[ i, j <: usize & usize ] == chi_inner_val old i j); + assert (forall (ii:usize) (jj:usize). + (v ii < 5 /\ v jj < 5 /\ + (v ii < v i \/ (v ii == v i /\ v jj < v j + 1))) ==> + s'.[ ii, jj ] == chi_inner_val old ii jj); + assert (forall (ii:usize) (jj:usize). + (v ii < 5 /\ v jj < 5 /\ + (v ii > v i \/ (v ii == v i /\ v jj >= v j + 1))) ==> + s.[ ii,jj ] == old.[ ii,jj ]); + assert(chi_inner_inv old s' i (j +! sz 1)); + s' +#pop-options + +(* ================================================================ + Outer-loop invariant + body. 
+ ================================================================ *) + +let chi_outer_inv + (#v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (old s: t_KeccakState v_N v_T) + (i: usize{v i <= 5}) = + (forall (ii:usize) (jj:usize). + (v ii < 5 /\ v jj < 5 /\ + v ii < v i) ==> + s.[ ii, jj ] == chi_inner_val old ii jj) /\ + (forall (ii:usize) (jj:usize). + (v ii < 5 /\ v jj < 5 /\ + v ii >= v i) ==> + s.[ ii,jj ] == old.[ ii,jj ]) + +let chi_outer_body + (#v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (old s: t_KeccakState v_N v_T) + (i: usize{v i < 5}) + : Pure (t_KeccakState v_N v_T) + (requires chi_outer_inv old s i) + (ensures fun r -> chi_outer_inv old r (i +! sz 1)) = + let s = chi_inner_body #v_N old s i (mk_usize 0) in + let s = chi_inner_body #v_N old s i (mk_usize 1) in + let s = chi_inner_body #v_N old s i (mk_usize 2) in + let s = chi_inner_body #v_N old s i (mk_usize 3) in + chi_inner_body #v_N old s i (mk_usize 4) + +(* ================================================================ + Fully unrolled chi with the outer postcondition. + ================================================================ *) + +#push-options "--z3rlimit 400" +let chi_unrolled + (#v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (ks: t_KeccakState v_N v_T) + : Pure (t_KeccakState v_N v_T) + (requires True) + (ensures fun r -> chi_outer_inv ks r (sz 5)) + = + let old = ks in + let s = chi_outer_body #v_N old ks (mk_usize 0) in + let s = chi_outer_body #v_N old s (mk_usize 1) in + let s = chi_outer_body #v_N old s (mk_usize 2) in + let s = chi_outer_body #v_N old s (mk_usize 3) in + let s = chi_outer_body #v_N old s (mk_usize 4) in + s +#pop-options + +(* ================================================================ + Fold-range bridge: [impl_2__chi == chi_unrolled]. + Fuel 6 lets Z3 unfold both nested 0..5 fold_ranges step by step. 
+ ================================================================ *) + +#push-options "--fuel 6 --ifuel 0 --z3rlimit 800" +let lemma_chi_outer_unfolds_generic + (v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (ks: t_KeccakState v_N v_T) + : Lemma (impl_2__chi v_N #v_T ks == chi_unrolled #v_N #v_T ks) + = () +#pop-options + +(* ================================================================ + Top-level export: per-position equality at any flat index. + ================================================================ *) + +#push-options "--z3rlimit 400 --split_queries always" +let lemma_chi_val_i + (v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (ks: t_KeccakState v_N v_T) + (k: usize{v k < 25}) + : Lemma ((impl_2__chi v_N #v_T ks).f_st.[ k <: usize ] == + chi_inner_val ks (k /! sz 5) (k %! sz 5)) + = let i = k /! sz 5 in + let j = k %! sz 5 in + assert (v i = v k / 5); + assert (v j = v k % 5); + assert (v i < 5); + assert (v j < 5); + assert (v k == 5 * v i + v j); + assert (k == sz 5 *! i +! j); + let s = chi_unrolled #v_N #v_T ks in + lemma_chi_outer_unfolds_generic v_N ks; + assert (chi_outer_inv ks s (sz 5)); + assert (s.[ i,j ] == chi_inner_val ks i j); + assert (s.[ i,j ] == Libcrux_sha3.Traits.get_ij v_N s.f_st i j) +#pop-options diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.Generic.fst b/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.Generic.fst new file mode 100644 index 0000000000..3db0b143b5 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.Generic.fst 
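Review bot: In `chi_inner_body`, the third intermediate assert (the frame condition for cells at or after `(i, j+1)`) is stated about the input state `s` rather than the updated state `s'`, which looks like a typo. As written it only restates a weakening of the precondition `chi_inner_inv old s i j` and gives the solver no fact about `s'`. The closing `assert (chi_inner_inv old s' i (j +! sz 1))` still has to be discharged on its own, so what is proved is unaffected. The hint is presumably meant to end in `s'.[ ii,jj ] == old.[ ii,jj ]`, matching the assert just before it. With that in place it may be worth re-checking whether `--z3rlimit 200 --split_queries always` is still needed for this function.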
@@ -0,0 +1,2024 @@ +module EquivImplSpec.Keccakf.Generic + +(* ================================================================ + Generic keccak_f equivalence via lane-wise `to_spec` commutativity. + + MAIN THEOREM (lemma_keccakf1600_to_spec): + + extract_lane lc (keccakf1600 v_N #v_T ks).f_st l == + keccak_f (extract_lane lc ks.f_st l) + + i.e., extracting any lane from the SIMD keccakf1600 result equals + running the scalar spec keccak_f on that lane of the input. + + ARCHITECTURE: + + 1. `lane_correctness` record — 7 hypotheses any KeccakItem backend + must satisfy (lc_xor5, lc_rotate_left1_and_xor, lc_xor_and_rotate, + lc_and_not_xor, lc_xor_constant, lc_xor, lc_zero). These say + that extracting a lane commutes with each typeclass operation. + + 2. `extract_lane lc state l` — maps `t_Array v_T 25` to + `t_Array u64 25` by applying `lc.lane` pointwise: + (extract_lane state l).[i] = lc.lane state.[i] l + + 3. Per-step commutativity lemmas — for each keccak step (theta+rho, + pi, chi, iota), prove: + extract_lane (impl_step state) l == spec_step (extract_lane state l) + + 4. Composition — chain per-step commutativity into one-round, then + induction over 24 rounds. + + PROOF STATUS: + + Proven (= ()): + - All generic impl-side lemmas (Phase 1): lemma_theta_generic, + lemma_rho_{0..4}_generic, lemma_pi_{0..4}_generic, + lemma_rho_unfold_generic, lemma_pi_unfold_generic. + These express impl results in terms of abstract KeccakItem ops. + - Operation-level lane commutativity: lane_xor5, lane_xor, etc. + (trivial wrappers around lane_correctness fields) + - One-round and multi-round composition (assuming per-step lemmas) + + Library-level lemmas (discharged via Proof_Utils.Lemmas + EquivImplSpec.Keccakf.SpecRounds): + - [Proof_Utils.Lemmas.lemma_rotate_left_zero]: rotate_left(x, 0) == x + - [Proof_Utils.Lemmas.logand_commutative]: (a &. b) == (b &. 
a) + - lemma_rho_offsets_values: RHO_OFFSETS array element values + - lemma_keccakf1600_is_rounds: fold_range bridge (impl side) + - lemma_keccak_f_is_rounds: fold_range bridge (spec side) + + PROOF STRATEGY for the to_spec lemmas: + + Each to_spec lemma follows the same pattern: + 1. Use the generic impl-side lemma to know what each slot contains + (e.g., lemma_rho_0_generic says r.[1] == f_xor_and_rotate ... s.[1] d.[0]) + 2. Apply lane_* helpers to convert from abstract v_T ops to scalar u64 ops + (e.g., lane_xor_and_rotate says lc.lane(f_xor_and_rotate ... a b) l == rotl(lane a l ^. lane b l, LEFT)) + 3. Use spec-side reduction (e.g., lemma_rho_theta_spec from the portable proof) + 4. Conclude with Rust_primitives.Arrays.eq_intro + + The tricky part is getting Z3 to see pointwise equality across all 25 + indices. The portable proof handles this with explicit per-index asserts; + the generic proof needs the same but with lane extraction in between. + + INSTANTIATION (future files): + - Portable (N=1, u64): lane(x,0) = x. All lc_* are `= ()`. 
+ - NEON (N=2, uint64x2_t): lane = get_lane64, lc_* from arm64_extract.rs specs + - AVX2 (N=4, Vec256): lane = get_lane, lc_* from avx2_extract.rs specs + ================================================================ *) + +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" + +open FStar.Mul +open Core_models +open Proof_Utils.NatFold (* fold_range_nat, lemma_fold_range_is_range_nat *) +module Lemmas = Proof_Utils.Lemmas +module ChiFold = EquivImplSpec.Keccakf.ChiFold +module SpecRounds = EquivImplSpec.Keccakf.SpecRounds + +let _ = + let open Libcrux_sha3.Traits in + let open Libcrux_sha3.Simd.Portable in + () + +(* ================================================================ + Lane-correctness specification + ================================================================ *) + +noeq type lane_correctness + (v_N: usize) + (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} = { + + lane: v_T -> l:nat{l < v v_N} -> u64; + + lc_zero: (l:nat{l < v v_N}) -> + Lemma (lane (Libcrux_sha3.Traits.f_zero #v_T #v_N #inst ()) l == mk_u64 0); + + lc_xor5: (a:v_T) -> (b:v_T) -> (c:v_T) -> (d:v_T) -> (e:v_T) -> (l:nat{l < v v_N}) -> + Lemma (lane (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst a b c d e) l == + (((lane a l ^. lane b l) ^. lane c l) ^. lane d l) ^. lane e l); + + lc_rotate_left1_and_xor: (a:v_T) -> (b:v_T) -> (l:nat{l < v v_N}) -> + Lemma (lane (Libcrux_sha3.Traits.f_rotate_left1_and_xor #v_T #v_N #inst a b) l == + lane a l ^. Core_models.Num.impl_u64__rotate_left (lane b l) (mk_u32 1)); + + lc_xor_and_rotate: (v_LEFT:i32) -> (v_RIGHT:i32) -> (a:v_T) -> (b:v_T) -> (l:nat{l < v v_N}) -> + Lemma + (requires + ((Rust_primitives.Hax.Int.from_machine v_LEFT <: Hax_lib.Int.t_Int) + + (Rust_primitives.Hax.Int.from_machine v_RIGHT <: Hax_lib.Int.t_Int)) = + (Rust_primitives.Hax.Int.from_machine (mk_i32 64) <: Hax_lib.Int.t_Int) /\ + v_RIGHT >. mk_i32 0 /\ + v_RIGHT <. 
mk_i32 64) + (ensures + lane (Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst v_LEFT v_RIGHT a b) l == + Core_models.Num.impl_u64__rotate_left (lane a l ^. lane b l) (cast (v_LEFT <: i32) <: u32)); + + lc_and_not_xor: (a:v_T) -> (b:v_T) -> (c:v_T) -> (l:nat{l < v v_N}) -> + Lemma (lane (Libcrux_sha3.Traits.f_and_not_xor #v_T #v_N #inst a b c) l == + lane a l ^. (lane b l &. (~. (lane c l)))); + + lc_xor_constant: (a:v_T) -> (c:u64) -> (l:nat{l < v v_N}) -> + Lemma (lane (Libcrux_sha3.Traits.f_xor_constant #v_T #v_N #inst a c) l == + lane a l ^. c); + + lc_xor: (a:v_T) -> (b:v_T) -> (l:nat{l < v v_N}) -> + Lemma (lane (Libcrux_sha3.Traits.f_xor #v_T #v_N #inst a b) l == + lane a l ^. lane b l); +} + +(* ================================================================ + extract_lane: maps SIMD state to a scalar spec state for lane l + ================================================================ *) + +[@ "opaque_to_smt"] +let extract_lane + (#v_T: Type0) (v_N: usize) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (lc: lane_correctness v_N #v_T) + (state: t_Array v_T (mk_usize 25)) + (l: nat{l < v v_N}) + : t_Array u64 (mk_usize 25) = + Rust_primitives.Arrays.createi (mk_usize 25) (fun i -> lc.lane state.[i] l) + +let lemma_extract_lane_index + (#v_T: Type0) (v_N: usize) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (lc: lane_correctness v_N #v_T) + (state: t_Array v_T (mk_usize 25)) + (l: nat{l < v v_N}) + (i: usize{i <. 
mk_usize 25}) + : Lemma + ((extract_lane v_N lc state l).[i] == lc.lane state.[i] l) + [SMTPat ((extract_lane v_N lc state l).[i])] + = assert_norm ((extract_lane v_N lc state l).[i] == lc.lane state.[i] l) + +(* Shorthand for the spec's state type *) +let spec_state = SpecRounds.spec_state + +(* Shorthand for the impl's state type *) +let impl_state (v_N: usize) (v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} = + Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T + +(* ================================================================ + Operation-level commutativity with extract_lane + + These show that applying a KeccakItem operation to SIMD elements + and then extracting a lane equals extracting lanes first and then + applying the scalar operation. Each is a direct consequence of the + corresponding lane_correctness hypothesis. + ================================================================ *) + +let lane_xor5 + (#v_T: Type0) (v_N: usize) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (lc: lane_correctness v_N #v_T) + (a b c d e: v_T) (l: nat{l < v v_N}) + : Lemma (lc.lane (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst a b c d e) l == + (((lc.lane a l ^. lc.lane b l) ^. lc.lane c l) ^. lc.lane d l) ^. lc.lane e l) + = lc.lc_xor5 a b c d e l + +let lane_rotate_left1_and_xor + (#v_T: Type0) (v_N: usize) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (lc: lane_correctness v_N #v_T) + (a b: v_T) (l: nat{l < v v_N}) + : Lemma (lc.lane (Libcrux_sha3.Traits.f_rotate_left1_and_xor #v_T #v_N #inst a b) l == + lc.lane a l ^. 
Core_models.Num.impl_u64__rotate_left (lc.lane b l) (mk_u32 1))
+ = lc.lc_rotate_left1_and_xor a b l
+
+let lane_xor_and_rotate
+ (#v_T: Type0) (v_N: usize)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (v_LEFT v_RIGHT: i32) (a b: v_T) (l: nat{l < v v_N})
+ : Lemma
+ (requires
+ ((Rust_primitives.Hax.Int.from_machine v_LEFT <: Hax_lib.Int.t_Int) +
+ (Rust_primitives.Hax.Int.from_machine v_RIGHT <: Hax_lib.Int.t_Int)) =
+ (Rust_primitives.Hax.Int.from_machine (mk_i32 64) <: Hax_lib.Int.t_Int) /\
+ v_RIGHT >. mk_i32 0 /\
+ v_RIGHT <. mk_i32 64)
+ (ensures
+ lc.lane (Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst v_LEFT v_RIGHT a b) l ==
+ Core_models.Num.impl_u64__rotate_left (lc.lane a l ^. lc.lane b l) (cast (v_LEFT <: i32) <: u32))
+ = lc.lc_xor_and_rotate v_LEFT v_RIGHT a b l
+
+let lane_and_not_xor
+ (#v_T: Type0) (v_N: usize)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (a b c: v_T) (l: nat{l < v v_N})
+ : Lemma (lc.lane (Libcrux_sha3.Traits.f_and_not_xor #v_T #v_N #inst a b c) l ==
+ lc.lane a l ^. (lc.lane b l &. (~. (lc.lane c l))))
+ = lc.lc_and_not_xor a b c l
+
+let lane_xor_constant
+ (#v_T: Type0) (v_N: usize)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (a: v_T) (c: u64) (l: nat{l < v v_N})
+ : Lemma (lc.lane (Libcrux_sha3.Traits.f_xor_constant #v_T #v_N #inst a c) l ==
+ lc.lane a l ^. c)
+ = lc.lc_xor_constant a c l
+
+let lane_xor
+ (#v_T: Type0) (v_N: usize)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (a b: v_T) (l: nat{l < v v_N})
+ : Lemma (lc.lane (Libcrux_sha3.Traits.f_xor #v_T #v_N #inst a b) l ==
+ lc.lane a l ^.
lc.lane b l)
+ = lc.lc_xor a b l
+
+(* ================================================================
+ Phase 1: Generic impl-side rho lemmas (abstract v_T)
+
+ These capture what each array slot of the rho result contains,
+ expressed in terms of abstract typeclass operations.
+ They should be `= ()` because they depend only on array update
+ semantics, not on the concrete type v_T.
+ ================================================================ *)
+
+(** Abbreviation for rotate_left with i32 cast. *)
+let rotl (x: u64) (n: i32) : u64 =
+ Core_models.Num.impl_u64__rotate_left x (cast (n <: i32) <: u32)
+
+(** Theta: state is unchanged, d matches column parities.
+ Under the FIPS-native layout [get_ij(arr, i, j) = arr[5*i + j]] with
+ impl [(i, j) = (y, x)], column [x] corresponds to flat indices
+ [x, x+5, x+10, x+15, x+20] (stride 5). *)
+#push-options "--z3rlimit 100"
+let lemma_theta_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T ks in
+ ks'.Libcrux_sha3.Generic_keccak.f_st == s /\
+ d.[mk_usize 0] == Libcrux_sha3.Traits.f_rotate_left1_and_xor #v_T #v_N #inst
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 4] s.[mk_usize 9] s.[mk_usize 14] s.[mk_usize 19] s.[mk_usize 24])
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 1] s.[mk_usize 6] s.[mk_usize 11] s.[mk_usize 16] s.[mk_usize 21]) /\
+ d.[mk_usize 1] == Libcrux_sha3.Traits.f_rotate_left1_and_xor #v_T #v_N #inst
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 0] s.[mk_usize 5] s.[mk_usize 10] s.[mk_usize 15] s.[mk_usize 20])
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 2] s.[mk_usize 7] s.[mk_usize 12] s.[mk_usize 17] s.[mk_usize 22]) /\
+ d.[mk_usize 2] == Libcrux_sha3.Traits.f_rotate_left1_and_xor #v_T #v_N #inst
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 1] s.[mk_usize 6] s.[mk_usize 11] s.[mk_usize 16] s.[mk_usize 21])
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 3] s.[mk_usize 8] s.[mk_usize 13] s.[mk_usize 18] s.[mk_usize 23]) /\
+ d.[mk_usize 3] == Libcrux_sha3.Traits.f_rotate_left1_and_xor #v_T #v_N #inst
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 2] s.[mk_usize 7] s.[mk_usize 12] s.[mk_usize 17] s.[mk_usize 22])
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 4] s.[mk_usize 9] s.[mk_usize 14] s.[mk_usize 19] s.[mk_usize 24]) /\
+ d.[mk_usize 4] == Libcrux_sha3.Traits.f_rotate_left1_and_xor #v_T #v_N #inst
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 3] s.[mk_usize 8] s.[mk_usize 13] s.[mk_usize 18] s.[mk_usize 23])
+ (Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst s.[mk_usize 0] s.[mk_usize 5] s.[mk_usize 10] s.[mk_usize 15] s.[mk_usize 20]))
+ = ()
+#pop-options
+
+(** rho_0_: under FIPS-native layout, updates cells where [x=0]
+ (flat indices [0, 5, 10, 15, 20]); preserves the rest.
+ The [y=0, x=0] cell uses f_xor; the other four use f_xor_and_rotate.
*)
+#push-options "--z3rlimit 200"
+let lemma_rho_0_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 0] == Libcrux_sha3.Traits.f_xor #v_T #v_N #inst s.[mk_usize 0] d.[mk_usize 0] /\
+ r.[mk_usize 5] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 36) (mk_i32 28) s.[mk_usize 5] d.[mk_usize 0] /\
+ r.[mk_usize 10] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 3) (mk_i32 61) s.[mk_usize 10] d.[mk_usize 0] /\
+ r.[mk_usize 15] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 41) (mk_i32 23) s.[mk_usize 15] d.[mk_usize 0] /\
+ r.[mk_usize 20] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 18) (mk_i32 46) s.[mk_usize 20] d.[mk_usize 0] /\
+ r.[mk_usize 1] == s.[mk_usize 1] /\ r.[mk_usize 2] == s.[mk_usize 2] /\
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 6] == s.[mk_usize 6] /\ r.[mk_usize 7] == s.[mk_usize 7] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 11] == s.[mk_usize 11] /\ r.[mk_usize 12] == s.[mk_usize 12] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 16] == s.[mk_usize 16] /\ r.[mk_usize 17] == s.[mk_usize 17] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 21] == s.[mk_usize 21] /\ r.[mk_usize 22] == s.[mk_usize 22] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = ()
+#pop-options
+
+(** rho_1_: updates cells where [x=1] (flat [1, 6, 11, 16, 21]).
*)
+#push-options "--z3rlimit 200"
+let lemma_rho_1_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__rho_1_ v_N #v_T ks d)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 1] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 1) (mk_i32 63) s.[mk_usize 1] d.[mk_usize 1] /\
+ r.[mk_usize 6] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 44) (mk_i32 20) s.[mk_usize 6] d.[mk_usize 1] /\
+ r.[mk_usize 11] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 10) (mk_i32 54) s.[mk_usize 11] d.[mk_usize 1] /\
+ r.[mk_usize 16] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 45) (mk_i32 19) s.[mk_usize 16] d.[mk_usize 1] /\
+ r.[mk_usize 21] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 2) (mk_i32 62) s.[mk_usize 21] d.[mk_usize 1] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 2] == s.[mk_usize 2] /\
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 7] == s.[mk_usize 7] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 12] == s.[mk_usize 12] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 17] == s.[mk_usize 17] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 22] == s.[mk_usize 22] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = ()
+#pop-options
+
+(** rho_2_: updates cells where [x=2] (flat [2, 7, 12, 17, 22]).
*)
+#push-options "--z3rlimit 200"
+let lemma_rho_2_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__rho_2_ v_N #v_T ks d)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 2] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 62) (mk_i32 2) s.[mk_usize 2] d.[mk_usize 2] /\
+ r.[mk_usize 7] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 6) (mk_i32 58) s.[mk_usize 7] d.[mk_usize 2] /\
+ r.[mk_usize 12] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 43) (mk_i32 21) s.[mk_usize 12] d.[mk_usize 2] /\
+ r.[mk_usize 17] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 15) (mk_i32 49) s.[mk_usize 17] d.[mk_usize 2] /\
+ r.[mk_usize 22] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 61) (mk_i32 3) s.[mk_usize 22] d.[mk_usize 2] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = ()
+#pop-options
+
+(** rho_3_: updates cells where [x=3] (flat [3, 8, 13, 18, 23]).
*)
+#push-options "--z3rlimit 200"
+let lemma_rho_3_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__rho_3_ v_N #v_T ks d)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 3] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 28) (mk_i32 36) s.[mk_usize 3] d.[mk_usize 3] /\
+ r.[mk_usize 8] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 55) (mk_i32 9) s.[mk_usize 8] d.[mk_usize 3] /\
+ r.[mk_usize 13] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 25) (mk_i32 39) s.[mk_usize 13] d.[mk_usize 3] /\
+ r.[mk_usize 18] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 21) (mk_i32 43) s.[mk_usize 18] d.[mk_usize 3] /\
+ r.[mk_usize 23] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 56) (mk_i32 8) s.[mk_usize 23] d.[mk_usize 3] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 2] == s.[mk_usize 2] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 7] == s.[mk_usize 7] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 12] == s.[mk_usize 12] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 17] == s.[mk_usize 17] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 22] == s.[mk_usize 22] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = ()
+#pop-options
+
+(** rho_4_: updates cells where [x=4] (flat [4, 9, 14, 19, 24]).
*)
+#push-options "--z3rlimit 200"
+let lemma_rho_4_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__rho_4_ v_N #v_T ks d)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 4] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 27) (mk_i32 37) s.[mk_usize 4] d.[mk_usize 4] /\
+ r.[mk_usize 9] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 20) (mk_i32 44) s.[mk_usize 9] d.[mk_usize 4] /\
+ r.[mk_usize 14] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 39) (mk_i32 25) s.[mk_usize 14] d.[mk_usize 4] /\
+ r.[mk_usize 19] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 8) (mk_i32 56) s.[mk_usize 19] d.[mk_usize 4] /\
+ r.[mk_usize 24] == Libcrux_sha3.Traits.f_xor_and_rotate #v_T #v_N #inst (mk_i32 14) (mk_i32 50) s.[mk_usize 24] d.[mk_usize 4] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 2] == s.[mk_usize 2] /\ r.[mk_usize 3] == s.[mk_usize 3] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 7] == s.[mk_usize 7] /\ r.[mk_usize 8] == s.[mk_usize 8] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 12] == s.[mk_usize 12] /\ r.[mk_usize 13] == s.[mk_usize 13] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 17] == s.[mk_usize 17] /\ r.[mk_usize 18] == s.[mk_usize 18] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 22] == s.[mk_usize 22] /\ r.[mk_usize 23] == s.[mk_usize 23])
+ = ()
+#pop-options
+
+(** rho unfolds to rho_0_ through rho_4_ chain.
*)
+#push-options "--z3rlimit 100"
+let lemma_rho_unfold_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ : Lemma
+ (let open Libcrux_sha3.Generic_keccak in
+ impl_2__rho v_N #v_T ks d ==
+ (let ks0 = impl_2__rho_0_ v_N #v_T ks d in
+ let ks1 = impl_2__rho_1_ v_N #v_T ks0 d in
+ let ks2 = impl_2__rho_2_ v_N #v_T ks1 d in
+ let ks3 = impl_2__rho_3_ v_N #v_T ks2 d in
+ impl_2__rho_4_ v_N #v_T ks3 d))
+ = ()
+#pop-options
+
+(* ================================================================
+ Phase 1b: Generic impl-side pi lemmas (abstract v_T)
+ ================================================================ *)
+
+(** pi_0_: updates cells where [x=0] except [(0,0)] (flat [5, 10, 15, 20]). *)
+#push-options "--z3rlimit 200"
+let lemma_pi_0_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks old: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let o = old.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__pi_0_ v_N #v_T ks old)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 5] == o.[mk_usize 3] /\
+ r.[mk_usize 10] == o.[mk_usize 1] /\
+ r.[mk_usize 15] == o.[mk_usize 4] /\
+ r.[mk_usize 20] == o.[mk_usize 2] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 2] == s.[mk_usize 2] /\ r.[mk_usize 3] == s.[mk_usize 3] /\
+ r.[mk_usize 4] == s.[mk_usize 4] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 7] == s.[mk_usize 7] /\ r.[mk_usize 8] == s.[mk_usize 8] /\
+ r.[mk_usize 9] == s.[mk_usize 9] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 12] == s.[mk_usize 12] /\ r.[mk_usize 13] == s.[mk_usize 13] /\
+ r.[mk_usize 14] == s.[mk_usize 14] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 17] == s.[mk_usize 17] /\ r.[mk_usize 18] ==
s.[mk_usize 18] /\
+ r.[mk_usize 19] == s.[mk_usize 19] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 22] == s.[mk_usize 22] /\ r.[mk_usize 23] == s.[mk_usize 23] /\
+ r.[mk_usize 24] == s.[mk_usize 24])
+ = ()
+#pop-options
+
+(** pi_1_: updates cells where [x=1] (flat [1, 6, 11, 16, 21]). *)
+#push-options "--z3rlimit 200"
+let lemma_pi_1_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks old: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let o = old.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__pi_1_ v_N #v_T ks old)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 1] == o.[mk_usize 6] /\
+ r.[mk_usize 6] == o.[mk_usize 9] /\
+ r.[mk_usize 11] == o.[mk_usize 7] /\
+ r.[mk_usize 16] == o.[mk_usize 5] /\
+ r.[mk_usize 21] == o.[mk_usize 8] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 2] == s.[mk_usize 2] /\
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 7] == s.[mk_usize 7] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 12] == s.[mk_usize 12] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 17] == s.[mk_usize 17] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 22] == s.[mk_usize 22] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = ()
+#pop-options
+
+(** pi_2_: updates cells where [x=2] (flat [2, 7, 12, 17, 22]).
*)
+#push-options "--z3rlimit 200"
+let lemma_pi_2_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks old: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let o = old.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__pi_2_ v_N #v_T ks old)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 2] == o.[mk_usize 12] /\
+ r.[mk_usize 7] == o.[mk_usize 10] /\
+ r.[mk_usize 12] == o.[mk_usize 13] /\
+ r.[mk_usize 17] == o.[mk_usize 11] /\
+ r.[mk_usize 22] == o.[mk_usize 14] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = ()
+#pop-options
+
+(** pi_3_: updates cells where [x=3] (flat [3, 8, 13, 18, 23]).
*)
+#push-options "--z3rlimit 200"
+let lemma_pi_3_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks old: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let o = old.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__pi_3_ v_N #v_T ks old)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 3] == o.[mk_usize 18] /\
+ r.[mk_usize 8] == o.[mk_usize 16] /\
+ r.[mk_usize 13] == o.[mk_usize 19] /\
+ r.[mk_usize 18] == o.[mk_usize 17] /\
+ r.[mk_usize 23] == o.[mk_usize 15] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 2] == s.[mk_usize 2] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 7] == s.[mk_usize 7] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 12] == s.[mk_usize 12] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 17] == s.[mk_usize 17] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 22] == s.[mk_usize 22] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = ()
+#pop-options
+
+(** pi_4_: updates cells where [x=4] (flat [4, 9, 14, 19, 24]).
*)
+#push-options "--z3rlimit 200"
+let lemma_pi_4_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks old: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let o = old.Libcrux_sha3.Generic_keccak.f_st in
+ let r = (Libcrux_sha3.Generic_keccak.impl_2__pi_4_ v_N #v_T ks old)
+ .Libcrux_sha3.Generic_keccak.f_st in
+ r.[mk_usize 4] == o.[mk_usize 24] /\
+ r.[mk_usize 9] == o.[mk_usize 22] /\
+ r.[mk_usize 14] == o.[mk_usize 20] /\
+ r.[mk_usize 19] == o.[mk_usize 23] /\
+ r.[mk_usize 24] == o.[mk_usize 21] /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 2] == s.[mk_usize 2] /\ r.[mk_usize 3] == s.[mk_usize 3] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 7] == s.[mk_usize 7] /\ r.[mk_usize 8] == s.[mk_usize 8] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 12] == s.[mk_usize 12] /\ r.[mk_usize 13] == s.[mk_usize 13] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 17] == s.[mk_usize 17] /\ r.[mk_usize 18] == s.[mk_usize 18] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 22] == s.[mk_usize 22] /\ r.[mk_usize 23] == s.[mk_usize 23])
+ = ()
+#pop-options
+
+(** pi unfolds to pi_0_ through pi_4_ chain.
*)
+#push-options "--z3rlimit 100"
+let lemma_pi_unfold_generic
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ : Lemma
+ (let open Libcrux_sha3.Generic_keccak in
+ impl_2__pi v_N #v_T ks ==
+ (let old = ks in
+ let ks0 = impl_2__pi_0_ v_N #v_T ks old in
+ let ks1 = impl_2__pi_1_ v_N #v_T ks0 old in
+ let ks2 = impl_2__pi_2_ v_N #v_T ks1 old in
+ let ks3 = impl_2__pi_3_ v_N #v_T ks2 old in
+ impl_2__pi_4_ v_N #v_T ks3 old))
+ = ()
+#pop-options
+
+(* ================================================================
+ Phase 2: Spec-side helpers (reused from the portable proof)
+ ================================================================ *)
+
+let spec_c (state: spec_state) (x: usize{x <. mk_usize 5}) : u64 =
+ ((((Hacspec_sha3.Keccak_f.get state x (mk_usize 0)) ^.
+ (Hacspec_sha3.Keccak_f.get state x (mk_usize 1))) ^.
+ (Hacspec_sha3.Keccak_f.get state x (mk_usize 2))) ^.
+ (Hacspec_sha3.Keccak_f.get state x (mk_usize 3))) ^.
+ (Hacspec_sha3.Keccak_f.get state x (mk_usize 4))
+
+let spec_d (state: spec_state) (x: usize{x <. mk_usize 5}) : u64 =
+ (spec_c state ((x +! mk_usize 4) %! mk_usize 5)) ^.
+ (Core_models.Num.impl_u64__rotate_left
+ (spec_c state ((x +! mk_usize 1) %! mk_usize 5))
+ (mk_u32 1))
+
+(* ================================================================
+ Phase 3: to_spec commutativity — theta+rho
+
+ Goal: extract_lane lc (theta_rho impl_state) l == rho(theta(extract_lane lc impl_state l))
+
+ Strategy:
+ 1. Use generic rho lemmas to know what each slot of the impl result
+ contains (in terms of abstract v_T typeclass ops)
+ 2. Apply lane-correctness to convert to scalar u64 ops
+ 3. Match against spec rho(theta(...))
+ ================================================================ *)
+
+(** Spec-side: RHO_OFFSETS values (FIPS-native layout, indexed as
+ RHO_OFFSETS[5*y + x]).
Proved by reducing [v_RHO_OFFSETS] to the
+ concrete literal array, then reading off each index via a single
+ [assert_norm] on the concrete Seq-of-list. *)
+#push-options "--z3rlimit 100"
+let lemma_rho_offsets_values (_: unit)
+ : Lemma (
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 0] == mk_u32 0 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 1] == mk_u32 1 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 2] == mk_u32 62 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 3] == mk_u32 28 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 4] == mk_u32 27 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 5] == mk_u32 36 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 6] == mk_u32 44 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 7] == mk_u32 6 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 8] == mk_u32 55 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 9] == mk_u32 20 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 10] == mk_u32 3 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 11] == mk_u32 10 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 12] == mk_u32 43 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 13] == mk_u32 25 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 14] == mk_u32 39 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 15] == mk_u32 41 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 16] == mk_u32 45 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 17] == mk_u32 15 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 18] == mk_u32 21 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 19] == mk_u32 8 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 20] == mk_u32 18 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 21] == mk_u32 2 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 22] == mk_u32 61 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 23] == mk_u32 56 /\
+ Hacspec_sha3.Keccak_f.v_RHO_OFFSETS.[mk_usize 24] == mk_u32 14)
+ = let rho_list : list u32 = [
+ mk_u32 0; mk_u32 1; mk_u32 62; mk_u32 28;
mk_u32 27;
+ mk_u32 36; mk_u32 44; mk_u32 6; mk_u32 55; mk_u32 20;
+ mk_u32 3; mk_u32 10; mk_u32 43; mk_u32 25; mk_u32 39;
+ mk_u32 41; mk_u32 45; mk_u32 15; mk_u32 21; mk_u32 8;
+ mk_u32 18; mk_u32 2; mk_u32 61; mk_u32 56; mk_u32 14 ]
+ in
+ assert_norm(List.Tot.length rho_list == 25);
+ assert (forall i. Seq.index (Hacspec_sha3.Keccak_f.v_RHO_OFFSETS) i ==
+ List.Tot.index rho_list i);
+ assert_norm ( List.Tot.index rho_list 0 == mk_u32 0 /\
+ List.Tot.index rho_list 1 == mk_u32 1 /\
+ List.Tot.index rho_list 2 == mk_u32 62 /\
+ List.Tot.index rho_list 3 == mk_u32 28 /\
+ List.Tot.index rho_list 4 == mk_u32 27 /\
+ List.Tot.index rho_list 5 == mk_u32 36 /\
+ List.Tot.index rho_list 6 == mk_u32 44 /\
+ List.Tot.index rho_list 7 == mk_u32 6 /\
+ List.Tot.index rho_list 8 == mk_u32 55 /\
+ List.Tot.index rho_list 9 == mk_u32 20 /\
+ List.Tot.index rho_list 10 == mk_u32 3 /\
+ List.Tot.index rho_list 11 == mk_u32 10 /\
+ List.Tot.index rho_list 12 == mk_u32 43 /\
+ List.Tot.index rho_list 13 == mk_u32 25 /\
+ List.Tot.index rho_list 14 == mk_u32 39 /\
+ List.Tot.index rho_list 15 == mk_u32 41 /\
+ List.Tot.index rho_list 16 == mk_u32 45 /\
+ List.Tot.index rho_list 17 == mk_u32 15 /\
+ List.Tot.index rho_list 18 == mk_u32 21 /\
+ List.Tot.index rho_list 19 == mk_u32 8 /\
+ List.Tot.index rho_list 20 == mk_u32 18 /\
+ List.Tot.index rho_list 21 == mk_u32 2 /\
+ List.Tot.index rho_list 22 == mk_u32 61 /\
+ List.Tot.index rho_list 23 == mk_u32 56 /\
+ List.Tot.index rho_list 24 == mk_u32 14)
+#pop-options
+
+(** Round constants equivalence. *)
+#push-options "--z3rlimit 200"
+let lemma_round_constants_equal (i: usize)
+ : Lemma (requires i <.
mk_usize 24)
+ (ensures Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS.[i] ==
+ Hacspec_sha3.Keccak_f.v_ROUND_CONSTANTS.[i])
+ = assert_norm (Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS ==
+ Hacspec_sha3.Keccak_f.v_ROUND_CONSTANTS)
+#pop-options
+
+let rotl_spec (x: u64) (n: u32) : u64 =
+ Core_models.Num.impl_u64__rotate_left x n
+
+(** Under the FIPS-native layout, theta XORs [state.[k]] with [d[k % 5]]
+ (column index is [k % 5], not [k / 5] as in the old transposed layout). *)
+#push-options "--z3rlimit 400"
+let lemma_rho_theta_spec (state: spec_state)
+ : Lemma
+ (let r = Hacspec_sha3.Keccak_f.rho (Hacspec_sha3.Keccak_f.theta state) in
+ r.[mk_usize 0] == rotl_spec (state.[mk_usize 0] ^. spec_d state (mk_usize 0)) (mk_u32 0) /\
+ r.[mk_usize 1] == rotl_spec (state.[mk_usize 1] ^. spec_d state (mk_usize 1)) (mk_u32 1) /\
+ r.[mk_usize 2] == rotl_spec (state.[mk_usize 2] ^. spec_d state (mk_usize 2)) (mk_u32 62) /\
+ r.[mk_usize 3] == rotl_spec (state.[mk_usize 3] ^. spec_d state (mk_usize 3)) (mk_u32 28) /\
+ r.[mk_usize 4] == rotl_spec (state.[mk_usize 4] ^. spec_d state (mk_usize 4)) (mk_u32 27) /\
+ r.[mk_usize 5] == rotl_spec (state.[mk_usize 5] ^. spec_d state (mk_usize 0)) (mk_u32 36) /\
+ r.[mk_usize 6] == rotl_spec (state.[mk_usize 6] ^. spec_d state (mk_usize 1)) (mk_u32 44) /\
+ r.[mk_usize 7] == rotl_spec (state.[mk_usize 7] ^. spec_d state (mk_usize 2)) (mk_u32 6) /\
+ r.[mk_usize 8] == rotl_spec (state.[mk_usize 8] ^. spec_d state (mk_usize 3)) (mk_u32 55) /\
+ r.[mk_usize 9] == rotl_spec (state.[mk_usize 9] ^. spec_d state (mk_usize 4)) (mk_u32 20) /\
+ r.[mk_usize 10] == rotl_spec (state.[mk_usize 10] ^. spec_d state (mk_usize 0)) (mk_u32 3) /\
+ r.[mk_usize 11] == rotl_spec (state.[mk_usize 11] ^. spec_d state (mk_usize 1)) (mk_u32 10) /\
+ r.[mk_usize 12] == rotl_spec (state.[mk_usize 12] ^. spec_d state (mk_usize 2)) (mk_u32 43) /\
+ r.[mk_usize 13] == rotl_spec (state.[mk_usize 13] ^.
spec_d state (mk_usize 3)) (mk_u32 25) /\
+ r.[mk_usize 14] == rotl_spec (state.[mk_usize 14] ^. spec_d state (mk_usize 4)) (mk_u32 39) /\
+ r.[mk_usize 15] == rotl_spec (state.[mk_usize 15] ^. spec_d state (mk_usize 0)) (mk_u32 41) /\
+ r.[mk_usize 16] == rotl_spec (state.[mk_usize 16] ^. spec_d state (mk_usize 1)) (mk_u32 45) /\
+ r.[mk_usize 17] == rotl_spec (state.[mk_usize 17] ^. spec_d state (mk_usize 2)) (mk_u32 15) /\
+ r.[mk_usize 18] == rotl_spec (state.[mk_usize 18] ^. spec_d state (mk_usize 3)) (mk_u32 21) /\
+ r.[mk_usize 19] == rotl_spec (state.[mk_usize 19] ^. spec_d state (mk_usize 4)) (mk_u32 8) /\
+ r.[mk_usize 20] == rotl_spec (state.[mk_usize 20] ^. spec_d state (mk_usize 0)) (mk_u32 18) /\
+ r.[mk_usize 21] == rotl_spec (state.[mk_usize 21] ^. spec_d state (mk_usize 1)) (mk_u32 2) /\
+ r.[mk_usize 22] == rotl_spec (state.[mk_usize 22] ^. spec_d state (mk_usize 2)) (mk_u32 61) /\
+ r.[mk_usize 23] == rotl_spec (state.[mk_usize 23] ^. spec_d state (mk_usize 3)) (mk_u32 56) /\
+ r.[mk_usize 24] == rotl_spec (state.[mk_usize 24] ^. spec_d state (mk_usize 4)) (mk_u32 14))
+ = lemma_rho_offsets_values ();
+ let ts = Hacspec_sha3.Keccak_f.theta state in
+ assert (ts.[mk_usize 0] == state.[mk_usize 0] ^. spec_d state (mk_usize 0));
+ assert (ts.[mk_usize 1] == state.[mk_usize 1] ^. spec_d state (mk_usize 1));
+ assert (ts.[mk_usize 2] == state.[mk_usize 2] ^. spec_d state (mk_usize 2));
+ assert (ts.[mk_usize 3] == state.[mk_usize 3] ^. spec_d state (mk_usize 3));
+ assert (ts.[mk_usize 4] == state.[mk_usize 4] ^. spec_d state (mk_usize 4));
+ assert (ts.[mk_usize 5] == state.[mk_usize 5] ^. spec_d state (mk_usize 0));
+ assert (ts.[mk_usize 6] == state.[mk_usize 6] ^. spec_d state (mk_usize 1));
+ assert (ts.[mk_usize 7] == state.[mk_usize 7] ^. spec_d state (mk_usize 2));
+ assert (ts.[mk_usize 8] == state.[mk_usize 8] ^. spec_d state (mk_usize 3));
+ assert (ts.[mk_usize 9] == state.[mk_usize 9] ^.
spec_d state (mk_usize 4));
+ assert (ts.[mk_usize 10] == state.[mk_usize 10] ^. spec_d state (mk_usize 0));
+ assert (ts.[mk_usize 11] == state.[mk_usize 11] ^. spec_d state (mk_usize 1));
+ assert (ts.[mk_usize 12] == state.[mk_usize 12] ^. spec_d state (mk_usize 2));
+ assert (ts.[mk_usize 13] == state.[mk_usize 13] ^. spec_d state (mk_usize 3));
+ assert (ts.[mk_usize 14] == state.[mk_usize 14] ^. spec_d state (mk_usize 4));
+ assert (ts.[mk_usize 15] == state.[mk_usize 15] ^. spec_d state (mk_usize 0));
+ assert (ts.[mk_usize 16] == state.[mk_usize 16] ^. spec_d state (mk_usize 1));
+ assert (ts.[mk_usize 17] == state.[mk_usize 17] ^. spec_d state (mk_usize 2));
+ assert (ts.[mk_usize 18] == state.[mk_usize 18] ^. spec_d state (mk_usize 3));
+ assert (ts.[mk_usize 19] == state.[mk_usize 19] ^. spec_d state (mk_usize 4));
+ assert (ts.[mk_usize 20] == state.[mk_usize 20] ^. spec_d state (mk_usize 0));
+ assert (ts.[mk_usize 21] == state.[mk_usize 21] ^. spec_d state (mk_usize 1));
+ assert (ts.[mk_usize 22] == state.[mk_usize 22] ^. spec_d state (mk_usize 2));
+ assert (ts.[mk_usize 23] == state.[mk_usize 23] ^. spec_d state (mk_usize 3));
+ assert (ts.[mk_usize 24] == state.[mk_usize 24] ^.
spec_d state (mk_usize 4))
+#pop-options
+
+#push-options "--z3rlimit 400"
+let lemma_pi_spec (state: spec_state)
+ : Lemma
+ (let p = Hacspec_sha3.Keccak_f.pi state in
+ p.[mk_usize 0] == state.[mk_usize 0] /\
+ p.[mk_usize 1] == state.[mk_usize 6] /\
+ p.[mk_usize 2] == state.[mk_usize 12] /\
+ p.[mk_usize 3] == state.[mk_usize 18] /\
+ p.[mk_usize 4] == state.[mk_usize 24] /\
+ p.[mk_usize 5] == state.[mk_usize 3] /\
+ p.[mk_usize 6] == state.[mk_usize 9] /\
+ p.[mk_usize 7] == state.[mk_usize 10] /\
+ p.[mk_usize 8] == state.[mk_usize 16] /\
+ p.[mk_usize 9] == state.[mk_usize 22] /\
+ p.[mk_usize 10] == state.[mk_usize 1] /\
+ p.[mk_usize 11] == state.[mk_usize 7] /\
+ p.[mk_usize 12] == state.[mk_usize 13] /\
+ p.[mk_usize 13] == state.[mk_usize 19] /\
+ p.[mk_usize 14] == state.[mk_usize 20] /\
+ p.[mk_usize 15] == state.[mk_usize 4] /\
+ p.[mk_usize 16] == state.[mk_usize 5] /\
+ p.[mk_usize 17] == state.[mk_usize 11] /\
+ p.[mk_usize 18] == state.[mk_usize 17] /\
+ p.[mk_usize 19] == state.[mk_usize 23] /\
+ p.[mk_usize 20] == state.[mk_usize 2] /\
+ p.[mk_usize 21] == state.[mk_usize 8] /\
+ p.[mk_usize 22] == state.[mk_usize 14] /\
+ p.[mk_usize 23] == state.[mk_usize 15] /\
+ p.[mk_usize 24] == state.[mk_usize 21])
+ = let p = normalize_term (Hacspec_sha3.Keccak_f.pi state) in
+ assert_norm (p.[mk_usize 0] == state.[mk_usize 0]);
+ assert_norm (p.[mk_usize 1] == state.[mk_usize 6]);
+ assert_norm (p.[mk_usize 2] == state.[mk_usize 12]);
+ assert_norm (p.[mk_usize 3] == state.[mk_usize 18]);
+ assert_norm (p.[mk_usize 4] == state.[mk_usize 24]);
+ assert_norm (p.[mk_usize 5] == state.[mk_usize 3]);
+ assert_norm (p.[mk_usize 6] == state.[mk_usize 9]);
+ assert_norm (p.[mk_usize 7] == state.[mk_usize 10]);
+ assert_norm (p.[mk_usize 8] == state.[mk_usize 16]);
+ assert_norm (p.[mk_usize 9] == state.[mk_usize 22]);
+ assert_norm (p.[mk_usize 10] == state.[mk_usize 1]);
+ assert_norm (p.[mk_usize 11] == state.[mk_usize 7]);
+ assert_norm (p.[mk_usize 12] ==
state.[mk_usize 13]);
+ assert_norm (p.[mk_usize 13] == state.[mk_usize 19]);
+ assert_norm (p.[mk_usize 14] == state.[mk_usize 20]);
+ assert_norm (p.[mk_usize 15] == state.[mk_usize 4]);
+ assert_norm (p.[mk_usize 16] == state.[mk_usize 5]);
+ assert_norm (p.[mk_usize 17] == state.[mk_usize 11]);
+ assert_norm (p.[mk_usize 18] == state.[mk_usize 17]);
+ assert_norm (p.[mk_usize 19] == state.[mk_usize 23]);
+ assert_norm (p.[mk_usize 20] == state.[mk_usize 2]);
+ assert_norm (p.[mk_usize 21] == state.[mk_usize 8]);
+ assert_norm (p.[mk_usize 22] == state.[mk_usize 14]);
+ assert_norm (p.[mk_usize 23] == state.[mk_usize 15]);
+ assert_norm (p.[mk_usize 24] == state.[mk_usize 21])
+#pop-options
+
+(* ================================================================
+ Phase 4: to_spec commutativity for each step
+
+ Core lemmas: extract_lane after impl step == spec step after extract_lane
+ ================================================================ *)
+
+let d_matches_spec
+ (#v_T: Type0) (v_N: usize)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (state: spec_state)
+ (l: nat{l < v v_N})
+ : Type0 =
+ lc.lane d.[mk_usize 0] l == spec_d state (mk_usize 0) /\
+ lc.lane d.[mk_usize 1] l == spec_d state (mk_usize 1) /\
+ lc.lane d.[mk_usize 2] l == spec_d state (mk_usize 2) /\
+ lc.lane d.[mk_usize 3] l == spec_d state (mk_usize 3) /\
+ lc.lane d.[mk_usize 4] l == spec_d state (mk_usize 4)
+
+#push-options "--z3rlimit 800"
+let lemma_theta_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T ks in
+ let state = extract_lane v_N lc s l in
+ ks'.Libcrux_sha3.Generic_keccak.f_st == s /\
+ d_matches_spec v_N lc d
state l)
+ = let open Libcrux_sha3.Generic_keccak in
+ let s = ks.f_st in
+ let ks', d = impl_2__theta v_N #v_T ks in
+ lemma_theta_generic v_N ks;
+ let c0 = Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst
+ s.[mk_usize 0] s.[mk_usize 5] s.[mk_usize 10] s.[mk_usize 15] s.[mk_usize 20] in
+ let c1 = Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst
+ s.[mk_usize 1] s.[mk_usize 6] s.[mk_usize 11] s.[mk_usize 16] s.[mk_usize 21] in
+ let c2 = Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst
+ s.[mk_usize 2] s.[mk_usize 7] s.[mk_usize 12] s.[mk_usize 17] s.[mk_usize 22] in
+ let c3 = Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst
+ s.[mk_usize 3] s.[mk_usize 8] s.[mk_usize 13] s.[mk_usize 18] s.[mk_usize 23] in
+ let c4 = Libcrux_sha3.Traits.f_xor5 #v_T #v_N #inst
+ s.[mk_usize 4] s.[mk_usize 9] s.[mk_usize 14] s.[mk_usize 19] s.[mk_usize 24] in
+ lane_xor5 v_N lc s.[mk_usize 0] s.[mk_usize 5] s.[mk_usize 10] s.[mk_usize 15] s.[mk_usize 20] l;
+ lane_xor5 v_N lc s.[mk_usize 1] s.[mk_usize 6] s.[mk_usize 11] s.[mk_usize 16] s.[mk_usize 21] l;
+ lane_xor5 v_N lc s.[mk_usize 2] s.[mk_usize 7] s.[mk_usize 12] s.[mk_usize 17] s.[mk_usize 22] l;
+ lane_xor5 v_N lc s.[mk_usize 3] s.[mk_usize 8] s.[mk_usize 13] s.[mk_usize 18] s.[mk_usize 23] l;
+ lane_xor5 v_N lc s.[mk_usize 4] s.[mk_usize 9] s.[mk_usize 14] s.[mk_usize 19] s.[mk_usize 24] l;
+ let state = extract_lane v_N lc s l in
+ assert (lc.lane c0 l == spec_c state (mk_usize 0));
+ assert (lc.lane c1 l == spec_c state (mk_usize 1));
+ assert (lc.lane c2 l == spec_c state (mk_usize 2));
+ assert (lc.lane c3 l == spec_c state (mk_usize 3));
+ assert (lc.lane c4 l == spec_c state (mk_usize 4));
+ lane_rotate_left1_and_xor v_N lc c4 c1 l;
+ lane_rotate_left1_and_xor v_N lc c0 c2 l;
+ lane_rotate_left1_and_xor v_N lc c1 c3 l;
+ lane_rotate_left1_and_xor v_N lc c2 c4 l;
+ lane_rotate_left1_and_xor v_N lc c3 c0 l;
+ assert (lc.lane d.[mk_usize 0] l == spec_d state (mk_usize 0));
+ assert (lc.lane d.[mk_usize 1] l == spec_d state (mk_usize 1));
+
assert (lc.lane d.[mk_usize 2] l == spec_d state (mk_usize 2));
+ assert (lc.lane d.[mk_usize 3] l == spec_d state (mk_usize 3));
+ assert (lc.lane d.[mk_usize 4] l == spec_d state (mk_usize 4))
+#pop-options
+
+#push-options "--z3rlimit 800"
+let lemma_rho_0_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let r = extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d).Libcrux_sha3.Generic_keccak.f_st l in
+ r.[mk_usize 0] == s.[mk_usize 0] ^. lc.lane d.[mk_usize 0] l /\
+ r.[mk_usize 5] == rotl_spec (s.[mk_usize 5] ^. lc.lane d.[mk_usize 0] l) (mk_u32 36) /\
+ r.[mk_usize 10] == rotl_spec (s.[mk_usize 10] ^. lc.lane d.[mk_usize 0] l) (mk_u32 3) /\
+ r.[mk_usize 15] == rotl_spec (s.[mk_usize 15] ^. lc.lane d.[mk_usize 0] l) (mk_u32 41) /\
+ r.[mk_usize 20] == rotl_spec (s.[mk_usize 20] ^.
lc.lane d.[mk_usize 0] l) (mk_u32 18) /\
+ r.[mk_usize 1] == s.[mk_usize 1] /\ r.[mk_usize 2] == s.[mk_usize 2] /\
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 6] == s.[mk_usize 6] /\ r.[mk_usize 7] == s.[mk_usize 7] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 11] == s.[mk_usize 11] /\ r.[mk_usize 12] == s.[mk_usize 12] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 16] == s.[mk_usize 16] /\ r.[mk_usize 17] == s.[mk_usize 17] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 21] == s.[mk_usize 21] /\ r.[mk_usize 22] == s.[mk_usize 22] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = let open Libcrux_sha3.Generic_keccak in
+ lemma_rho_0_generic v_N ks d;
+ lane_xor v_N lc ks.f_st.[mk_usize 0] d.[mk_usize 0] l;
+ lane_xor_and_rotate v_N lc (mk_i32 36) (mk_i32 28) ks.f_st.[mk_usize 5] d.[mk_usize 0] l;
+ lane_xor_and_rotate v_N lc (mk_i32 3) (mk_i32 61) ks.f_st.[mk_usize 10] d.[mk_usize 0] l;
+ lane_xor_and_rotate v_N lc (mk_i32 41) (mk_i32 23) ks.f_st.[mk_usize 15] d.[mk_usize 0] l;
+ lane_xor_and_rotate v_N lc (mk_i32 18) (mk_i32 46) ks.f_st.[mk_usize 20] d.[mk_usize 0] l
+#pop-options
+
+#push-options "--z3rlimit 800"
+let lemma_rho_1_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let r = extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__rho_1_ v_N #v_T ks d).Libcrux_sha3.Generic_keccak.f_st l in
+ r.[mk_usize 1] == rotl_spec (s.[mk_usize 1] ^. lc.lane d.[mk_usize 1] l) (mk_u32 1) /\
+ r.[mk_usize 6] == rotl_spec (s.[mk_usize 6] ^.
lc.lane d.[mk_usize 1] l) (mk_u32 44) /\
+ r.[mk_usize 11] == rotl_spec (s.[mk_usize 11] ^. lc.lane d.[mk_usize 1] l) (mk_u32 10) /\
+ r.[mk_usize 16] == rotl_spec (s.[mk_usize 16] ^. lc.lane d.[mk_usize 1] l) (mk_u32 45) /\
+ r.[mk_usize 21] == rotl_spec (s.[mk_usize 21] ^. lc.lane d.[mk_usize 1] l) (mk_u32 2) /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 2] == s.[mk_usize 2] /\
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 7] == s.[mk_usize 7] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 12] == s.[mk_usize 12] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 17] == s.[mk_usize 17] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 22] == s.[mk_usize 22] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = let open Libcrux_sha3.Generic_keccak in
+ lemma_rho_1_generic v_N ks d;
+ lane_xor_and_rotate v_N lc (mk_i32 1) (mk_i32 63) ks.f_st.[mk_usize 1] d.[mk_usize 1] l;
+ lane_xor_and_rotate v_N lc (mk_i32 44) (mk_i32 20) ks.f_st.[mk_usize 6] d.[mk_usize 1] l;
+ lane_xor_and_rotate v_N lc (mk_i32 10) (mk_i32 54) ks.f_st.[mk_usize 11] d.[mk_usize 1] l;
+ lane_xor_and_rotate v_N lc (mk_i32 45) (mk_i32 19) ks.f_st.[mk_usize 16] d.[mk_usize 1] l;
+ lane_xor_and_rotate v_N lc (mk_i32 2) (mk_i32 62) ks.f_st.[mk_usize 21] d.[mk_usize 1] l
+#pop-options
+
+#push-options "--z3rlimit 800"
+let lemma_rho_2_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st
l in
+ let r = extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__rho_2_ v_N #v_T ks d).Libcrux_sha3.Generic_keccak.f_st l in
+ r.[mk_usize 2] == rotl_spec (s.[mk_usize 2] ^. lc.lane d.[mk_usize 2] l) (mk_u32 62) /\
+ r.[mk_usize 7] == rotl_spec (s.[mk_usize 7] ^. lc.lane d.[mk_usize 2] l) (mk_u32 6) /\
+ r.[mk_usize 12] == rotl_spec (s.[mk_usize 12] ^. lc.lane d.[mk_usize 2] l) (mk_u32 43) /\
+ r.[mk_usize 17] == rotl_spec (s.[mk_usize 17] ^. lc.lane d.[mk_usize 2] l) (mk_u32 15) /\
+ r.[mk_usize 22] == rotl_spec (s.[mk_usize 22] ^. lc.lane d.[mk_usize 2] l) (mk_u32 61) /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = let open Libcrux_sha3.Generic_keccak in
+ lemma_rho_2_generic v_N ks d;
+ lane_xor_and_rotate v_N lc (mk_i32 62) (mk_i32 2) ks.f_st.[mk_usize 2] d.[mk_usize 2] l;
+ lane_xor_and_rotate v_N lc (mk_i32 6) (mk_i32 58) ks.f_st.[mk_usize 7] d.[mk_usize 2] l;
+ lane_xor_and_rotate v_N lc (mk_i32 43) (mk_i32 21) ks.f_st.[mk_usize 12] d.[mk_usize 2] l;
+ lane_xor_and_rotate v_N lc (mk_i32 15) (mk_i32 49) ks.f_st.[mk_usize 17] d.[mk_usize 2] l;
+ lane_xor_and_rotate v_N lc (mk_i32 61) (mk_i32 3) ks.f_st.[mk_usize 22] d.[mk_usize 2] l
+#pop-options
+
+#push-options "--z3rlimit 800"
+let lemma_rho_3_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {|
inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let r = extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__rho_3_ v_N #v_T ks d).Libcrux_sha3.Generic_keccak.f_st l in
+ r.[mk_usize 3] == rotl_spec (s.[mk_usize 3] ^. lc.lane d.[mk_usize 3] l) (mk_u32 28) /\
+ r.[mk_usize 8] == rotl_spec (s.[mk_usize 8] ^. lc.lane d.[mk_usize 3] l) (mk_u32 55) /\
+ r.[mk_usize 13] == rotl_spec (s.[mk_usize 13] ^. lc.lane d.[mk_usize 3] l) (mk_u32 25) /\
+ r.[mk_usize 18] == rotl_spec (s.[mk_usize 18] ^. lc.lane d.[mk_usize 3] l) (mk_u32 21) /\
+ r.[mk_usize 23] == rotl_spec (s.[mk_usize 23] ^. lc.lane d.[mk_usize 3] l) (mk_u32 56) /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 2] == s.[mk_usize 2] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 7] == s.[mk_usize 7] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 12] == s.[mk_usize 12] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 17] == s.[mk_usize 17] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 22] == s.[mk_usize 22] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = let open Libcrux_sha3.Generic_keccak in
+ lemma_rho_3_generic v_N ks d;
+ lane_xor_and_rotate v_N lc (mk_i32 28) (mk_i32 36) ks.f_st.[mk_usize 3] d.[mk_usize 3] l;
+ lane_xor_and_rotate v_N lc (mk_i32 55) (mk_i32 9) ks.f_st.[mk_usize 8] d.[mk_usize 3] l;
+ lane_xor_and_rotate v_N lc (mk_i32 25) (mk_i32 39) ks.f_st.[mk_usize 13] d.[mk_usize 3] l;
+ lane_xor_and_rotate
v_N lc (mk_i32 21) (mk_i32 43) ks.f_st.[mk_usize 18] d.[mk_usize 3] l;
+ lane_xor_and_rotate v_N lc (mk_i32 56) (mk_i32 8) ks.f_st.[mk_usize 23] d.[mk_usize 3] l
+#pop-options
+
+#push-options "--z3rlimit 800"
+let lemma_rho_4_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let r = extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__rho_4_ v_N #v_T ks d).Libcrux_sha3.Generic_keccak.f_st l in
+ r.[mk_usize 4] == rotl_spec (s.[mk_usize 4] ^. lc.lane d.[mk_usize 4] l) (mk_u32 27) /\
+ r.[mk_usize 9] == rotl_spec (s.[mk_usize 9] ^. lc.lane d.[mk_usize 4] l) (mk_u32 20) /\
+ r.[mk_usize 14] == rotl_spec (s.[mk_usize 14] ^. lc.lane d.[mk_usize 4] l) (mk_u32 39) /\
+ r.[mk_usize 19] == rotl_spec (s.[mk_usize 19] ^. lc.lane d.[mk_usize 4] l) (mk_u32 8) /\
+ r.[mk_usize 24] == rotl_spec (s.[mk_usize 24] ^.
lc.lane d.[mk_usize 4] l) (mk_u32 14) /\
+ r.[mk_usize 0] == s.[mk_usize 0] /\ r.[mk_usize 1] == s.[mk_usize 1] /\
+ r.[mk_usize 2] == s.[mk_usize 2] /\ r.[mk_usize 3] == s.[mk_usize 3] /\
+ r.[mk_usize 5] == s.[mk_usize 5] /\ r.[mk_usize 6] == s.[mk_usize 6] /\
+ r.[mk_usize 7] == s.[mk_usize 7] /\ r.[mk_usize 8] == s.[mk_usize 8] /\
+ r.[mk_usize 10] == s.[mk_usize 10] /\ r.[mk_usize 11] == s.[mk_usize 11] /\
+ r.[mk_usize 12] == s.[mk_usize 12] /\ r.[mk_usize 13] == s.[mk_usize 13] /\
+ r.[mk_usize 15] == s.[mk_usize 15] /\ r.[mk_usize 16] == s.[mk_usize 16] /\
+ r.[mk_usize 17] == s.[mk_usize 17] /\ r.[mk_usize 18] == s.[mk_usize 18] /\
+ r.[mk_usize 20] == s.[mk_usize 20] /\ r.[mk_usize 21] == s.[mk_usize 21] /\
+ r.[mk_usize 22] == s.[mk_usize 22] /\ r.[mk_usize 23] == s.[mk_usize 23])
+ = let open Libcrux_sha3.Generic_keccak in
+ lemma_rho_4_generic v_N ks d;
+ lane_xor_and_rotate v_N lc (mk_i32 27) (mk_i32 37) ks.f_st.[mk_usize 4] d.[mk_usize 4] l;
+ lane_xor_and_rotate v_N lc (mk_i32 20) (mk_i32 44) ks.f_st.[mk_usize 9] d.[mk_usize 4] l;
+ lane_xor_and_rotate v_N lc (mk_i32 39) (mk_i32 25) ks.f_st.[mk_usize 14] d.[mk_usize 4] l;
+ lane_xor_and_rotate v_N lc (mk_i32 8) (mk_i32 56) ks.f_st.[mk_usize 19] d.[mk_usize 4] l;
+ lane_xor_and_rotate v_N lc (mk_i32 14) (mk_i32 50) ks.f_st.[mk_usize 24] d.[mk_usize 4] l
+#pop-options
+
+(** Cumulative rho lemmas: each [lemma_rho_thru_N_extract_lane] describes
+ the state after composing [rho_0_; rho_1_; ...; rho_N_] on the same
+ input [ks] and [d]. The final [lemma_rho_thru_4_extract_lane] gives
+ all 25 positions of [impl_2__rho ks d] in closed form, which lets
+ [lemma_theta_rho_to_spec] finish via a single [eq_intro].
*)
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 1200"
+let lemma_rho_thru_1_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let ks0 = Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d in
+ let ks1 = Libcrux_sha3.Generic_keccak.impl_2__rho_1_ v_N #v_T ks0 d in
+ let r = extract_lane v_N lc ks1.Libcrux_sha3.Generic_keccak.f_st l in
+ (* Column 0 final *)
+ r.[mk_usize 0] == s.[mk_usize 0] ^. lc.lane d.[mk_usize 0] l /\
+ r.[mk_usize 5] == rotl_spec (s.[mk_usize 5] ^. lc.lane d.[mk_usize 0] l) (mk_u32 36) /\
+ r.[mk_usize 10] == rotl_spec (s.[mk_usize 10] ^. lc.lane d.[mk_usize 0] l) (mk_u32 3) /\
+ r.[mk_usize 15] == rotl_spec (s.[mk_usize 15] ^. lc.lane d.[mk_usize 0] l) (mk_u32 41) /\
+ r.[mk_usize 20] == rotl_spec (s.[mk_usize 20] ^. lc.lane d.[mk_usize 0] l) (mk_u32 18) /\
+ (* Column 1 final *)
+ r.[mk_usize 1] == rotl_spec (s.[mk_usize 1] ^. lc.lane d.[mk_usize 1] l) (mk_u32 1) /\
+ r.[mk_usize 6] == rotl_spec (s.[mk_usize 6] ^. lc.lane d.[mk_usize 1] l) (mk_u32 44) /\
+ r.[mk_usize 11] == rotl_spec (s.[mk_usize 11] ^. lc.lane d.[mk_usize 1] l) (mk_u32 10) /\
+ r.[mk_usize 16] == rotl_spec (s.[mk_usize 16] ^. lc.lane d.[mk_usize 1] l) (mk_u32 45) /\
+ r.[mk_usize 21] == rotl_spec (s.[mk_usize 21] ^.
lc.lane d.[mk_usize 1] l) (mk_u32 2) /\
+ (* Columns 2, 3, 4 unchanged *)
+ r.[mk_usize 2] == s.[mk_usize 2] /\ r.[mk_usize 3] == s.[mk_usize 3] /\
+ r.[mk_usize 4] == s.[mk_usize 4] /\ r.[mk_usize 7] == s.[mk_usize 7] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 12] == s.[mk_usize 12] /\ r.[mk_usize 13] == s.[mk_usize 13] /\
+ r.[mk_usize 14] == s.[mk_usize 14] /\ r.[mk_usize 17] == s.[mk_usize 17] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 22] == s.[mk_usize 22] /\ r.[mk_usize 23] == s.[mk_usize 23] /\
+ r.[mk_usize 24] == s.[mk_usize 24])
+ = let ks0 = Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d in
+ lemma_rho_0_extract_lane v_N lc ks d l;
+ lemma_rho_1_extract_lane v_N lc ks0 d l
+#pop-options
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 1200"
+let lemma_rho_thru_2_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let ks0 = Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d in
+ let ks1 = Libcrux_sha3.Generic_keccak.impl_2__rho_1_ v_N #v_T ks0 d in
+ let ks2 = Libcrux_sha3.Generic_keccak.impl_2__rho_2_ v_N #v_T ks1 d in
+ let r = extract_lane v_N lc ks2.Libcrux_sha3.Generic_keccak.f_st l in
+ (* Column 0 final *)
+ r.[mk_usize 0] == s.[mk_usize 0] ^. lc.lane d.[mk_usize 0] l /\
+ r.[mk_usize 5] == rotl_spec (s.[mk_usize 5] ^. lc.lane d.[mk_usize 0] l) (mk_u32 36) /\
+ r.[mk_usize 10] == rotl_spec (s.[mk_usize 10] ^. lc.lane d.[mk_usize 0] l) (mk_u32 3) /\
+ r.[mk_usize 15] == rotl_spec (s.[mk_usize 15] ^. lc.lane d.[mk_usize 0] l) (mk_u32 41) /\
+ r.[mk_usize 20] == rotl_spec (s.[mk_usize 20] ^.
lc.lane d.[mk_usize 0] l) (mk_u32 18) /\
+ (* Column 1 final *)
+ r.[mk_usize 1] == rotl_spec (s.[mk_usize 1] ^. lc.lane d.[mk_usize 1] l) (mk_u32 1) /\
+ r.[mk_usize 6] == rotl_spec (s.[mk_usize 6] ^. lc.lane d.[mk_usize 1] l) (mk_u32 44) /\
+ r.[mk_usize 11] == rotl_spec (s.[mk_usize 11] ^. lc.lane d.[mk_usize 1] l) (mk_u32 10) /\
+ r.[mk_usize 16] == rotl_spec (s.[mk_usize 16] ^. lc.lane d.[mk_usize 1] l) (mk_u32 45) /\
+ r.[mk_usize 21] == rotl_spec (s.[mk_usize 21] ^. lc.lane d.[mk_usize 1] l) (mk_u32 2) /\
+ (* Column 2 final *)
+ r.[mk_usize 2] == rotl_spec (s.[mk_usize 2] ^. lc.lane d.[mk_usize 2] l) (mk_u32 62) /\
+ r.[mk_usize 7] == rotl_spec (s.[mk_usize 7] ^. lc.lane d.[mk_usize 2] l) (mk_u32 6) /\
+ r.[mk_usize 12] == rotl_spec (s.[mk_usize 12] ^. lc.lane d.[mk_usize 2] l) (mk_u32 43) /\
+ r.[mk_usize 17] == rotl_spec (s.[mk_usize 17] ^. lc.lane d.[mk_usize 2] l) (mk_u32 15) /\
+ r.[mk_usize 22] == rotl_spec (s.[mk_usize 22] ^. lc.lane d.[mk_usize 2] l) (mk_u32 61) /\
+ (* Columns 3, 4 unchanged *)
+ r.[mk_usize 3] == s.[mk_usize 3] /\ r.[mk_usize 4] == s.[mk_usize 4] /\
+ r.[mk_usize 8] == s.[mk_usize 8] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 13] == s.[mk_usize 13] /\ r.[mk_usize 14] == s.[mk_usize 14] /\
+ r.[mk_usize 18] == s.[mk_usize 18] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 23] == s.[mk_usize 23] /\ r.[mk_usize 24] == s.[mk_usize 24])
+ = let ks0 = Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d in
+ let ks1 = Libcrux_sha3.Generic_keccak.impl_2__rho_1_ v_N #v_T ks0 d in
+ lemma_rho_thru_1_extract_lane v_N lc ks d l;
+ lemma_rho_2_extract_lane v_N lc ks1 d l
+#pop-options
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 1600"
+let lemma_rho_thru_3_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s =
extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let ks0 = Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d in
+ let ks1 = Libcrux_sha3.Generic_keccak.impl_2__rho_1_ v_N #v_T ks0 d in
+ let ks2 = Libcrux_sha3.Generic_keccak.impl_2__rho_2_ v_N #v_T ks1 d in
+ let ks3 = Libcrux_sha3.Generic_keccak.impl_2__rho_3_ v_N #v_T ks2 d in
+ let r = extract_lane v_N lc ks3.Libcrux_sha3.Generic_keccak.f_st l in
+ (* Column 0 final *)
+ r.[mk_usize 0] == s.[mk_usize 0] ^. lc.lane d.[mk_usize 0] l /\
+ r.[mk_usize 5] == rotl_spec (s.[mk_usize 5] ^. lc.lane d.[mk_usize 0] l) (mk_u32 36) /\
+ r.[mk_usize 10] == rotl_spec (s.[mk_usize 10] ^. lc.lane d.[mk_usize 0] l) (mk_u32 3) /\
+ r.[mk_usize 15] == rotl_spec (s.[mk_usize 15] ^. lc.lane d.[mk_usize 0] l) (mk_u32 41) /\
+ r.[mk_usize 20] == rotl_spec (s.[mk_usize 20] ^. lc.lane d.[mk_usize 0] l) (mk_u32 18) /\
+ (* Column 1 final *)
+ r.[mk_usize 1] == rotl_spec (s.[mk_usize 1] ^. lc.lane d.[mk_usize 1] l) (mk_u32 1) /\
+ r.[mk_usize 6] == rotl_spec (s.[mk_usize 6] ^. lc.lane d.[mk_usize 1] l) (mk_u32 44) /\
+ r.[mk_usize 11] == rotl_spec (s.[mk_usize 11] ^. lc.lane d.[mk_usize 1] l) (mk_u32 10) /\
+ r.[mk_usize 16] == rotl_spec (s.[mk_usize 16] ^. lc.lane d.[mk_usize 1] l) (mk_u32 45) /\
+ r.[mk_usize 21] == rotl_spec (s.[mk_usize 21] ^. lc.lane d.[mk_usize 1] l) (mk_u32 2) /\
+ (* Column 2 final *)
+ r.[mk_usize 2] == rotl_spec (s.[mk_usize 2] ^. lc.lane d.[mk_usize 2] l) (mk_u32 62) /\
+ r.[mk_usize 7] == rotl_spec (s.[mk_usize 7] ^. lc.lane d.[mk_usize 2] l) (mk_u32 6) /\
+ r.[mk_usize 12] == rotl_spec (s.[mk_usize 12] ^. lc.lane d.[mk_usize 2] l) (mk_u32 43) /\
+ r.[mk_usize 17] == rotl_spec (s.[mk_usize 17] ^. lc.lane d.[mk_usize 2] l) (mk_u32 15) /\
+ r.[mk_usize 22] == rotl_spec (s.[mk_usize 22] ^. lc.lane d.[mk_usize 2] l) (mk_u32 61) /\
+ (* Column 3 final *)
+ r.[mk_usize 3] == rotl_spec (s.[mk_usize 3] ^. lc.lane d.[mk_usize 3] l) (mk_u32 28) /\
+ r.[mk_usize 8] == rotl_spec (s.[mk_usize 8] ^.
lc.lane d.[mk_usize 3] l) (mk_u32 55) /\
+ r.[mk_usize 13] == rotl_spec (s.[mk_usize 13] ^. lc.lane d.[mk_usize 3] l) (mk_u32 25) /\
+ r.[mk_usize 18] == rotl_spec (s.[mk_usize 18] ^. lc.lane d.[mk_usize 3] l) (mk_u32 21) /\
+ r.[mk_usize 23] == rotl_spec (s.[mk_usize 23] ^. lc.lane d.[mk_usize 3] l) (mk_u32 56) /\
+ (* Column 4 unchanged *)
+ r.[mk_usize 4] == s.[mk_usize 4] /\ r.[mk_usize 9] == s.[mk_usize 9] /\
+ r.[mk_usize 14] == s.[mk_usize 14] /\ r.[mk_usize 19] == s.[mk_usize 19] /\
+ r.[mk_usize 24] == s.[mk_usize 24])
+ = let ks0 = Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d in
+ let ks1 = Libcrux_sha3.Generic_keccak.impl_2__rho_1_ v_N #v_T ks0 d in
+ let ks2 = Libcrux_sha3.Generic_keccak.impl_2__rho_2_ v_N #v_T ks1 d in
+ lemma_rho_thru_2_extract_lane v_N lc ks d l;
+ lemma_rho_3_extract_lane v_N lc ks2 d l
+#pop-options
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 1600"
+let lemma_rho_thru_4_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (d: t_Array v_T (mk_usize 5))
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let r = extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__rho v_N #v_T ks d)
+ .Libcrux_sha3.Generic_keccak.f_st l in
+ (* All 25 positions final: rotl_spec(s.[k] ^. d.[k % 5]_l, RHO_OFFSETS[k]) *)
+ r.[mk_usize 0] == s.[mk_usize 0] ^. lc.lane d.[mk_usize 0] l /\
+ r.[mk_usize 1] == rotl_spec (s.[mk_usize 1] ^. lc.lane d.[mk_usize 1] l) (mk_u32 1) /\
+ r.[mk_usize 2] == rotl_spec (s.[mk_usize 2] ^. lc.lane d.[mk_usize 2] l) (mk_u32 62) /\
+ r.[mk_usize 3] == rotl_spec (s.[mk_usize 3] ^. lc.lane d.[mk_usize 3] l) (mk_u32 28) /\
+ r.[mk_usize 4] == rotl_spec (s.[mk_usize 4] ^. lc.lane d.[mk_usize 4] l) (mk_u32 27) /\
+ r.[mk_usize 5] == rotl_spec (s.[mk_usize 5] ^.
lc.lane d.[mk_usize 0] l) (mk_u32 36) /\
+ r.[mk_usize 6] == rotl_spec (s.[mk_usize 6] ^. lc.lane d.[mk_usize 1] l) (mk_u32 44) /\
+ r.[mk_usize 7] == rotl_spec (s.[mk_usize 7] ^. lc.lane d.[mk_usize 2] l) (mk_u32 6) /\
+ r.[mk_usize 8] == rotl_spec (s.[mk_usize 8] ^. lc.lane d.[mk_usize 3] l) (mk_u32 55) /\
+ r.[mk_usize 9] == rotl_spec (s.[mk_usize 9] ^. lc.lane d.[mk_usize 4] l) (mk_u32 20) /\
+ r.[mk_usize 10] == rotl_spec (s.[mk_usize 10] ^. lc.lane d.[mk_usize 0] l) (mk_u32 3) /\
+ r.[mk_usize 11] == rotl_spec (s.[mk_usize 11] ^. lc.lane d.[mk_usize 1] l) (mk_u32 10) /\
+ r.[mk_usize 12] == rotl_spec (s.[mk_usize 12] ^. lc.lane d.[mk_usize 2] l) (mk_u32 43) /\
+ r.[mk_usize 13] == rotl_spec (s.[mk_usize 13] ^. lc.lane d.[mk_usize 3] l) (mk_u32 25) /\
+ r.[mk_usize 14] == rotl_spec (s.[mk_usize 14] ^. lc.lane d.[mk_usize 4] l) (mk_u32 39) /\
+ r.[mk_usize 15] == rotl_spec (s.[mk_usize 15] ^. lc.lane d.[mk_usize 0] l) (mk_u32 41) /\
+ r.[mk_usize 16] == rotl_spec (s.[mk_usize 16] ^. lc.lane d.[mk_usize 1] l) (mk_u32 45) /\
+ r.[mk_usize 17] == rotl_spec (s.[mk_usize 17] ^. lc.lane d.[mk_usize 2] l) (mk_u32 15) /\
+ r.[mk_usize 18] == rotl_spec (s.[mk_usize 18] ^. lc.lane d.[mk_usize 3] l) (mk_u32 21) /\
+ r.[mk_usize 19] == rotl_spec (s.[mk_usize 19] ^. lc.lane d.[mk_usize 4] l) (mk_u32 8) /\
+ r.[mk_usize 20] == rotl_spec (s.[mk_usize 20] ^. lc.lane d.[mk_usize 0] l) (mk_u32 18) /\
+ r.[mk_usize 21] == rotl_spec (s.[mk_usize 21] ^. lc.lane d.[mk_usize 1] l) (mk_u32 2) /\
+ r.[mk_usize 22] == rotl_spec (s.[mk_usize 22] ^. lc.lane d.[mk_usize 2] l) (mk_u32 61) /\
+ r.[mk_usize 23] == rotl_spec (s.[mk_usize 23] ^. lc.lane d.[mk_usize 3] l) (mk_u32 56) /\
+ r.[mk_usize 24] == rotl_spec (s.[mk_usize 24] ^.
lc.lane d.[mk_usize 4] l) (mk_u32 14)) + = let ks0 = Libcrux_sha3.Generic_keccak.impl_2__rho_0_ v_N #v_T ks d in + let ks1 = Libcrux_sha3.Generic_keccak.impl_2__rho_1_ v_N #v_T ks0 d in + let ks2 = Libcrux_sha3.Generic_keccak.impl_2__rho_2_ v_N #v_T ks1 d in + let ks3 = Libcrux_sha3.Generic_keccak.impl_2__rho_3_ v_N #v_T ks2 d in + lemma_rho_unfold_generic v_N ks d; + lemma_rho_thru_3_extract_lane v_N lc ks d l; + lemma_rho_4_extract_lane v_N lc ks3 d l +#pop-options + +(** Theta+Rho commutativity: + extract_lane lc (rho(theta(ks))).f_st l == rho(theta(extract_lane lc ks.f_st l)) + + The cumulative [lemma_rho_thru_4_extract_lane] carries all 25 positions + of [impl_2__rho ks' d] in closed form. Combined with [lemma_theta_extract_lane] + (which shows [ks'.f_st == s] and [d_matches_spec]) and [lemma_rho_theta_spec] + (spec-side 25-position result with matching offsets), the goal reduces to + pointwise equality + [eq_intro]. *) + +(* Theta+Rho commutativity (factored as 5 row-helpers + a dispatcher). + + The cumulative [lemma_rho_thru_4_extract_lane] supplies all 25 impl-side + per-index equalities; [lemma_rho_theta_spec] supplies the matching 25 + spec-side ones; [lemma_theta_extract_lane] bridges the two via + [d_matches_spec]. The remaining work is just lifting 25 in-scope + pointwise equalities to a forall for [eq_intro]. + + Prior attempts that fed all 25 asserts to a single [eq_intro] timed out + on the forall-precondition consolidation (see proof_milestones.md + Note A). The fix is to split the post into 5 row-shaped 5-conjunct + sub-goals (each closes monolithically) and assemble with a 5-way + case-split on [i / 5]. 
*)
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 400"
+let lemma_theta_rho_row_0_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T ks in
+ let ks'' = Libcrux_sha3.Generic_keccak.impl_2__rho v_N #v_T ks' d in
+ let lhs = extract_lane v_N lc ks''.Libcrux_sha3.Generic_keccak.f_st l in
+ let rhs = Hacspec_sha3.Keccak_f.rho
+ (Hacspec_sha3.Keccak_f.theta (extract_lane v_N lc s l)) in
+ lhs.[mk_usize 0] == rhs.[mk_usize 0] /\
+ lhs.[mk_usize 1] == rhs.[mk_usize 1] /\
+ lhs.[mk_usize 2] == rhs.[mk_usize 2] /\
+ lhs.[mk_usize 3] == rhs.[mk_usize 3] /\
+ lhs.[mk_usize 4] == rhs.[mk_usize 4])
+ = let open Libcrux_sha3.Generic_keccak in
+ let s = ks.f_st in
+ let ks', d = impl_2__theta v_N #v_T ks in
+ let state = extract_lane v_N lc s l in
+ lemma_theta_extract_lane v_N lc ks l;
+ lemma_rho_thru_4_extract_lane v_N lc ks' d l;
+ lemma_rho_theta_spec state;
+ Lemmas.lemma_rotate_left_zero (state.[mk_usize 0] ^.
spec_d state (mk_usize 0))
+#pop-options
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 400"
+let lemma_theta_rho_row_1_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T ks in
+ let ks'' = Libcrux_sha3.Generic_keccak.impl_2__rho v_N #v_T ks' d in
+ let lhs = extract_lane v_N lc ks''.Libcrux_sha3.Generic_keccak.f_st l in
+ let rhs = Hacspec_sha3.Keccak_f.rho
+ (Hacspec_sha3.Keccak_f.theta (extract_lane v_N lc s l)) in
+ lhs.[mk_usize 5] == rhs.[mk_usize 5] /\
+ lhs.[mk_usize 6] == rhs.[mk_usize 6] /\
+ lhs.[mk_usize 7] == rhs.[mk_usize 7] /\
+ lhs.[mk_usize 8] == rhs.[mk_usize 8] /\
+ lhs.[mk_usize 9] == rhs.[mk_usize 9])
+ = let open Libcrux_sha3.Generic_keccak in
+ let s = ks.f_st in
+ let ks', d = impl_2__theta v_N #v_T ks in
+ let state = extract_lane v_N lc s l in
+ lemma_theta_extract_lane v_N lc ks l;
+ lemma_rho_thru_4_extract_lane v_N lc ks' d l;
+ lemma_rho_theta_spec state
+#pop-options
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 400"
+let lemma_theta_rho_row_2_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T ks in
+ let ks'' = Libcrux_sha3.Generic_keccak.impl_2__rho v_N #v_T ks' d in
+ let lhs = extract_lane v_N lc ks''.Libcrux_sha3.Generic_keccak.f_st l in
+ let rhs = Hacspec_sha3.Keccak_f.rho
+ (Hacspec_sha3.Keccak_f.theta (extract_lane v_N lc s l)) in
+ lhs.[mk_usize 10] == rhs.[mk_usize 10] /\
+ lhs.[mk_usize 11] == rhs.[mk_usize 11] /\
+ lhs.[mk_usize 12] == rhs.[mk_usize 12] /\ +
lhs.[mk_usize 13] == rhs.[mk_usize 13] /\
+ lhs.[mk_usize 14] == rhs.[mk_usize 14])
+ = let open Libcrux_sha3.Generic_keccak in
+ let s = ks.f_st in
+ let ks', d = impl_2__theta v_N #v_T ks in
+ let state = extract_lane v_N lc s l in
+ lemma_theta_extract_lane v_N lc ks l;
+ lemma_rho_thru_4_extract_lane v_N lc ks' d l;
+ lemma_rho_theta_spec state
+#pop-options
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 400"
+let lemma_theta_rho_row_3_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T ks in
+ let ks'' = Libcrux_sha3.Generic_keccak.impl_2__rho v_N #v_T ks' d in
+ let lhs = extract_lane v_N lc ks''.Libcrux_sha3.Generic_keccak.f_st l in
+ let rhs = Hacspec_sha3.Keccak_f.rho
+ (Hacspec_sha3.Keccak_f.theta (extract_lane v_N lc s l)) in
+ lhs.[mk_usize 15] == rhs.[mk_usize 15] /\
+ lhs.[mk_usize 16] == rhs.[mk_usize 16] /\
+ lhs.[mk_usize 17] == rhs.[mk_usize 17] /\
+ lhs.[mk_usize 18] == rhs.[mk_usize 18] /\
+ lhs.[mk_usize 19] == rhs.[mk_usize 19])
+ = let open Libcrux_sha3.Generic_keccak in
+ let s = ks.f_st in
+ let ks', d = impl_2__theta v_N #v_T ks in
+ let state = extract_lane v_N lc s l in
+ lemma_theta_extract_lane v_N lc ks l;
+ lemma_rho_thru_4_extract_lane v_N lc ks' d l;
+ lemma_rho_theta_spec state
+#pop-options
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 400"
+let lemma_theta_rho_row_4_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T ks in
+ let ks'' = Libcrux_sha3.Generic_keccak.impl_2__rho
v_N #v_T ks' d in
+ let lhs = extract_lane v_N lc ks''.Libcrux_sha3.Generic_keccak.f_st l in
+ let rhs = Hacspec_sha3.Keccak_f.rho
+ (Hacspec_sha3.Keccak_f.theta (extract_lane v_N lc s l)) in
+ lhs.[mk_usize 20] == rhs.[mk_usize 20] /\
+ lhs.[mk_usize 21] == rhs.[mk_usize 21] /\
+ lhs.[mk_usize 22] == rhs.[mk_usize 22] /\
+ lhs.[mk_usize 23] == rhs.[mk_usize 23] /\
+ lhs.[mk_usize 24] == rhs.[mk_usize 24])
+ = let open Libcrux_sha3.Generic_keccak in
+ let s = ks.f_st in
+ let ks', d = impl_2__theta v_N #v_T ks in
+ let state = extract_lane v_N lc s l in
+ lemma_theta_extract_lane v_N lc ks l;
+ lemma_rho_thru_4_extract_lane v_N lc ks' d l;
+ lemma_rho_theta_spec state
+#pop-options
+
+let forall25 (p:(i:nat{i < 25} -> Type0)):
+ Lemma (requires (p 0 /\ p 1 /\ p 2 /\ p 3 /\ p 4 /\
+ p 5 /\ p 6 /\ p 7 /\ p 8 /\ p 9 /\
+ p 10 /\ p 11 /\ p 12 /\ p 13 /\ p 14 /\
+ p 15 /\ p 16 /\ p 17 /\ p 18 /\ p 19 /\
+ p 20 /\ p 21 /\ p 22 /\ p 23 /\ p 24))
+ (ensures (forall (i:nat{i < 25}). p i)) = ()
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 200 --split_queries always"
+let lemma_theta_rho_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T ks in
+ let ks'' = Libcrux_sha3.Generic_keccak.impl_2__rho v_N #v_T ks' d in
+ extract_lane v_N lc ks''.Libcrux_sha3.Generic_keccak.f_st l ==
+ Hacspec_sha3.Keccak_f.rho (Hacspec_sha3.Keccak_f.theta (extract_lane v_N lc s l)))
+ = lemma_theta_rho_row_0_to_spec v_N lc ks l;
+ lemma_theta_rho_row_1_to_spec v_N lc ks l;
+ lemma_theta_rho_row_2_to_spec v_N lc ks l;
+ lemma_theta_rho_row_3_to_spec v_N lc ks l;
+ lemma_theta_rho_row_4_to_spec v_N lc ks l;
+ let s = ks.Libcrux_sha3.Generic_keccak.f_st in
+ let ks', d = Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T
ks in + let ks'' = Libcrux_sha3.Generic_keccak.impl_2__rho v_N #v_T ks' d in + let lhs = extract_lane v_N lc ks''.Libcrux_sha3.Generic_keccak.f_st l in + let rhs = Hacspec_sha3.Keccak_f.rho (Hacspec_sha3.Keccak_f.theta (extract_lane v_N lc s l)) in + forall25 (fun i -> Seq.index lhs i == Seq.index rhs i); + eq_intro lhs rhs +#pop-options + +(** Pi extract_lane: states all 25 indices of pi result at u64 level. + Chains the 5 sub-step generics + SMTPat conversion to extract_lane. + Pi is a pure permutation: r.[k] == state.[pi_perm(k)]. *) + +#push-options "--z3rlimit 1200" +let lemma_pi_extract_lane + (v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (lc: lane_correctness v_N #v_T) + (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T) + (l: nat{l < v v_N}) + : Lemma + (let state = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in + let r = extract_lane v_N lc + (Libcrux_sha3.Generic_keccak.impl_2__pi v_N #v_T ks) + .Libcrux_sha3.Generic_keccak.f_st l in + r.[mk_usize 0] == state.[mk_usize 0] /\ + r.[mk_usize 1] == state.[mk_usize 6] /\ + r.[mk_usize 2] == state.[mk_usize 12] /\ + r.[mk_usize 3] == state.[mk_usize 18] /\ + r.[mk_usize 4] == state.[mk_usize 24] /\ + r.[mk_usize 5] == state.[mk_usize 3] /\ + r.[mk_usize 6] == state.[mk_usize 9] /\ + r.[mk_usize 7] == state.[mk_usize 10] /\ + r.[mk_usize 8] == state.[mk_usize 16] /\ + r.[mk_usize 9] == state.[mk_usize 22] /\ + r.[mk_usize 10] == state.[mk_usize 1] /\ + r.[mk_usize 11] == state.[mk_usize 7] /\ + r.[mk_usize 12] == state.[mk_usize 13] /\ + r.[mk_usize 13] == state.[mk_usize 19] /\ + r.[mk_usize 14] == state.[mk_usize 20] /\ + r.[mk_usize 15] == state.[mk_usize 4] /\ + r.[mk_usize 16] == state.[mk_usize 5] /\ + r.[mk_usize 17] == state.[mk_usize 11] /\ + r.[mk_usize 18] == state.[mk_usize 17] /\ + r.[mk_usize 19] == state.[mk_usize 23] /\ + r.[mk_usize 20] == state.[mk_usize 2] /\ + r.[mk_usize 21] == state.[mk_usize 8] /\ + r.[mk_usize 22] == state.[mk_usize 
14] /\
+ r.[mk_usize 23] == state.[mk_usize 15] /\
+ r.[mk_usize 24] == state.[mk_usize 21])
+ = let open Libcrux_sha3.Generic_keccak in
+ let old = ks in
+ let ks0 = impl_2__pi_0_ v_N #v_T ks old in
+ lemma_pi_0_generic v_N ks old;
+ let ks1 = impl_2__pi_1_ v_N #v_T ks0 old in
+ lemma_pi_1_generic v_N ks0 old;
+ let ks2 = impl_2__pi_2_ v_N #v_T ks1 old in
+ lemma_pi_2_generic v_N ks1 old;
+ let ks3 = impl_2__pi_3_ v_N #v_T ks2 old in
+ lemma_pi_3_generic v_N ks2 old;
+ let ks4 = impl_2__pi_4_ v_N #v_T ks3 old in
+ lemma_pi_4_generic v_N ks3 old;
+ lemma_pi_unfold_generic v_N ks
+#pop-options
+
+(** Pi commutativity:
+ extract_lane lc (pi(ks)).f_st l == pi(extract_lane lc ks.f_st l)
+
+ lemma_pi_extract_lane provides u64-level facts via extract_lane,
+ lemma_pi_spec provides the spec side, eq_intro closes. *)
+
+#push-options "--z3rlimit 800"
+let lemma_pi_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__pi v_N #v_T ks)
+ .Libcrux_sha3.Generic_keccak.f_st l ==
+ Hacspec_sha3.Keccak_f.pi (extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l))
+ = let open Libcrux_sha3.Generic_keccak in
+ lemma_pi_extract_lane v_N lc ks l;
+ let state = extract_lane v_N lc ks.f_st l in
+ lemma_pi_spec state;
+ let lhs = extract_lane v_N lc (impl_2__pi v_N #v_T ks).f_st l in
+ let rhs = Hacspec_sha3.Keccak_f.pi state in
+ forall25 (fun i -> Seq.index lhs i == Seq.index rhs i);
+ Rust_primitives.Arrays.eq_intro lhs rhs
+#pop-options
+
+(** Chi extract_lane: states all 25 indices of chi result at u64 level.
+
+ Strategy:
+ 1.
[ChiFold.lemma_chi_val_i] gives, for any flat index [k < 25]: + (impl_2__chi v_N #v_T ks).f_st.[k] == chi_inner_val ks (k/5) (k%5) + Under the FIPS-native layout [get_ij(arr, i, j) = arr[5*i + j]], + flat index [k] corresponds to impl-[(i, j) = (k/5, k%5)] which + is FIPS [(y, x) = (k/5, k%5)], i.e. [x = k%5, y = k/5]. + [chi_inner_val] is a transparent [let] that unfolds to + [f_and_not_xor] of three indices along the [x] axis at fixed [y]. + 2. [lane_and_not_xor] (operation-level commutativity above) lifts + that equality through [lc.lane]. + 3. [logand_commutative] swaps `(b &. ~.c)` to `(~.c &. b)` to + match the spec orientation. *) + +#push-options "--fuel 0 --ifuel 1 --z3rlimit 400" +let lemma_chi_extract_lane_aux + (v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (lc: lane_correctness v_N #v_T) + (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T) + (l: nat{l < v v_N}) + (k: usize{v k < 25}) + : Lemma + (let s = ks.Libcrux_sha3.Generic_keccak.f_st in + let i = k /! sz 5 in + let j = k %! sz 5 in + lc.lane (Libcrux_sha3.Generic_keccak.impl_2__chi v_N #v_T ks) + .Libcrux_sha3.Generic_keccak.f_st.[k] l == + lc.lane s.[k] l ^. + ((~. (lc.lane s.[ (mk_usize 5 *! i) +! ((j +! mk_usize 1) %! mk_usize 5) ] l)) &. + lc.lane s.[ (mk_usize 5 *! i) +! ((j +! mk_usize 2) %! mk_usize 5) ] l)) + = let i = k /! sz 5 in + let j = k %! sz 5 in + let s = ks.Libcrux_sha3.Generic_keccak.f_st in + assert (k == sz 5 *! i +! j); + ChiFold.lemma_chi_val_i v_N #v_T ks k; + lane_and_not_xor v_N lc + (ks.[ i, j <: (usize & usize) ] <: v_T) + (ks.[ i, ((j +! mk_usize 2) %! mk_usize 5) <: (usize & usize) ] <: v_T) + (ks.[ i, ((j +! mk_usize 1) %! mk_usize 5) <: (usize & usize) ] <: v_T) + l; + Lemmas.logand_commutative + (lc.lane s.[ (mk_usize 5 *! i) +! ((j +! mk_usize 2) %! mk_usize 5) ] l) + (~. (lc.lane s.[ (mk_usize 5 *! i) +! ((j +! mk_usize 1) %! 
mk_usize 5) ] l))
+#pop-options
+
+(** Chi commutativity:
+ extract_lane lc (chi(ks)).f_st l == chi(extract_lane lc ks.f_st l)
+
+ Direct pointwise proof: [lemma_chi_extract_lane_aux] gives the
+ per-index equality at the u64 level, and [Hacspec_sha3.createi_lemma]
+ is an SMTPat that unfolds [(chi state).[k]] on the spec side. We
+ introduce the universal pointwise fact via [Classical.forall_intro]
+ and conclude with array extensionality. *)
+
+#push-options "--fuel 0 --ifuel 1 --z3rlimit 400"
+let lemma_chi_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__chi v_N #v_T ks)
+ .Libcrux_sha3.Generic_keccak.f_st l ==
+ Hacspec_sha3.Keccak_f.chi (extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l))
+ = let open Libcrux_sha3.Generic_keccak in
+ let lhs = extract_lane v_N lc (impl_2__chi v_N #v_T ks).f_st l in
+ let state = extract_lane v_N lc ks.f_st l in
+ let rhs = Hacspec_sha3.Keccak_f.chi state in
+ let aux (i: nat{i < 25}) : Lemma (Seq.index lhs i == Seq.index rhs i) =
+ let k : usize = mk_usize i in
+ assert (v k == i);
+ lemma_chi_extract_lane_aux v_N #v_T lc ks l k;
+ assert (lhs.[k] == rhs.[k]);
+ assert (lhs.[k] == Seq.index lhs i);
+ assert (rhs.[k] == Seq.index rhs i)
+ in
+ Classical.forall_intro aux;
+ Rust_primitives.Arrays.eq_intro lhs rhs
+#pop-options
+
+(** Iota spec-side: unfold iota at each index.
+ Index 0: state[0] ^. RC[round]. Indices 1-24: unchanged. *)
+
+let lemma_iota_spec (state: spec_state) (round: usize)
+ : Lemma
+ (requires round <. mk_usize 24)
+ (ensures
+ (let r = Hacspec_sha3.Keccak_f.iota state round in
+ r.[mk_usize 0] == (state.[mk_usize 0] <: u64) ^.
(Hacspec_sha3.Keccak_f.v_ROUND_CONSTANTS.[round] <: u64) /\
+ r.[mk_usize 1] == state.[mk_usize 1] /\
+ r.[mk_usize 2] == state.[mk_usize 2] /\
+ r.[mk_usize 3] == state.[mk_usize 3] /\
+ r.[mk_usize 4] == state.[mk_usize 4] /\
+ r.[mk_usize 5] == state.[mk_usize 5] /\
+ r.[mk_usize 6] == state.[mk_usize 6] /\
+ r.[mk_usize 7] == state.[mk_usize 7] /\
+ r.[mk_usize 8] == state.[mk_usize 8] /\
+ r.[mk_usize 9] == state.[mk_usize 9] /\
+ r.[mk_usize 10] == state.[mk_usize 10] /\
+ r.[mk_usize 11] == state.[mk_usize 11] /\
+ r.[mk_usize 12] == state.[mk_usize 12] /\
+ r.[mk_usize 13] == state.[mk_usize 13] /\
+ r.[mk_usize 14] == state.[mk_usize 14] /\
+ r.[mk_usize 15] == state.[mk_usize 15] /\
+ r.[mk_usize 16] == state.[mk_usize 16] /\
+ r.[mk_usize 17] == state.[mk_usize 17] /\
+ r.[mk_usize 18] == state.[mk_usize 18] /\
+ r.[mk_usize 19] == state.[mk_usize 19] /\
+ r.[mk_usize 20] == state.[mk_usize 20] /\
+ r.[mk_usize 21] == state.[mk_usize 21] /\
+ r.[mk_usize 22] == state.[mk_usize 22] /\
+ r.[mk_usize 23] == state.[mk_usize 23] /\
+ r.[mk_usize 24] == state.[mk_usize 24]))
+ = ()
+
+(** Iota extract_lane: only index 0 changes (via lane_xor_constant),
+ indices 1-24 are preserved. *)
+
+let lemma_iota_extract_lane
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (round: usize)
+ (l: nat{l < v v_N})
+ : Lemma
+ (requires round <. mk_usize 24)
+ (ensures
+ (let state = extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l in
+ let r = extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__iota v_N #v_T ks round)
+ .Libcrux_sha3.Generic_keccak.f_st l in
+ r.[mk_usize 0] == (state.[mk_usize 0] <: u64) ^.
+ (Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS.[round] <: u64) /\
+ r.[mk_usize 1] == state.[mk_usize 1] /\
+ r.[mk_usize 2] == state.[mk_usize 2] /\
+ r.[mk_usize 3] == state.[mk_usize 3] /\
+ r.[mk_usize 4] == state.[mk_usize 4] /\
+ r.[mk_usize 5] == state.[mk_usize 5] /\
+ r.[mk_usize 6] == state.[mk_usize 6] /\
+ r.[mk_usize 7] == state.[mk_usize 7] /\
+ r.[mk_usize 8] == state.[mk_usize 8] /\
+ r.[mk_usize 9] == state.[mk_usize 9] /\
+ r.[mk_usize 10] == state.[mk_usize 10] /\
+ r.[mk_usize 11] == state.[mk_usize 11] /\
+ r.[mk_usize 12] == state.[mk_usize 12] /\
+ r.[mk_usize 13] == state.[mk_usize 13] /\
+ r.[mk_usize 14] == state.[mk_usize 14] /\
+ r.[mk_usize 15] == state.[mk_usize 15] /\
+ r.[mk_usize 16] == state.[mk_usize 16] /\
+ r.[mk_usize 17] == state.[mk_usize 17] /\
+ r.[mk_usize 18] == state.[mk_usize 18] /\
+ r.[mk_usize 19] == state.[mk_usize 19] /\
+ r.[mk_usize 20] == state.[mk_usize 20] /\
+ r.[mk_usize 21] == state.[mk_usize 21] /\
+ r.[mk_usize 22] == state.[mk_usize 22] /\
+ r.[mk_usize 23] == state.[mk_usize 23] /\
+ r.[mk_usize 24] == state.[mk_usize 24]))
+ = lane_xor_constant v_N lc
+ ks.Libcrux_sha3.Generic_keccak.f_st.[mk_usize 0]
+ (Libcrux_sha3.Generic_keccak.Constants.v_ROUNDCONSTANTS.[round])
+ l
+
+(** Iota commutativity:
+ extract_lane lc (iota(ks, round)).f_st l == iota(extract_lane lc ks.f_st l, round)
+
+ lemma_iota_extract_lane provides u64-level facts via extract_lane,
+ lemma_iota_spec provides the spec side, eq_intro closes. *)
+
+#push-options "--z3rlimit 200"
+let lemma_iota_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (round: usize)
+ (l: nat{l < v v_N})
+ : Lemma
+ (requires round <.
mk_usize 24)
+ (ensures
+ extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__iota v_N #v_T ks round)
+ .Libcrux_sha3.Generic_keccak.f_st l ==
+ Hacspec_sha3.Keccak_f.iota (extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l) round)
+ = let open Libcrux_sha3.Generic_keccak in
+ let state = extract_lane v_N lc ks.f_st l in
+ lemma_round_constants_equal round;
+ lemma_iota_extract_lane v_N lc ks round l;
+ lemma_iota_spec state round;
+ Rust_primitives.Arrays.eq_intro
+ (extract_lane v_N lc (impl_2__iota v_N #v_T ks round).f_st l)
+ (Hacspec_sha3.Keccak_f.iota state round)
+#pop-options
+
+(* ================================================================
+ Phase 5: One-round and full keccakf1600 commutativity
+ ================================================================ *)
+
+let impl_one_round
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (i: usize)
+ : Pure (Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (requires i <. mk_usize 24) (fun _ -> True) =
+ let open Libcrux_sha3.Generic_keccak in
+ let tmp0, t = impl_2__theta v_N #v_T ks in
+ let ks1 = impl_2__rho v_N #v_T tmp0 t in
+ let ks2 = impl_2__pi v_N #v_T ks1 in
+ let ks3 = impl_2__chi v_N #v_T ks2 in
+ impl_2__iota v_N #v_T ks3 i
+
+let spec_one_round = SpecRounds.spec_one_round
+
+(** One-round commutativity: composition of per-step commutativity. *)
+#push-options "--z3rlimit 200"
+let lemma_one_round_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (round: usize)
+ (l: nat{l < v v_N})
+ : Lemma
+ (requires round <.
mk_usize 24)
+ (ensures
+ extract_lane v_N lc (impl_one_round v_N ks round)
+ .Libcrux_sha3.Generic_keccak.f_st l ==
+ spec_one_round (extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l) round)
+ = let open Libcrux_sha3.Generic_keccak in
+ let s = ks.f_st in
+ let ks', d = impl_2__theta v_N #v_T ks in
+ let ks1 = impl_2__rho v_N #v_T ks' d in
+ lemma_theta_rho_to_spec v_N lc ks l;
+ let spec_after_rho = Hacspec_sha3.Keccak_f.rho (Hacspec_sha3.Keccak_f.theta (extract_lane v_N lc s l)) in
+ assert (extract_lane v_N lc ks1.f_st l == spec_after_rho);
+ let ks2 = impl_2__pi v_N #v_T ks1 in
+ lemma_pi_to_spec v_N lc ks1 l;
+ let spec_after_pi = Hacspec_sha3.Keccak_f.pi spec_after_rho in
+ assert (extract_lane v_N lc ks2.f_st l == spec_after_pi);
+ let ks3 = impl_2__chi v_N #v_T ks2 in
+ lemma_chi_to_spec v_N lc ks2 l;
+ let spec_after_chi = Hacspec_sha3.Keccak_f.chi spec_after_pi in
+ assert (extract_lane v_N lc ks3.f_st l == spec_after_chi);
+ lemma_iota_to_spec v_N lc ks3 round l
+#pop-options
+
+(** Recursive helpers for multi-round iteration. *)
+let rec impl_rounds
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (r: usize)
+ : Pure (Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (requires r <=. mk_usize 24) (fun _ -> True)
+ (decreases (v (mk_usize 24) - v r)) =
+ if r =. mk_usize 24 then ks
+ else impl_rounds v_N (impl_one_round v_N ks r) (r +! mk_usize 1)
+
+let spec_rounds = SpecRounds.spec_rounds
+
+(** Induction: impl_rounds and spec_rounds commute with extract_lane. *)
+#push-options "--fuel 1 --z3rlimit 200"
+let rec lemma_rounds_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (r: usize)
+ (l: nat{l < v v_N})
+ : Lemma
+ (requires r <=.
mk_usize 24)
+ (ensures
+ extract_lane v_N lc (impl_rounds v_N ks r).Libcrux_sha3.Generic_keccak.f_st l ==
+ spec_rounds (extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l) r)
+ (decreases (v (mk_usize 24) - v r))
+ = if r =. mk_usize 24 then ()
+ else begin
+ lemma_one_round_to_spec v_N lc ks r l;
+ lemma_rounds_to_spec v_N lc (impl_one_round v_N ks r) (r +! mk_usize 1) l
+ end
+#pop-options
+
+(** Named fold body — matches the extracted lambda body in impl_2__keccakf1600
+ (modulo identity let-bindings that normalize away). *)
+let keccakf_body
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (i: usize{v i < 24})
+ : Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ let open Libcrux_sha3.Generic_keccak in
+ let (tmp0: t_KeccakState v_N v_T), (out: t_Array v_T (mk_usize 5)) =
+ impl_2__theta v_N #v_T self
+ in
+ let self: t_KeccakState v_N v_T = tmp0 in
+ let t: t_Array v_T (mk_usize 5) = out in
+ let self: t_KeccakState v_N v_T = impl_2__rho v_N #v_T self t in
+ let self: t_KeccakState v_N v_T = impl_2__pi v_N #v_T self in
+ let self: t_KeccakState v_N v_T = impl_2__chi v_N #v_T self in
+ let self: t_KeccakState v_N v_T = impl_2__iota v_N #v_T self i in
+ self
+
+(** Fold wrapper with local bindings — amenable to lemma_fold_range_step.
*)
+let keccakf_fold_local
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (i: usize{v i <= 24})
+ : Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ let inv (_: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T) (_: usize) : Type0 = True in
+ let f (self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (j: usize{v j < 24}) : Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ keccakf_body v_N self j
+ in
+ Rust_primitives.Hax.Folds.fold_range i (mk_usize 24) inv ks f
+
+(** Recursive bridge: keccakf_fold_local == impl_rounds. *)
+#push-options "--fuel 1 --z3rlimit 200"
+let rec lemma_keccakf_fold_local_is_rounds
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (i: usize)
+ : Lemma
+ (requires i <=. mk_usize 24)
+ (ensures keccakf_fold_local v_N ks i == impl_rounds v_N ks i)
+ (decreases (v (mk_usize 24) - v i))
+ = if i =. mk_usize 24 then ()
+ else begin
+ let inv (_: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T) (_: usize) : Type0 = True in
+ let f (self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (j: usize{v j < 24}) : Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ keccakf_body v_N self j
+ in
+ Proof_Utils.FoldRange.lemma_fold_range_step i (mk_usize 24) inv ks f;
+ lemma_keccakf_fold_local_is_rounds v_N (f ks i) (i +! mk_usize 1)
+ end
+#pop-options
+
+(** Nat-indexed body matching [keccakf_body] (lifted to nat index). *)
+let keccakf_body_rnat
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (j: nat{0 <= j /\ j < 24})
+ : Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ keccakf_body v_N #v_T self (mk_usize j)
+
+(** [keccakf_body] equals [impl_one_round].
Both unfold to the same + sequence of theta/rho/pi/chi/iota calls; extractor's extra identity + let-bindings in [keccakf_body] normalize away via zeta/iota. *) +#push-options "--fuel 1 --ifuel 1 --z3rlimit 200" +let lemma_keccakf_body_is_one_round + (v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T) + (i: usize{v i < 24}) + : Lemma (keccakf_body v_N #v_T ks i == impl_one_round v_N #v_T ks i) + = () +#pop-options + +(** Inductive bridge: the [fold_range_nat] iteration of [keccakf_body_rnat] + equals [impl_rounds]. *) +#push-options "--fuel 1 --ifuel 1 --z3rlimit 400" +let rec lemma_fold_range_nat_is_impl_rounds + (v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T) + (i: nat{0 <= i /\ i <= 24}) + : Lemma + (ensures fold_range_nat 0 24 i ks (keccakf_body_rnat v_N #v_T) == + impl_rounds v_N #v_T ks (mk_usize i)) + (decreases 24 - i) + = if i = 24 then () + else begin + lemma_keccakf_body_is_one_round v_N #v_T ks (mk_usize i); + lemma_fold_range_nat_is_impl_rounds v_N #v_T + (keccakf_body_rnat v_N #v_T ks i) (i + 1) + end +#pop-options + +(** Bridge lemma: the extracted [impl_2__keccakf1600] (a refined [fold_range] + with inline lambda body) equals the recursive [impl_rounds] helper. + + Two-step proof: + (A) Apply [lemma_fold_range_is_range_nat] with the SAME inline lambdas + the extractor produces — F* matches syntactically. This rewrites + the refined [fold_range] as [fold_range_nat 0 24 0 ks body_rnat]. + (B) Apply [lemma_fold_range_nat_is_impl_rounds] to relate the + nat-indexed fold to [impl_rounds]. 
*)
+#push-options "--fuel 1 --ifuel 1 --z3rlimit 400"
+let lemma_keccakf1600_is_rounds
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ : Lemma (Libcrux_sha3.Generic_keccak.impl_2__keccakf1600 v_N #v_T ks ==
+ impl_rounds v_N ks (mk_usize 0))
+ =
+ (* (A) Rewrite the extracted fold_range as a fold_range_nat via the
+ bridge. Inline lambdas must match the extractor's shape verbatim. *)
+ lemma_fold_range_is_range_nat
+ #(Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T) #USIZE
+ (mk_usize 0) (mk_usize 24) (mk_usize 0)
+ (fun self temp_1_ ->
+ let self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T = self in
+ let _: usize = temp_1_ in
+ true)
+ ks
+ (fun self i ->
+ let self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T = self in
+ let i: usize = i in
+ let (tmp0: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T),
+ (out: t_Array v_T (mk_usize 5)) =
+ Libcrux_sha3.Generic_keccak.impl_2__theta v_N #v_T self
+ in
+ let self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T = tmp0 in
+ let t: t_Array v_T (mk_usize 5) = out in
+ let self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ Libcrux_sha3.Generic_keccak.impl_2__rho v_N #v_T self t in
+ let self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ Libcrux_sha3.Generic_keccak.impl_2__pi v_N #v_T self in
+ let self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ Libcrux_sha3.Generic_keccak.impl_2__chi v_N #v_T self in
+ let self: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T =
+ Libcrux_sha3.Generic_keccak.impl_2__iota v_N #v_T self i in
+ self)
+ (keccakf_body_rnat v_N #v_T)
+ (fun acc i -> ()); (* pointwise: both sides β-reduce to keccakf_body v_N acc i *)
+ (* (B) Relate the nat-fold to impl_rounds. *)
+ lemma_fold_range_nat_is_impl_rounds v_N #v_T ks 0
+#pop-options
+
+(** Bridge: spec's [keccak_f] equals [spec_rounds].
Re-exported from
+ [EquivImplSpec.Keccakf.SpecRounds] which isolates the fragile [fuel 25]
+ setting from the surrounding SMT context here. *)
+let lemma_keccak_f_is_rounds = SpecRounds.lemma_keccak_f_is_rounds
+
+(* ================================================================
+ MAIN THEOREM: Generic keccak_f lane-wise equivalence.
+
+ For any KeccakItem implementation satisfying lane_correctness,
+ extracting lane l from keccakf1600 equals running the scalar
+ keccak_f on lane l of the input.
+ ================================================================ *)
+
+let lemma_keccakf1600_to_spec
+ (v_N: usize) (#v_T: Type0)
+ {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |}
+ (lc: lane_correctness v_N #v_T)
+ (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T)
+ (l: nat{l < v v_N})
+ : Lemma
+ (extract_lane v_N lc
+ (Libcrux_sha3.Generic_keccak.impl_2__keccakf1600 v_N #v_T ks)
+ .Libcrux_sha3.Generic_keccak.f_st l ==
+ Hacspec_sha3.Keccak_f.keccak_f
+ (extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l))
+ = lemma_keccakf1600_is_rounds v_N ks;
+ lemma_keccak_f_is_rounds (extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l);
+ lemma_rounds_to_spec v_N lc ks (mk_usize 0) l
diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.Portable.fst b/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.Portable.fst
new file mode 100644
index 0000000000..920c9b0fb8
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.Portable.fst
@@ -0,0 +1,156 @@ +module EquivImplSpec.Keccakf.Portable + +(* ================================================================ + Portable (N=1, v_T=u64) instantiation of the generic keccak_f + equivalence proof. + + This module constructs the 7-field [lane_correctness] record for + [Libcrux_sha3.Simd.Portable.impl] and derives the concrete theorem + + (keccakf1600 ks).f_st == keccak_f ks.f_st + + directly from [EquivImplSpec.Keccakf.Generic.lemma_keccakf1600_to_spec] + by exploiting that [extract_lane] is the identity when v_N = 1. + + All 7 [lc_*] lemmas are trivial (= ()) because the portable + [KeccakItem u64 1] instance's methods are definitionally the scalar + u64 operations the spec uses. + ================================================================ *) + +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" + +open FStar.Mul +open Core_models + +module G = EquivImplSpec.Keccakf.Generic + +(* Bring the Portable typeclass instance into scope so + t_KeccakItem u64 (mk_usize 1) resolves to Libcrux_sha3.Simd.Portable.impl. *) +let _ = + let open Libcrux_sha3.Traits in + let open Libcrux_sha3.Simd.Portable in + () + +(* ================================================================ + Portable lane extraction + + For N=1, a SIMD element of type u64 has a single lane which is + the element itself. + ================================================================ *) + +let portable_lane (x: u64) (l: nat{l < 1}) : u64 = x + +(* ================================================================ + Lane-correctness field proofs + + Each lemma is `= ()` because the portable [f_*] method is defined + in terms of [e_*] helpers that are themselves the scalar u64 + operation. 
+ ================================================================ *) + +let portable_lc_zero (l: nat{l < 1}) + : Lemma (portable_lane (Libcrux_sha3.Traits.f_zero #u64 #(mk_usize 1) + #FStar.Tactics.Typeclasses.solve ()) l == mk_u64 0) + = () + +let portable_lc_xor5 (a b c d e: u64) (l: nat{l < 1}) + : Lemma (portable_lane (Libcrux_sha3.Traits.f_xor5 #u64 #(mk_usize 1) + #FStar.Tactics.Typeclasses.solve a b c d e) l == + (((portable_lane a l ^. portable_lane b l) ^. portable_lane c l) + ^. portable_lane d l) ^. portable_lane e l) + = () + +let portable_lc_rotate_left1_and_xor (a b: u64) (l: nat{l < 1}) + : Lemma (portable_lane (Libcrux_sha3.Traits.f_rotate_left1_and_xor #u64 + #(mk_usize 1) #FStar.Tactics.Typeclasses.solve a b) l == + portable_lane a l ^. + Core_models.Num.impl_u64__rotate_left (portable_lane b l) (mk_u32 1)) + = () + +let portable_lc_xor_and_rotate (v_LEFT v_RIGHT: i32) (a b: u64) (l: nat{l < 1}) + : Lemma + (requires + ((Rust_primitives.Hax.Int.from_machine v_LEFT <: Hax_lib.Int.t_Int) + + (Rust_primitives.Hax.Int.from_machine v_RIGHT <: Hax_lib.Int.t_Int)) = + (Rust_primitives.Hax.Int.from_machine (mk_i32 64) <: Hax_lib.Int.t_Int) /\ + v_RIGHT >. mk_i32 0 /\ + v_RIGHT <. mk_i32 64) + (ensures + portable_lane (Libcrux_sha3.Traits.f_xor_and_rotate #u64 #(mk_usize 1) + #FStar.Tactics.Typeclasses.solve v_LEFT v_RIGHT a b) l == + Core_models.Num.impl_u64__rotate_left + (portable_lane a l ^. portable_lane b l) (cast (v_LEFT <: i32) <: u32)) + = () + +let portable_lc_and_not_xor (a b c: u64) (l: nat{l < 1}) + : Lemma (portable_lane (Libcrux_sha3.Traits.f_and_not_xor #u64 #(mk_usize 1) + #FStar.Tactics.Typeclasses.solve a b c) l == + portable_lane a l ^. (portable_lane b l &. (~. (portable_lane c l)))) + = () + +let portable_lc_xor_constant (a: u64) (c: u64) (l: nat{l < 1}) + : Lemma (portable_lane (Libcrux_sha3.Traits.f_xor_constant #u64 #(mk_usize 1) + #FStar.Tactics.Typeclasses.solve a c) l == + portable_lane a l ^. 
c) + = () + +let portable_lc_xor (a b: u64) (l: nat{l < 1}) + : Lemma (portable_lane (Libcrux_sha3.Traits.f_xor #u64 #(mk_usize 1) + #FStar.Tactics.Typeclasses.solve a b) l == + portable_lane a l ^. portable_lane b l) + = () + +(* ================================================================ + Assemble the [lane_correctness] record + ================================================================ *) + +let lc_portable : G.lane_correctness (mk_usize 1) #u64 = + { + lane = portable_lane; + lc_zero = portable_lc_zero; + lc_xor5 = portable_lc_xor5; + lc_rotate_left1_and_xor = portable_lc_rotate_left1_and_xor; + lc_xor_and_rotate = portable_lc_xor_and_rotate; + lc_and_not_xor = portable_lc_and_not_xor; + lc_xor_constant = portable_lc_xor_constant; + lc_xor = portable_lc_xor; + } + +(* ================================================================ + For N=1, [extract_lane] is the identity on the state array. + ================================================================ *) + +let lemma_extract_lane_portable_identity + (state: t_Array u64 (mk_usize 25)) + : Lemma (G.extract_lane (mk_usize 1) lc_portable state 0 == state) + = let lhs = G.extract_lane (mk_usize 1) lc_portable state 0 in + let aux (i: nat{i < 25}) : Lemma (Seq.index lhs i == Seq.index state i) = + let k: usize = mk_usize i in + assert (v k == i); + G.lemma_extract_lane_index (mk_usize 1) lc_portable state 0 k; + assert (lhs.[k] == lc_portable.lane state.[k] 0); + assert (lc_portable.lane state.[k] 0 == state.[k]) + in + Classical.forall_intro aux; + Rust_primitives.Arrays.eq_intro lhs state + +(* ================================================================ + MAIN THEOREM: portable keccakf1600 ≡ spec keccak_f + + Derived from [lemma_keccakf1600_to_spec] at v_N = 1, lane = 0, + using the identity lemma above to collapse [extract_lane] on both + sides. 
+ ================================================================ *) + +let lemma_keccakf1600_portable + (ks: Libcrux_sha3.Generic_keccak.t_KeccakState (mk_usize 1) u64) + : Lemma + ((Libcrux_sha3.Generic_keccak.impl_2__keccakf1600 (mk_usize 1) #u64 ks) + .Libcrux_sha3.Generic_keccak.f_st == + Hacspec_sha3.Keccak_f.keccak_f ks.Libcrux_sha3.Generic_keccak.f_st) + = let state = ks.Libcrux_sha3.Generic_keccak.f_st in + let ks_out = Libcrux_sha3.Generic_keccak.impl_2__keccakf1600 (mk_usize 1) #u64 ks in + let out_state = ks_out.Libcrux_sha3.Generic_keccak.f_st in + G.lemma_keccakf1600_to_spec (mk_usize 1) lc_portable ks 0; + lemma_extract_lane_portable_identity state; + lemma_extract_lane_portable_identity out_state diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.SpecRounds.fst b/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.SpecRounds.fst new file mode 100644 index 0000000000..d1af2cad30 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/EquivImplSpec.Keccakf.SpecRounds.fst 
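Review bot: In EquivImplSpec.Keccakf.Portable.fst the comment above `let _ = let open Libcrux_sha3.Traits in let open Libcrux_sha3.Simd.Portable in ()` says it brings the Portable instance into scope, but a `let open … in` is local to that one expression and does not reach the lemmas that follow. Presumably its real effect is to make `Libcrux_sha3.Simd.Portable` a dependency of this file so the instance is loaded for `FStar.Tactics.Typeclasses.solve`; the comment should say so, e.g. `(* Force a dependency on Libcrux_sha3.Simd.Portable so its KeccakItem u64 1 instance is available to typeclass resolution; the opens are local to this definition. *)`. The header also calls `lane_correctness` a 7-field record while the `lc_portable` literal assigns eight fields (`lane` plus seven `lc_*` lemmas), so "seven lemma fields plus `lane`" would match the code.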
@@ -0,0 +1,50 @@
+module EquivImplSpec.Keccakf.SpecRounds
+
+(** Spec-side recursive round iteration and the [keccak_f == spec_rounds]
+ bridge.
+
+ [Hacspec_sha3.Keccak_f.keccak_f] is defined as a [fold_range 0 24]
+ over a spec-only one-round body (theta∘rho∘pi∘chi∘iota). We re-express
+ the same iteration recursively as [spec_rounds], and prove the two
+ are equal in a single SMT query at [--fuel 30 --ifuel 2] — enough
+ fuel to unroll both the [fold_range] (24 steps) and [spec_rounds]
+ (24 steps).
+
+ This fuel setting is fragile to perturbations in the surrounding
+ SMT context, so the lemma is isolated in this small module — its
+ only dependency is [Hacspec_sha3.Keccak_f]. The consumer
+ (Generic.fst) imports this module qualified as [SpecRounds]. *)
+
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+
+open FStar.Mul
+open Core_models
+open Rust_primitives.Integers
+
+let spec_state = t_Array u64 (mk_usize 25)
+
+let spec_one_round (state: spec_state) (i: usize)
+ : Pure spec_state (requires i <. mk_usize 24) (fun _ -> True) =
+ Hacspec_sha3.Keccak_f.iota
+ (Hacspec_sha3.Keccak_f.chi
+ (Hacspec_sha3.Keccak_f.pi
+ (Hacspec_sha3.Keccak_f.rho
+ (Hacspec_sha3.Keccak_f.theta state))))
+ i
+
+let rec spec_rounds (state: spec_state) (r: usize)
+ : Pure spec_state
+ (requires r <=. mk_usize 24) (fun _ -> True)
+ (decreases (v (mk_usize 24) - v r)) =
+ if r =. mk_usize 24 then state
+ else spec_rounds (spec_one_round state r) (r +! mk_usize 1)
+
+(** Bridge: the spec's top-level [keccak_f] equals [spec_rounds] from 0.
+ Both sides unroll 24 times under [--fuel 30]; SMT closes the
+ resulting literal equality directly. *)
+#push-options "--fuel 30 --ifuel 2 --z3rlimit 400"
+let lemma_keccak_f_is_rounds (state: spec_state)
+ : Lemma (Hacspec_sha3.Keccak_f.keccak_f state ==
+ spec_rounds state (mk_usize 0))
+ = ()
+#pop-options
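Review bot: The fuel budget behind `lemma_keccak_f_is_rounds` is documented with two different values. The header of EquivImplSpec.Keccakf.SpecRounds.fst and its `#push-options` line use `--fuel 30`, while the re-export comment in EquivImplSpec.Keccakf.Generic.fst refers to the fragile `[fuel 25]` setting. The whole keccak_f/spec_rounds bridge is closed by `= ()` under that single setting, so both comments should state the value that is actually checked; change the Generic.fst comment to `[fuel 30]`. The header's "only dependency is [Hacspec_sha3.Keccak_f]" also sits above `open Core_models` and `open Rust_primitives.Integers`, so it would be more accurate as "only spec dependency".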
diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/Makefile b/crates/algorithms/sha3/proofs/fstar/equivalence/Makefile
new file mode 100644
index 0000000000..a8717ffb21
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/fstar/equivalence/Makefile
@@ -0,0 +1,26 @@
+FSTAR_INCLUDE_DIRS_EXTRA += \
+ $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec \
+ $(shell git rev-parse --show-toplevel)/libcrux-intrinsics/proofs/fstar/extraction \
+ ../stubs \
+ ../extraction
+
+# Portable keccakf1600 equivalence proofs.
+# (Platform variants and sponge-level proofs ship in follow-up PRs.)
+ROOTS = \
+ Proof_Utils.Lemmas.fst \
+ Proof_Utils.NatFold.fst \
+ Proof_Utils.FoldRange.fst \
+ EquivImplSpec.Keccakf.ChiFold.fst \
+ EquivImplSpec.Keccakf.SpecRounds.fst \
+ EquivImplSpec.Keccakf.Generic.fst \
+ EquivImplSpec.Keccakf.Portable.fst
+
+FSTAR_EXT_FLAGS = --ext context_pruning
+
+# SMT replay hints are tracked alongside the proofs so fresh checkouts
+# replay them rather than re-searching Z3 (the heavy lemma_chi_outer_unfolds_generic
+# query is reproducible but slow without hints — minutes vs seconds).
+HINT_DIR = $(shell pwd)/.hints
+ENABLE_HINTS = --use_hints --record_hints
+
+include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.FoldRange.fst b/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.FoldRange.fst
new file mode 100644
index 0000000000..ecd46bc3cc
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.FoldRange.fst
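Review bot: In the equivalence Makefile, `ENABLE_HINTS = --use_hints --record_hints` means every run that re-checks a module rewrites the `.hints` files that the comment above describes as tracked in the repository. A routine `make` then leaves a dirty tree, and the committed hints drift with whichever local Z3 run happened last. Keep replay as the default and make recording opt-in, for example `ENABLE_HINTS = --use_hints $(if $(RECORD_HINTS),--record_hints)`. The README added in this commit says hints are recorded under `.fstar-cache/hints/`, which does not match `HINT_DIR = $(shell pwd)/.hints`, so one of the two should be corrected. How `HINT_DIR` and `ENABLE_HINTS` are consumed is decided in `fstar-helpers/Makefile.base`, which is not part of this hunk.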
@@ -0,0 +1,26 @@
+module Proof_Utils.FoldRange
+
+(** One-step unfolding of [Rust_primitives.Hax.Folds.fold_range]: peel off
+ the first iteration. Layout-independent utility lemma, extracted here
+ so it can be shared between [EquivImplSpec.Keccakf.Generic] and the
+ [EquivImplSpec.Keccakf] top-level module without creating a dependency
+ cycle. *)
+
+#set-options "--fuel 1 --ifuel 1 --z3rlimit 50"
+
+open FStar.Mul
+open Core_models
+open Rust_primitives.Integers
+
+let lemma_fold_range_step
+ (#acc_t: Type0)
+ (start end_: usize)
+ (inv: acc_t -> (i:usize{Rust_primitives.Hax.Folds.fold_range_wf_index start end_ false (v i)}) -> Type0)
+ (init: acc_t {~(Rust_primitives.Hax.Folds.range_empty start end_) ==> inv init start})
+ (f: (acc:acc_t -> i:usize {v i <= v end_ /\ Rust_primitives.Hax.Folds.fold_range_wf_index start end_ true (v i) /\ inv acc i}
+ -> acc':acc_t {(inv acc' (mk_int (v i + 1)))}))
+ : Lemma
+ (requires v start < v end_)
+ (ensures Rust_primitives.Hax.Folds.fold_range start end_ inv init f ==
+ Rust_primitives.Hax.Folds.fold_range (start +! mk_usize 1) end_ inv (f init start) f)
+ = ()
diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.Lemmas.fst b/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.Lemmas.fst
new file mode 100644
index 0000000000..55968214a4
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.Lemmas.fst
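Review bot: The module comment in Proof_Utils.FoldRange.fst says the lemma is shared with an `[EquivImplSpec.Keccakf]` top-level module, but the `ROOTS` list in the Makefile of this same commit has no such module (only ChiFold, SpecRounds, Generic and Portable under that prefix). If that consumer ships in a follow-up the comment should say so, otherwise it should name the module that actually uses `lemma_fold_range_step`. The lemma is also checked under a file-wide `#set-options "--fuel 1 --ifuel 1 --z3rlimit 50"`. Wrapping it in `#push-options`/`#pop-options`, as Proof_Utils.NatFold.fst does for its lemmas, would keep that fuel from silently applying to anything added to the file later.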
@@ -0,0 +1,48 @@
+module Proof_Utils.Lemmas
+
+(** Library-level lemmas that bridge to upstream hax-lib /
+ core-models proofs. As of 2026-04-25, the underlying lemmas
+ have been added to hax-lib's [Rust_primitives.Integers] and
+ companion [Rust_primitives.Hax.Monomorphized_update_at_Lemmas]
+ (cryspen/hax integer-lemmas branch); this file now wraps those
+ upstream lemmas. *)
+
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 50"
+
+open FStar.Mul
+open Core_models
+open Rust_primitives.Integers
+
+(** Bitwise AND commutativity. *)
+let logand_commutative (#t: inttype) (a b: int_t t)
+ : Lemma ((a &. b) == (b &. a))
+ = Rust_primitives.Integers.logand_commutative a b
+
+(** [rotate_left(x, 0) == x]. Now provable since
+ [Core_models.Num.impl_u64__rotate_left] is concretely defined as
+ a delegation to [rotate_left_u] with the [n mod 64 == 0]
+ case being the identity (cryspen/hax integer-lemmas branch). *)
+let lemma_rotate_left_zero (x: u64)
+ : Lemma (Core_models.Num.impl_u64__rotate_left x (mk_u32 0) == x)
+ = ()
+
+(* Update at Range Indexing Property *)
+(* This is a more useful spec than the one in Monomorphized_update_at *)
+let lemma_index_update_at_range #t (s:t_Slice t) (i:Core_models.Ops.Range.t_Range usize) (x:t_Slice t):
+ Lemma
+ (requires
+ v i.f_start >= 0 /\ v i.f_start <= Seq.length s /\
+ v i.f_end <= Seq.length s /\
+ Seq.length x == v i.f_end - v i.f_start)
+ (ensures (
+ let open Core_models.Ops.Range in
+ let out = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in
+ Seq.length out == Seq.length s /\
+ (forall (j:nat). if j < v i.f_start then
+ Seq.index out j == Seq.index s j
+ else if j >= v i.f_start && j < v i.f_end then
+ Seq.index out j == Seq.index x (j - v i.f_start)
+ else if j >= v i.f_end && j < Seq.length out then
+ Seq.index out j == Seq.index s j
+ else True))) =
+ Rust_primitives.Hax.Monomorphized_update_at_Lemmas.lemma_index_update_at_range s i x
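Review bot: The header of Proof_Utils.Lemmas.fst and the comment on `lemma_rotate_left_zero` tie these proofs to the `cryspen/hax` `integer-lemmas` branch, but nothing records which commit of that branch they were checked against. The README in this commit states that hax-lib is pinned to that branch in the workspace `Cargo.toml`. A branch name can move, so the `= ()` proof of `lemma_rotate_left_zero` and the two wrappers may later be checked against different upstream definitions without any change in this repository. Record the commit in the comment, e.g. `(cryspen/hax integer-lemmas branch, checked at <commit>)`, and pin the dependency with `rev = "<commit>"` rather than `branch = …` until a tagged release exists.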
diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.NatFold.fst b/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.NatFold.fst new file mode 100644 index 0000000000..e3e9fd5952 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/Proof_Utils.NatFold.fst 
@@ -0,0 +1,184 @@ +module Proof_Utils.NatFold + +(** Utility module for bridging refined [Rust_primitives.Hax.Folds.fold_range] + calls (as produced by hax extraction) to nat-indexed folds, which SMT + can reason about without closure-equality friction. + + ---------------------------------------------------------------- + Background + ---------------------------------------------------------------- + + Hax extracts Rust `for i in start..end { body }` loops as refined + [Rust_primitives.Hax.Folds.fold_range] calls, typically as inline + lambdas whose argument type carries a [fold_range_wf_index start end_] + refinement. Two such folds can be propositionally equal yet fail to + unify under SMT because F*'s encoding of closures does not identify + α/β/η-equivalent inline lambdas whose refinement types differ only + syntactically. + + Earlier attempts to discharge these equalities via the standard + [fold_range_ext] form ran into the same wall: the pointwise + hypothesis of [fold_range_ext] is a ∀-quantified closure equality, + which SMT cannot prove for hax-extracted lambdas. + + ---------------------------------------------------------------- + Solution + ---------------------------------------------------------------- + + Convert the refined [fold_range] to a *nat-indexed* fold by providing + a plain-nat body [g] that agrees pointwise with the refined body [f]. + Crucially, the pointwise equality is supplied as a *Lemma argument*, + not a ∀-quantified hypothesis — so F* can discharge it at each call + site individually (usually with [()] when both bodies β-reduce to the + same expression). + + Two nat-fold shapes are provided: + + - [fold_nat_range]: body type is [j:nat{j < end_}]. Simplest form; + forces the body to be total on [0, end_). + + - [fold_range_nat]: fixed [start]/[end_], explicit iteration counter + [i], body type is [j:nat{start <= j /\ j < end_}]. 
The body's + refinement mirrors [fold_range_wf_index] directly, which is useful + when the body is meaningfully partial over the window. + + Each shape has a corresponding bridge lemma: + [lemma_fold_range_is_nat] and [lemma_fold_range_is_range_nat]. + + ---------------------------------------------------------------- + Usage pattern + ---------------------------------------------------------------- + + 1. Define a nat-indexed body [g] matching the extractor's inline lambda. + 2. Call the bridge lemma with inline lambdas for [inv]/[f] matching + the fold_range target's syntactic shape. + 3. Discharge the [pointwise] Lemma with [(fun acc i -> ())] when both + bodies β-reduce to the same expression. + 4. Either: + - Unfold [fold_nat_range] / [fold_range_nat] via [T.norm] + + [T.smt ()] for concrete small bounds; or + - Relate the nat-fold to a recursive helper via structural + induction. + + See [EquivImplSpec.Keccakf.Generic.lemma_keccakf1600_is_rounds] for + a real-world application. *) + +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" + +open FStar.Mul +open Core_models +open Rust_primitives.Integers + +(** Nat-indexed fold. Body is total over [[0, end_)]. *) +let rec fold_nat_range + (#acc_t: Type0) + (start end_: nat) + (init: acc_t) + (f: acc_t -> (i: nat{i < end_}) -> acc_t) + : Tot acc_t (decreases end_ - start) + = if start < end_ + then fold_nat_range (start + 1) end_ (f init start) f + else init + +(** Nat-indexed fold with fixed start/end and an explicit iteration counter. + The body is defined on [[start, end_)], mirroring + [Rust_primitives.Hax.Folds.fold_range_wf_index start end_]. 
*) +let rec fold_range_nat + (#acc_t: Type0) + (start end_: nat) + (i: nat{start <= i /\ i <= end_}) + (acc: acc_t) + (f: acc_t -> (j: nat{start <= j /\ j < end_}) -> acc_t) + : Tot acc_t (decreases end_ - i) + = if i < end_ + then fold_range_nat start end_ (i + 1) (f acc i) f + else acc + +(** Bridge: refined [fold_range start end_ inv init f] equals + [fold_nat_range (v start) (v end_) init g] whenever [f] and [g] agree + pointwise on the iteration domain. + + The [pointwise] argument is a Lemma — supplied at the call site — not a + ∀-hypothesis, so the closure-equality problem that blocks + [fold_range_ext] does not arise. *) +#push-options "--fuel 1 --ifuel 1 --z3rlimit 200" +let rec lemma_fold_range_is_nat + (#acc_t: Type0) (#u: uinttype) + (start end_: int_t u) + (inv: acc_t -> (i:int_t u{Rust_primitives.Hax.Folds.fold_range_wf_index start end_ false (v i)}) -> Type0) + (init: acc_t {~(Rust_primitives.Hax.Folds.range_empty start end_) ==> inv init start}) + (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ Rust_primitives.Hax.Folds.fold_range_wf_index start end_ true (v i) /\ inv acc i} + -> acc':acc_t {inv acc' (mk_int (v i + 1))})) + (g: acc_t -> (i: nat{i < v end_}) -> acc_t) + (pointwise: + (acc: acc_t) + -> (i: int_t u {v i <= v end_ /\ Rust_primitives.Hax.Folds.fold_range_wf_index start end_ true (v i) /\ inv acc i}) + -> Lemma (f acc i == g acc (v i))) + : Lemma (ensures Rust_primitives.Hax.Folds.fold_range start end_ inv init f == + fold_nat_range (v start) (v end_) init g) + (decreases v end_ - v start) + = if v start < v end_ + then begin + pointwise init start; + lemma_fold_range_is_nat + (start +! mk_int 1) end_ inv (f init start) f g + (fun acc i -> pointwise acc i) + end + else () +#pop-options + +(** Bridge: refined [fold_range i end_ inv acc f] equals + [fold_range_nat (v start) (v end_) (v i) acc g] whenever [f] and [g] + agree pointwise on [[start, end_)]. 
+ + Unlike [lemma_fold_range_is_nat], [start] and [end_] stay fixed across + recursion — only [i] advances. This keeps the body's refinement + [fold_range_wf_index start end_] constant, which can simplify the + pointwise proof when the body uses [j - start], [j - i], modular + arithmetic, etc. *) +#push-options "--fuel 1 --ifuel 1 --z3rlimit 200" +let rec lemma_fold_range_is_range_nat + (#acc_t: Type0) (#u: uinttype) + (start end_: int_t u) + (i: int_t u {v start <= v i /\ v i <= v end_}) + (inv: acc_t -> (j:int_t u{Rust_primitives.Hax.Folds.fold_range_wf_index i end_ false (v j)}) -> Type0) + (acc: acc_t {~(Rust_primitives.Hax.Folds.range_empty i end_) ==> inv acc i}) + (f: (a:acc_t -> j:int_t u {v j <= v end_ /\ Rust_primitives.Hax.Folds.fold_range_wf_index i end_ true (v j) /\ inv a j} + -> a':acc_t {inv a' (mk_int (v j + 1))})) + (g: acc_t -> (j: nat{v start <= j /\ j < v end_}) -> acc_t) + (pointwise: + (a: acc_t) + -> (j: int_t u {v j <= v end_ /\ Rust_primitives.Hax.Folds.fold_range_wf_index i end_ true (v j) /\ inv a j}) + -> Lemma (f a j == g a (v j))) + : Lemma (ensures Rust_primitives.Hax.Folds.fold_range i end_ inv acc f == + fold_range_nat (v start) (v end_) (v i) acc g) + (decreases v end_ - v i) + = if v i < v end_ + then begin + pointwise acc i; + lemma_fold_range_is_range_nat + start end_ (i +! mk_int 1) inv (f acc i) f g + (fun a j -> pointwise a j) + end + else () +#pop-options + +(** Direct unrolling of a [fold_range 0 5]: the fold equals five sequential + applications of the body. + + Useful when the body is a refined inline lambda that would be painful + to bridge via [lemma_fold_range_is_nat] / [lemma_fold_range_is_range_nat]. + Instead, specialize [f] to the extracted lambda: F* β-reduces each + application, yielding a direct expression the SMT can chain through + with a small fuel budget. 
*) +#push-options "--fuel 6 --ifuel 2 --z3rlimit 200" +let lemma_fold_range_unroll_5 + (#acc_t: Type0) (#u: uinttype) + (inv: acc_t -> (i:int_t u{Rust_primitives.Hax.Folds.fold_range_wf_index (mk_int #u 0) (mk_int #u 5) false (v i)}) -> Type0) + (init: acc_t {inv init (mk_int #u 0)}) + (f: (acc:acc_t -> i:int_t u {v i <= 5 /\ Rust_primitives.Hax.Folds.fold_range_wf_index (mk_int #u 0) (mk_int #u 5) true (v i) /\ inv acc i} + -> acc':acc_t {inv acc' (mk_int #u (v i + 1))})) + : Lemma (Rust_primitives.Hax.Folds.fold_range #acc_t #u (mk_int #u 0) (mk_int #u 5) inv init f == + f (f (f (f (f init (mk_int #u 0)) (mk_int #u 1)) (mk_int #u 2)) (mk_int #u 3)) (mk_int #u 4)) + = () +#pop-options diff --git a/crates/algorithms/sha3/proofs/fstar/equivalence/README.md b/crates/algorithms/sha3/proofs/fstar/equivalence/README.md new file mode 100644 index 0000000000..05bde82972 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/equivalence/README.md 
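Review bot: The doc comment on `lemma_fold_range_is_range_nat` in Proof_Utils.NatFold.fst says that fixing `start`/`end_` "keeps the body's refinement [fold_range_wf_index start end_] constant", which does not match the signature. `inv`, `f` and `pointwise` are refined by `fold_range_wf_index i end_`, and `i` advances on every recursive call (`i +! mk_int 1`); only the domain of `g`, `{v start <= j /\ j < v end_}`, stays fixed. The comment should say that, for example `Only [g]'s domain [start <= j < end_] is fixed across the recursion; [inv], [f] and [pointwise] are still indexed by the current [i].` A caller reading the current wording would expect to state `pointwise` against `start`, which the types do not allow.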
@@ -0,0 +1,161 @@ +# Portable keccakf1600 ↔ Hacspec equivalence proofs + +F\* proofs that the libcrux SHA-3 **portable** keccakf1600 permutation +(`Libcrux_sha3.Generic_keccak.impl_2__keccakf1600` instantiated at `N=1, T=u64`) +agrees with the Hacspec specification (`Hacspec_sha3.Keccak_f.keccak_f`) on +every input state. + +## Top-level theorems + +The portable instantiation: + +```fstar +val lemma_keccakf1600_portable + (ks: Libcrux_sha3.Generic_keccak.t_KeccakState (mk_usize 1) u64) + : Lemma + ((Libcrux_sha3.Generic_keccak.impl_2__keccakf1600 (mk_usize 1) #u64 ks) + .Libcrux_sha3.Generic_keccak.f_st == + Hacspec_sha3.Keccak_f.keccak_f ks.Libcrux_sha3.Generic_keccak.f_st) +``` + +(Source: `EquivImplSpec.Keccakf.Portable.fst`.) + +The generic theorem, parametric over any `KeccakItem` backend that supplies +a `lane_correctness` record: + +```fstar +val lemma_keccakf1600_to_spec + (v_N: usize) (#v_T: Type0) + {| inst: Libcrux_sha3.Traits.t_KeccakItem v_T v_N |} + (lc: lane_correctness v_N #v_T) + (ks: Libcrux_sha3.Generic_keccak.t_KeccakState v_N v_T) + (l: nat{l < v v_N}) + : Lemma + (extract_lane v_N lc + (Libcrux_sha3.Generic_keccak.impl_2__keccakf1600 v_N #v_T ks) + .Libcrux_sha3.Generic_keccak.f_st l == + Hacspec_sha3.Keccak_f.keccak_f + (extract_lane v_N lc ks.Libcrux_sha3.Generic_keccak.f_st l)) +``` + +(Source: `EquivImplSpec.Keccakf.Generic.fst`.) + +The generic theorem is the reusable boundary: future Arm64 (Neon) and +AVX2 PRs only need to populate a `lane_correctness` record at their +respective `(N=2, T=uint64x2_t)` and `(N=4, T=__m256i)` to inherit the +keccakf1600 ↔ spec equivalence. + +## Scope + +PR-2 establishes two distinct claims: + +### Panic-freedom (Spec + Implementation) + +Both the Hacspec SHA-3 specification and the libcrux SHA-3 implementation +panic-free typecheck under hax → F\*. 
That is: every `requires` precondition +is sufficient to discharge any panic-introducing operation in the body +(slice indexing, integer overflow, `unwrap`, etc.) — no runtime panics +are reachable from any Rust call site that satisfies the documented +preconditions. + +| Module | Status | +| --- | --- | +| `Hacspec_sha3.{Keccak_f, Sha3, Sponge}` (spec) | Panic-free typecheck | +| `Libcrux_sha3.{lib, traits, proof_utils, simd.portable}` (generic / portable utilities) | Panic-free typecheck | +| `Libcrux_sha3.Generic_keccak.{Constants, Portable, Xof}` (sponge + state) | Panic-free typecheck | +| `Libcrux_sha3.Portable.{Incremental.*}` (top-level portable API + XOF wrappers) | Panic-free typecheck | + +This claim covers the entire portable surface — including the sponge +layer, XOF API, and SHA-3/SHAKE digest wrappers — even though no +equivalence theorem about them is proven yet. + +### Implementation ↔ Spec correctness + +The portable `keccakf1600` permutation is proven to compute exactly the +same value as the Hacspec specification on every input state. + +| Layer | Status in this PR | +| --- | --- | +| Portable keccakf1600 ↔ `Hacspec_sha3.Keccak_f.keccak_f` | **Proven** (`lemma_keccakf1600_portable`) | +| Generic-over-`T` keccakf1600 ↔ spec | **Proven** (`lemma_keccakf1600_to_spec`, parametric on `lane_correctness`) | +| Sponge layer (absorb / squeeze / XOF) ↔ `Hacspec_sha3.Sponge.*` | Out of scope; ships separately | +| Top-level digest API (`sha3_*`, `shake*`) ↔ `Hacspec_sha3.Sha3.*` | Out of scope; depends on sponge equivalence | +| Arm64 Neon backend ↔ spec | Out of scope; ships separately | +| AVX2 backend ↔ spec | Out of scope; ships separately | + +## Modules + +| File | Purpose | +| --- | --- | +| `EquivImplSpec.Keccakf.Generic.fst` | 2024 LoC, ~72 lemmas — `lane_correctness` boundary, per-step `theta`/`rho`/`pi`/`chi`/`iota` extract-lane lemmas, and `lemma_keccakf1600_to_spec`. 
| +| `EquivImplSpec.Keccakf.Portable.fst` | Instantiates `Generic` for `(N=1, T=u64)` (all 7 `lane_correctness` fields by reflexivity) and exports `lemma_keccakf1600_portable`. | +| `EquivImplSpec.Keccakf.ChiFold.fst` | Per-position equality lemma chaining the impl's chi unrolled form to the spec's `chi_inner_val`. | +| `EquivImplSpec.Keccakf.SpecRounds.fst` | Spec-side iteration helper: `lemma_keccak_f_is_rounds`. | +| `Proof_Utils.NatFold.fst` | Reusable lemmas about natural-number folds over ranges. | +| `Proof_Utils.FoldRange.fst` | Single step lemma for `fold_range` chunk decomposition. | +| `Proof_Utils.Lemmas.fst` | Thin wrappers around upstream hax-lib lemmas (`logand_commutative`, `lemma_rotate_left_zero`, `lemma_index_update_at_range`). | + +The `../stubs/Spec.Utils.{fst,fsti}` workaround keeps a small surface of +the cross-crate `Libcrux_intrinsics.Avx2_extract.fsti` references resolved +without pulling in libcrux-ml-kem's full `Spec.Utils`. + +## Dependencies + +- **hax-lib**: pinned to the `cryspen/hax:integer-lemmas` branch (workspace + `Cargo.toml`). Several `Proof_Utils.Lemmas` wrappers cite upstream lemmas + that today live only on that branch; an upstream PR is in flight to merge + these into hax main, after which the pin will move to a tagged release. +- **Spec**: the Hacspec SHA-3 specification at `specs/sha3/`, extracted to + `Hacspec_sha3.{Keccak_f, Sponge, Sha3}` modules. + +## Building + +From the crate root, with the workspace's `fstar-helpers/Makefile.base` set up: + +```sh +make -C proofs/fstar/equivalence +``` + +Or, equivalently, via the wrapper script: + +```sh +bash hax.sh prove # extraction + sponge-and-above panic-free typecheck +make -C proofs/fstar/equivalence # equivalence proofs +``` + +A cold-cache full build of the seven equivalence ROOTs takes roughly +**7–8 minutes** on a 12-thread laptop with `JOBS=2`; the panic-free +typecheck of sponge-and-above takes another **~90 seconds**. 
+ +Per-module verification times (cold cache, no hint replay): + +| Module | Wall time | Notes | +| --- | --- | --- | +| `EquivImplSpec.Keccakf.Generic` | ~175 s | 72 lemmas; rho/theta/pi extract-lane, `lemma_keccakf1600_to_spec`. | +| `EquivImplSpec.Keccakf.ChiFold` | ~127 s | dominated by `lemma_chi_outer_unfolds_generic` (one query at fuel=6, rlimit=800, ~108 s). | +| `EquivImplSpec.Keccakf.SpecRounds` | ~3 s | spec-side `fold_range` bridge. | +| `EquivImplSpec.Keccakf.Portable` | <1 s | `lane_correctness` instantiation by reflexivity. | +| `Proof_Utils.{NatFold, FoldRange, Lemmas}` | <1 s combined | thin upstream-lemma wrappers. | + +Hint files (`*.hints`) are recorded under the workspace +`.fstar-cache/hints/` directory after the first successful build; F\* +replays them on subsequent runs and the wall time drops to seconds. + +## Verification status + +The crate ships a `proofs/generate_verification_status.sh` helper that +classifies each Rust function by its proof tier (lax / unverified / +panic-free / math / bounds / hacspec) and writes a Markdown table to +`proofs/verification_status.md`. Run it any time after re-extraction: + +```sh +bash proofs/generate_verification_status.sh --config proofs/verification_status.config.json --root . +``` + +## Future work (out of scope for this PR) + +- Sponge-level equivalence: `EquivImplSpec.Sponge.{Generic, Portable}.*` + (load_block / store_block / absorb / squeeze ↔ spec). +- Arm64 (Neon) `lane_correctness` instance; AVX2 `lane_correctness` instance. +- Top-level digest API equivalence (`sha3_224`, `sha3_256`, `shake128`, + `shake256`, …) once the sponge layer is proven. diff --git a/crates/algorithms/sha3/proofs/fstar/stubs/Spec.Utils.fst b/crates/algorithms/sha3/proofs/fstar/stubs/Spec.Utils.fst new file mode 100644 index 0000000000..afd61d8fa1 --- /dev/null +++ b/crates/algorithms/sha3/proofs/fstar/stubs/Spec.Utils.fst 
@@ -0,0 +1,4 @@
+module Spec.Utils
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+
+let mul_mod (x y: i16) : i16 = x *. y
diff --git a/crates/algorithms/sha3/proofs/fstar/stubs/Spec.Utils.fsti b/crates/algorithms/sha3/proofs/fstar/stubs/Spec.Utils.fsti
new file mode 100644
index 0000000000..738f7af87a
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/fstar/stubs/Spec.Utils.fsti
@@ -0,0 +1,31 @@
+module Spec.Utils
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+
+/// Minimal stub re-exporting the small surface of Spec.Utils that
+/// `Libcrux_intrinsics.Avx2_extract.fsti` references. The real
+/// definitions live in `libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fsti`,
+/// but the SHA-3 proofs do not exercise those intrinsics, so a stub
+/// keeps the typecheck self-contained.
+///
+/// All functions are total wrappers around `Seq.init` so that signatures
+/// in `Avx2_extract.fsti` resolve.
+
+open Rust_primitives
+
+let create #a (len: usize) (c: a) : t_Array a len =
+ Seq.create (v len) c
+
+let create16 #a (v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15: a)
+ : t_Array a (sz 16) =
+ let l = [v0; v1; v2; v3; v4; v5; v6; v7; v8; v9; v10; v11; v12; v13; v14; v15] in
+ assert_norm (List.Tot.length l == 16);
+ Seq.seq_of_list l
+
+let map2 #a #b #c #len (f: a -> b -> c) (x: t_Array a len) (y: t_Array b len)
+ : t_Array c len =
+ Seq.init (v len) (fun i -> f (Seq.index x i) (Seq.index y i))
+
+let map_array #a #b #len (f: a -> b) (s: t_Array a len) : t_Array b len =
+ Seq.init (v len) (fun i -> f (Seq.index s i))
+
+val mul_mod (x y: i16) : i16
diff --git a/crates/algorithms/sha3/proofs/generate_verification_status.py b/crates/algorithms/sha3/proofs/generate_verification_status.py
new file mode 100755
index 0000000000..4c187d74b2
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/generate_verification_status.py
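Review bot: The header of stubs/Spec.Utils.fsti says all functions are total wrappers around `Seq.init`, but only `map2` and `map_array` use it. `create` uses `Seq.create`, `create16` uses `Seq.seq_of_list`, and `mul_mod` is a `val` whose body in stubs/Spec.Utils.fst is `x *. y`. Because the stub reuses the module name of the real `Spec.Utils` from libcrux-ml-kem, any proof that ends up with `../stubs` on its include path would be checked against these definitions instead, and `mul_mod` here may not match the ML-KEM one. The header should say so, e.g. `/// Stub only: keep ../stubs off every include path except the SHA-3 proofs; mul_mod is a placeholder, not the ML-KEM definition.`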
@@ -0,0 +1,907 @@ +#!/usr/bin/env python3 +"""Generate per-crate verification_status.md from Rust source annotations and the F* Makefile. + +Reusable across libcrux-ml-kem, libcrux-ml-dsa, libcrux-sha3 via a JSON config file +(verification_status.config.json) that sits next to the per-crate Makefile. + +Classification (highest tier wins; in order from worst to best): + - lax: module in ADMIT_MODULES, OR fn has #[hax_lib::fstar::verification_status(lax)], + OR fn has #[hax_lib::fstar::options("--admit_smt_queries true")] pragma, + OR fn body has an inline admit at non-terminal position. + - panic_free: not lax, AND (verification_status(panic_free) + OR no #[ensures(...)] annotation + OR a single TERMINAL inline admit). + - correct: not lax, has a non-trivial ensures (matches range/spec patterns), and no body admit. + +CLI: + generate_verification_status.py [--root PATH] [--config PATH] [--output PATH] + [--diff PREV CURR] [--all-body-admits-lax] +""" + +import argparse +import json +import os +import re +import sys + +DEFAULT_ML_KEM_CONFIG = { + "crate_name": "ML-KEM", + "src_dir": "src", + "makefile": "proofs/fstar/extraction/Makefile", + "extraction_dir": "proofs/fstar/extraction", + "output": "proofs/verification_status.md", + "admit_module_prefix": "Libcrux_ml_kem.", + "spec_patterns": [ + r"Hacspec_ml_kem\.", + r"Spec\.Utils\.v_G", r"Spec\.Utils\.v_H", r"Spec\.Utils\.v_PRF", + r"to_spec_poly_t", r"to_spec_vector_t", r"to_spec_matrix_t", + r"Traits\.Spec\.\w+_post", + ], + "range_patterns": [ + r"is_i16b", r"is_bounded_poly", r"is_bounded_vector", + r"\bbounded\b", r"is_intb", r"is_i32b", + ], + "modules": [ + {"category": "Generic", "display": "constant_time_ops", "paths": ["constant_time_ops"]}, + {"category": "Generic", "display": "hash_functions", "paths": ["hash_functions"]}, + {"category": "Generic", "display": "ind_cpa", "paths": ["ind_cpa"]}, + {"category": "Generic", "display": "ind_cca", "paths": ["ind_cca"]}, + {"category": "Generic", "display": 
"instantiations", + "paths": ["ind_cca/instantiations", "ind_cca/instantiations/avx2"]}, + {"category": "Generic", "display": "multiplexing", + "paths": ["ind_cca/multiplexing", "ind_cca/incremental/multiplexing"]}, + {"category": "Generic", "display": "polynomial", "paths": ["polynomial"]}, + {"category": "Generic", "display": "invert_ntt", "paths": ["invert_ntt"]}, + {"category": "Generic", "display": "ntt", "paths": ["ntt"]}, + {"category": "Generic", "display": "mlkem*", + "paths": ["mlkem", "mlkem512", "mlkem768", "mlkem1024"]}, + {"category": "Generic", "display": "matrix", "paths": ["matrix"]}, + {"category": "Generic", "display": "serialize", "paths": ["serialize"]}, + {"category": "Generic", "display": "sampling", "paths": ["sampling"]}, + {"category": "Portable", "display": "arithmetic", "paths": ["vector/portable/arithmetic"]}, + {"category": "Portable", "display": "ntt", "paths": ["vector/portable/ntt"]}, + {"category": "Portable", "display": "serialize", "paths": ["vector/portable/serialize"]}, + {"category": "Portable", "display": "compress", "paths": ["vector/portable/compress"]}, + {"category": "Portable", "display": "sampling", "paths": ["vector/portable/sampling"]}, + {"category": "Portable", "display": "vector", "paths": ["vector/portable"]}, + {"category": "Avx2", "display": "arithmetic", "paths": ["vector/avx2/arithmetic"]}, + {"category": "Avx2", "display": "ntt", "paths": ["vector/avx2/ntt"]}, + {"category": "Avx2", "display": "serialize", "paths": ["vector/avx2/serialize"]}, + {"category": "Avx2", "display": "compress", "paths": ["vector/avx2/compress"]}, + {"category": "Avx2", "display": "sampling", "paths": ["vector/avx2/sampling"]}, + {"category": "Avx2", "display": "vector", "paths": ["vector/avx2"]}, + {"category": "Neon", "display": "arithmetic", "paths": ["vector/neon/arithmetic"]}, + {"category": "Neon", "display": "ntt", "paths": ["vector/neon/ntt"]}, + {"category": "Neon", "display": "compress", "paths": ["vector/neon/compress"]}, 
+ {"category": "Neon", "display": "serialize", "paths": ["vector/neon/serialize"]}, + {"category": "Neon", "display": "sampling", "paths": ["vector/neon/sampling"]}, + ], +} + + +# ============================================================================ +# Text scanning utilities +# ============================================================================ + +def find_matching_bracket(text, start, open_ch="[", close_ch="]"): + """From position `start` (which should point AT the open bracket), + find the position after the matching close bracket. + Skips raw strings r#"..."# and regular strings "...". + Returns (end_pos, substring) or (-1, "") if not found.""" + depth = 0 + i = start + while i < len(text): + if text[i:i+3] == 'r#"': + end = text.find('"#', i + 3) + if end == -1: + return -1, "" + i = end + 2 + continue + if text[i] == '"': + i += 1 + while i < len(text) and text[i] != '"': + if text[i] == '\\': + i += 1 + i += 1 + i += 1 + continue + if text[i:i+2] == '//' and (i < 2 or text[i-1] != '*'): + nl = text.find('\n', i) + if nl == -1: + break + i = nl + 1 + continue + if text[i:i+2] == '/*': + end = text.find('*/', i + 2) + if end == -1: + break + i = end + 2 + continue + if text[i] == open_ch: + depth += 1 + elif text[i] == close_ch: + depth -= 1 + if depth == 0: + return i + 1, text[start:i + 1] + i += 1 + return -1, "" + + +# ============================================================================ +# Config loading +# ============================================================================ + +def load_config(config_path, root): + """Load JSON config from disk. 
Falls back to root/proofs/verification_status.config.json, + then to the baked-in ML-KEM default.""" + if config_path: + with open(config_path) as f: + return json.load(f) + fallback = os.path.join(root, "proofs", "verification_status.config.json") + if os.path.isfile(fallback): + with open(fallback) as f: + return json.load(f) + return DEFAULT_ML_KEM_CONFIG + + +# ============================================================================ +# ADMIT_MODULES parsing +# ============================================================================ + +def _parse_makefile_var(makefile_path, var_name, prefix): + """Generic helper: read a Makefile variable that lists `prefix`-prefixed + module names (one per line, possibly continued with `\\`), and return them + as a set of `src/.rs` paths. + + Mirrors `list_extracted_modules`'s name-mangling treatment: strips a single + trailing `_` from each segment (hax appends it to F* identifiers ending in + a digit).""" + if not os.path.isfile(makefile_path): + return set() + paths = set() + in_var = False + with open(makefile_path) as f: + for line in f: + if line.startswith(var_name): + in_var = True + if in_var: + for token in line.split(): + if token.startswith(prefix): + mod = token[len(prefix):] + mod = mod.removesuffix(".fst").removesuffix(".fsti") + segments = [s.rstrip('_') for s in mod.split('.')] + path = '/'.join(s.lower() for s in segments) + paths.add(f"src/{path}.rs") + if not line.rstrip().endswith("\\"): + in_var = False + return paths + + +def parse_admit_modules(makefile_path, prefix, extracted_paths=None): + """Read the F* extraction Makefile and return the set of source paths + classified as admitted. + + Two Makefile patterns are supported: + 1. Explicit `ADMIT_MODULES = ...` list (e.g. ml-kem). Direct read. + 2. Inverted list: `VERIFIED_MODULES = ...` plus + `ADMIT_MODULES = $(filter-out ${VERIFIED_OR_SLOW_MODULES}, $(wildcard *.fst))` + (e.g. ml-dsa). 
Admit = `extracted_paths` − `VERIFIED_MODULES` − `SLOW_MODULES`. + Caller must supply `extracted_paths` for this case to work. + """ + explicit = _parse_makefile_var(makefile_path, "ADMIT_MODULES", prefix) + verified = _parse_makefile_var(makefile_path, "VERIFIED_MODULES", prefix) + if verified and extracted_paths is not None: + slow = _parse_makefile_var(makefile_path, "SLOW_MODULES", prefix) + return extracted_paths - verified - slow + return explicit + + +def list_extracted_modules(extraction_dir, prefix, src_dir=None): + """Scan the F* extraction directory and return the set of `src/.rs` + paths covered by an extracted F* module (.fst or .fsti). + + Coverage rules: + * Direct: `Libcrux_.Foo.Bar.fst` → `src/foo/bar.rs`. + * Trailing-underscore mangling: hax appends `_` to F* segments whose + Rust identifier ends in a digit (e.g. `Ml_dsa_44_`). We strip a + single trailing `_` from each segment when reverse-mapping. + * Ancestor coverage: if `Libcrux_.Foo.Bar.Baz.fst` exists and + `src/foo/bar.rs` is a real file (e.g. parent module that uses a + hax macro to generate per-variant submodules), `src/foo/bar.rs` is + also marked extracted. Requires `src_dir` to be passed. + + A Rust module that ends up NOT in this set was filtered out of the + extraction via `-i -::**` in hax.py and is unverified.""" + if not os.path.isdir(extraction_dir): + return set() + extracted = set() + for fname in os.listdir(extraction_dir): + if not fname.startswith(prefix): + continue + if not (fname.endswith('.fst') or fname.endswith('.fsti')): + continue + mod = fname[len(prefix):] + mod = mod.removesuffix('.fsti').removesuffix('.fst') + # Bare crate-name file (e.g. `Libcrux_sha3.fst`) — hax extracts + # `src/lib.rs` to the prefix-only `.fst`/`.fsti`. After stripping + # the trailing dot from the prefix and the suffix, what remains + # is the bare suffix string `fst`/`fsti` with no leading dot for + # `removesuffix('.fst')` to bite. Map it to `src/lib.rs`. 
+ if mod in ('fst', 'fsti'): + extracted.add('src/lib.rs') + continue + # Strip trailing-underscore mangling per-segment. + segments = [s.rstrip('_') for s in mod.split('.')] + # Direct mapping + leaf = '/'.join(s.lower() for s in segments) + extracted.add(f"src/{leaf}.rs") + # Ancestor coverage: walk up the segment list, register parent + # `.rs` files that actually exist on disk. + if src_dir is not None: + for n in range(len(segments) - 1, 0, -1): + anc = '/'.join(s.lower() for s in segments[:n]) + anc_path = os.path.join(src_dir, f"{anc}.rs") + if os.path.isfile(anc_path): + extracted.add(f"src/{anc}.rs") + return extracted + + +# ============================================================================ +# Per-file parser +# ============================================================================ + +FN_RE = re.compile( + r"^\s*(pub(\([a-z]+\))?\s+)?(const\s+)?(async\s+)?(unsafe\s+)?fn\s" +) +# Non-fn item declarations — cause us to clear pending attributes so they +# don't drift onto a fn that appears later. We do NOT apply per-fn attributes +# (verification_status / opaque / options-pragma) to these. +NON_FN_ITEM_RE = re.compile( + r"^\s*(pub(\([a-z]+\))?\s+)?" + r"(unsafe\s+)?" + r"(struct|enum|union|type|impl|trait|mod|static|const)\s" +) +VSTATUS_RE = re.compile(r"verification_status\((lax|panic_free)\)") +ADMIT_PRAGMA_RE = re.compile(r"--admit_smt_queries\s+true") +INLINE_ADMIT_RE = re.compile(r"\badmit\s*\(\s*\)|admit_smt_queries\s+true") +# `#[hax_lib::opaque]` (without args, no `_to_smt` suffix) — applied only to fns. +# `\b` word-boundary won't match inside `opaque_to_smt` because `_` is a word char, +# so this regex correctly excludes that variant. +OPAQUE_ATTR_RE = re.compile(r"\bhax_lib::opaque\b") + + +def classify_ensures(text, spec_re, range_re): + """Return the highest proof tier reached by an ensures annotation: + - 'hacspec': ensures cites the high-level mathematical spec (Spec.MLKEM/MLDSA/...). 
+ - 'bounds': ensures uses range/interval predicates (is_i16b, is_bounded_*, ...). + - 'math': ensures present but doesn't match spec or bounds patterns + (proves SOME non-trivial property, but neither a bound nor spec equivalence). + """ + if spec_re.search(text): + return "hacspec" + if range_re.search(text): + return "bounds" + return "math" + + +def _strip_fstar_comments(content): + """Remove F* line/block comments from a fstar!() macro's content so we don't + false-match `admit ()` text inside an explanatory comment.""" + # F* line comments: // ... + content = re.sub(r'//[^\n]*', '', content) + # F* block comments: (* ... *) — non-greedy, multi-line. + content = re.sub(r'\(\*.*?\*\)', '', content, flags=re.DOTALL) + return content + + +def has_body_admit(text, body_open_pos, body_close_pos): + """Return True if the function body contains an inline admit inside a + hax_lib::fstar! block. F* comments inside the macro are stripped first.""" + macro_re = re.compile(r"\b(?:hax_lib::)?fstar\s*!\s*\(") + for m in macro_re.finditer(text, body_open_pos, body_close_pos): + paren_pos = m.end() - 1 # position of `(` + end_paren, content = find_matching_bracket(text, paren_pos, '(', ')') + if end_paren <= 0: + continue + cleaned = _strip_fstar_comments(content) + if INLINE_ADMIT_RE.search(cleaned): + return True + return False + + +def _find_fn_body_brace(text, fn_start): + """Find the position of the function-body opening `{` after `fn_start`. + Skips angle-brackets `<>` and parens `()` for generics and params. 
+ Returns position of `{`, or None if a `;` (bare signature) or EOF is reached first.""" + angle_depth = 0 + paren_depth = 0 + i = fn_start + while i < len(text): + if text[i:i+3] == 'r#"': + end = text.find('"#', i + 3) + if end == -1: + return None + i = end + 2 + continue + if text[i] == '"': + i += 1 + while i < len(text) and text[i] != '"': + if text[i] == '\\': + i += 1 + i += 1 + i += 1 + continue + if text[i:i+2] == '//': + nl = text.find('\n', i) + if nl == -1: + return None + i = nl + 1 + continue + if text[i:i+2] == '/*': + end = text.find('*/', i + 2) + if end == -1: + return None + i = end + 2 + continue + c = text[i] + if c == '<': + angle_depth += 1 + elif c == '>': + if angle_depth > 0: + angle_depth -= 1 + elif c == '(': + paren_depth += 1 + elif c == ')': + if paren_depth > 0: + paren_depth -= 1 + elif c == '{' and angle_depth == 0 and paren_depth == 0: + return i + elif c == ';' and angle_depth == 0 and paren_depth == 0: + return None # bare signature, no body + i += 1 + return None + + +def parse_file(filepath, spec_re, range_re): + """Parse a Rust source file, returning a list of per-function dicts: + { 'line': int, 'vstatus': 'lax'|'panic_free'|None, + 'ensures_level': 'spec'|'range'|'panic_free'|None, + 'body_admit': bool } + Body admits (options-pragma OR inline `admit ()`) all classify as lax.""" + with open(filepath) as f: + text = f.read() + lines = text.split('\n') + line_offsets = [] + offset = 0 + for line in lines: + line_offsets.append(offset) + offset += len(line) + 1 + + functions = [] + pending_vstatus = None + pending_options_admit = False + pending_opaque = False + ensures_text = "" + skip_until = 0 + + def reset_pending(): + nonlocal pending_vstatus, pending_options_admit, pending_opaque, ensures_text + pending_vstatus = None + pending_options_admit = False + pending_opaque = False + ensures_text = "" + + for lineno, line in enumerate(lines): + line_start = line_offsets[lineno] + stripped = line.rstrip() + + if line_start < 
skip_until: + continue + + # Skip fstar::before(...) and fstar::after(...) blocks (their content + # may contain admits or ensures-keywords inside F* lemma bodies). + skipped = False + for skip_pat in ['fstar::before(', 'fstar::after(']: + idx = stripped.find(skip_pat) + if idx >= 0: + paren_pos = line_start + idx + len(skip_pat) - 1 + end_pos, _ = find_matching_bracket(text, paren_pos, '(', ')') + if end_pos > 0: + skip_until = end_pos + skipped = True + break + if skipped: + continue + + # `#[hax_lib::opaque]` attribute (function-only — see NON_FN_ITEM_RE handling). + # Detected separately because it's a standalone-bracket attribute with no args. + opaque_match = re.search(r'#\[hax_lib::opaque\]', stripped) + if opaque_match: + pending_opaque = True + continue + + # verification_status attribute + m = VSTATUS_RE.search(stripped) + if m: + pending_vstatus = m.group(1) + continue + + # options pragma — check for --admit_smt_queries true + if 'fstar::options' in stripped: + attr_start = stripped.find('#[') + if attr_start >= 0: + attr_bracket_pos = line_start + attr_start + 1 + end_pos, attr_text = find_matching_bracket(text, attr_bracket_pos, '[', ']') + if end_pos > 0: + if ADMIT_PRAGMA_RE.search(attr_text): + pending_options_admit = True + skip_until = end_pos + continue + + # ensures attribute + ensures_match = re.search(r'#\[(hax_lib::)?ensures\(', stripped) + if ensures_match: + if re.match(r"\s*//", stripped): + continue + hash_bracket = stripped.find('#[', ensures_match.start()) + if hash_bracket == -1: + hash_bracket = ensures_match.start() + attr_bracket_pos = line_start + hash_bracket + 1 + end_pos, attr_text = find_matching_bracket(text, attr_bracket_pos, '[', ']') + if end_pos > 0: + ensures_text = attr_text + skip_until = end_pos + continue + + # function definition — check BEFORE NON_FN_ITEM_RE so `const fn` / + # `async fn` aren't mistaken for `const` / non-fn items. 
+ if FN_RE.match(stripped): + ensures_level = classify_ensures(ensures_text, spec_re, range_re) if ensures_text else None + + body_admit = False + if pending_options_admit: + body_admit = True + else: + fn_brace = _find_fn_body_brace(text, line_start) + if fn_brace is not None: + body_close, _ = find_matching_bracket(text, fn_brace, '{', '}') + if body_close > 0: + body_admit = has_body_admit(text, fn_brace, body_close) + + # `#[hax_lib::opaque]` is a function-only marker meaning the body + # is intentionally hidden from F* — equivalent to lax. + functions.append({ + 'line': lineno + 1, + 'vstatus': pending_vstatus, + 'ensures_level': ensures_level, + 'body_admit': body_admit, + 'opaque': pending_opaque, + }) + + reset_pending() + continue + + # Non-fn item — clear pending fn-only attributes so they don't drift + # onto the next fn we encounter. + if NON_FN_ITEM_RE.match(stripped): + reset_pending() + + return functions + + +# ============================================================================ +# Accounting +# ============================================================================ + +def compute_module_stats(funcs, in_admit_module, is_unverified): + """Per-module classification accounting. + + Each function is classified at exactly ONE proof tier (highest wins): + - lax : admitted (vstatus=lax, body admit, options-pragma admit, opaque) + - unverified : Rust module has no F* extraction (filtered out by hax) + - hacspec : ensures matches spec_patterns (cites high-level mathematical spec) + - bounds : ensures matches range_patterns (bounds/interval predicates only) + - math : ensures present but matches neither pattern (some non-trivial property) + - panic_free : no ensures at all, or vstatus=panic_free explicitly + + The `panic_safe` aggregate = panic_free + math + bounds + hacspec + (everything proven free of panics). 
+ """ + base = { + 'total': len(funcs), + 'lax': 0, 'unverified': 0, + 'panic_free': 0, 'math': 0, 'bounds': 0, 'hacspec': 0, + 'body_admit_sites': [], + } + if is_unverified: + base['unverified'] = len(funcs) + return base + if in_admit_module: + base['lax'] = len(funcs) + return base + + body_admit_sites = [] + + for fn in funcs: + is_lax = fn['vstatus'] == 'lax' or fn['body_admit'] or fn.get('opaque', False) + if is_lax: + base['lax'] += 1 + if fn['body_admit']: + body_admit_sites.append(fn['line']) + continue + + # vstatus=panic_free or no ensures → panic_free (lowest verified tier) + if fn['vstatus'] == 'panic_free' or fn['ensures_level'] is None: + base['panic_free'] += 1 + continue + + # has ensures — classify by tier (hacspec > bounds > math) + lvl = fn['ensures_level'] + if lvl == 'hacspec': + base['hacspec'] += 1 + elif lvl == 'bounds': + base['bounds'] += 1 + else: # 'math' or unknown + base['math'] += 1 + + base['body_admit_sites'] = body_admit_sites + return base + + +# ============================================================================ +# Output: status Markdown +# ============================================================================ + +PREAMBLE = """# {crate} Verification Status + +This file is auto-generated by `proofs/generate_verification_status.py`. + +Each function is classified at exactly one proof tier (highest wins): + +- **Lax**: module in `ADMIT_MODULES`, OR fn has `#[hax_lib::fstar::verification_status(lax)]`, + OR `#[hax_lib::fstar::options("--admit_smt_queries true")]`, OR `#[hax_lib::opaque]` + (body hidden from F\\*; distinct from F\\*'s `opaque_to_smt`), OR an inline `admit ()` + in the body. +- **Unverified**: Rust module not extracted to F\\* at all (filtered out by hax via + `-i -::**`). Worse than lax — no proof of any kind. +- **Panic-free**: proven free of panics (and obeying preconditions), no further proof: + fn has `verification_status(panic_free)` or has no `#[ensures(...)]` annotation. 
+- **Math**: has an `#[ensures(...)]` annotation that proves SOME non-trivial property, + but doesn't match the bounds or hacspec patterns. +- **Bounds**: ensures uses range/interval predicates (e.g. `is_i16b`, `is_bounded_*`). +- **Hacspec**: ensures cites the high-level mathematical specification (e.g. `Spec.MLKEM.*`). + +The "Panic-safe" aggregate (sometimes useful for headline numbers) = Panic-free + Math ++ Bounds + Hacspec — i.e., total minus lax minus unverified. + +""" + + +def write_status_md(rows, crate_name, output_path, + body_admit_sites_by_module, unverified_paths_seen, + module_counts_by_display=None): + """`module_counts_by_display` maps display-name → number of underlying .rs files + (e.g., 'mlkem*' → 4). Used for per-row 'Modules' count + category subtotals.""" + if module_counts_by_display is None: + module_counts_by_display = {} + + # Group rows by category to compute subtotals + grouped = [] # list of (category, [data_rows]) + current_cat = None + bucket = [] + for row in rows: + if row is None: + continue + cat = row[0] + if cat: # new category header inline (the row carries _Category_) + if bucket: + grouped.append((current_cat, bucket)) + current_cat = cat.replace('_', '').strip() + bucket = [row] + else: + bucket.append(row) + if bucket: + grouped.append((current_cat, bucket)) + + with open(output_path, 'w') as f: + f.write(PREAMBLE.format(crate=crate_name)) + # Columns: Category | File | Mods | Fns | Lax | Unv | PF | Math | Bounds | Hacspec + f.write( + f"| {'Category':<10} | {'File':<17} | {'Mods':>4} | {'Fns':>3} " + f"| {'Lax':>3} | {'Unv':>3} | {'PF':>3} | {'Math':>4} | {'Bounds':>6} | {'Hacspec':>7} |\n" + ) + f.write( + f"| {'-'*10} | {'-'*17} | {'-'*4:>4} | {'---':>3} " + f"| {'---':>3} | {'---':>3} | {'---':>3} | {'-'*4:>4} | {'-'*6:>6} | {'-'*7:>7} |\n" + ) + + cat_totals = [] # for the per-category summary at the end + for cat_idx, (cat_label, cat_rows) in enumerate(grouped): + sub_total = sub_lax = sub_unv = sub_pf = sub_math = 
sub_bounds = sub_hacspec = sub_mods = 0 + for row in cat_rows: + cat_display, display, total, lax, unv, pf, math, bounds, hacspec = row + mods = module_counts_by_display.get(display, 1) + sub_mods += mods + sub_total += total; sub_lax += lax; sub_unv += unv + sub_pf += pf; sub_math += math; sub_bounds += bounds; sub_hacspec += hacspec + f.write( + f"| {cat_display:<10} | {display:<17} | {mods:>4} | {total:>3} " + f"| {lax:>3} | {unv if unv else '':>3} | {pf:>3} | {math:>4} | {bounds:>6} | {hacspec:>7} |\n" + ) + # Per-category subtotal row + f.write( + f"| {'':10} | {'**'+cat_label+' total**':<17} " + f"| {'**'+str(sub_mods)+'**':>4} | {'**'+str(sub_total)+'**':>3} " + f"| {'**'+str(sub_lax)+'**':>3} | {('**'+str(sub_unv)+'**') if sub_unv else '':>3} " + f"| {'**'+str(sub_pf)+'**':>3} | {'**'+str(sub_math)+'**':>4} " + f"| {'**'+str(sub_bounds)+'**':>6} | {'**'+str(sub_hacspec)+'**':>7} |\n" + ) + cat_totals.append((cat_label, sub_mods, sub_total, sub_lax, sub_unv, sub_pf, sub_math, sub_bounds, sub_hacspec)) + if cat_idx < len(grouped) - 1: + f.write( + f"| {'':10} | {'':17} | {'':>4} | {'':>3} " + f"| {'':>3} | {'':>3} | {'':>3} | {'':>4} | {'':>6} | {'':>7} |\n" + ) + + total_fns = sum(r[2] for r in rows if r is not None) + total_lax = sum(r[3] for r in rows if r is not None) + total_unv = sum(r[4] for r in rows if r is not None) + total_pf = sum(r[5] for r in rows if r is not None) + total_math = sum(r[6] for r in rows if r is not None) + total_bounds = sum(r[7] for r in rows if r is not None) + total_hacspec = sum(r[8] for r in rows if r is not None) + total_safe = total_pf + total_math + total_bounds + total_hacspec + total_mods = sum(c[1] for c in cat_totals) + + f.write("\n## Summary\n\n") + if total_fns: + def pct(n): + return f"({n*100/total_fns:.1f}%)" + f.write(f"- **Total modules**: {total_mods}\n") + f.write(f"- **Total functions**: {total_fns}\n") + f.write(f"- **Lax** (admitted): {total_lax} {pct(total_lax)}\n") + f.write(f"- **Unverified** (not 
extracted): {total_unv} {pct(total_unv)}\n") + f.write(f"- **Panic-safe** (PF + Math + Bounds + Hacspec): {total_safe} {pct(total_safe)}\n") + f.write(f" - Panic-free only (no further proof): {total_pf} {pct(total_pf)}\n") + f.write(f" - Math (non-trivial ensures, no bounds/spec match): {total_math} {pct(total_math)}\n") + f.write(f" - Bounds (range/interval ensures): {total_bounds} {pct(total_bounds)}\n") + f.write(f" - Hacspec (cites high-level spec): {total_hacspec} {pct(total_hacspec)}\n") + else: + f.write("- (no functions found — check config paths)\n") + + if cat_totals: + f.write("\n### Modules per category\n\n") + f.write(f"| {'Category':<12} | {'Modules':>7} | {'Fns':>4} | {'Lax':>3} | {'Unv':>3} | {'PF':>3} | {'Math':>4} | {'Bounds':>6} | {'Hacspec':>7} |\n") + f.write(f"| {'-'*12} | {'-'*7} | {'-'*4} | {'-'*3} | {'-'*3} | {'-'*3} | {'-'*4} | {'-'*6} | {'-'*7} |\n") + for label, mods, tot, lax, unv, pf, math, bounds, hacspec in cat_totals: + f.write(f"| {label:<12} | {mods:>7} | {tot:>4} | {lax:>3} | {unv:>3} | {pf:>3} | {math:>4} | {bounds:>6} | {hacspec:>7} |\n") + + if unverified_paths_seen: + f.write("\n## Unverified Rust modules (not extracted to F\\*)\n\n") + f.write("These Rust modules have no corresponding F\\* file in the extraction " + "directory — they were filtered out by hax (`-i -::**` in `hax.py`) " + "and are unverified at any tier.\n\n") + f.write(f"| {'Module':<30} | {'Path':<40} | {'Fns':>3} |\n") + f.write(f"| {'-'*30} | {'-'*40} | {'-'*3} |\n") + for label, path, n in unverified_paths_seen: + f.write(f"| {label:<30} | {path:<40} | {n:>3} |\n") + + if body_admit_sites_by_module: + f.write("\n## Body-admit sites (audit)\n\n") + f.write("Functions classified as lax due to `admit ()` (or `--admit_smt_queries true`) " + "inside their body. 
Auditable so the script's classification decisions are traceable.\n\n") + f.write(f"| {'Module':<25} | {'Line':>5} |\n") + f.write(f"| {'-'*25} | {'-'*5} |\n") + for module_label, sites in body_admit_sites_by_module: + for line in sites: + f.write(f"| {module_label:<25} | {line:>5} |\n") + + +# ============================================================================ +# Diff mode +# ============================================================================ + +# Match a status row with 10 columns: cat | display | mods | fns | lax | unv | pf | math | bounds | hacspec +# Subtotal rows wrap their numbers in `**...**` (markdown bold) so `\d+` won't match them. +DIFF_TABLE_RE = re.compile( + r"^\| \s*([^|]*?)\s*\| \s*([^|]+?)\s*\| \s*(\d+)\s*" + r"\| \s*(\d+)\s*" + r"\| \s*(\d+)\s*\| \s*(\d*)\s*\| \s*(\d+)\s*" + r"\| \s*(\d+)\s*\| \s*(\d+)\s*\| \s*(\d+)\s*\|\s*$", + re.MULTILINE, +) + + +def parse_status_md(path): + """Parse a verification_status.md table. + Returns dict[(category, display)] = (mods, total, lax, unv, pf, math, bounds, hacspec).""" + with open(path) as f: + text = f.read() + rows = {} + current_category = "" + for m in DIFF_TABLE_RE.finditer(text): + cat = m.group(1).strip() + display = m.group(2).strip() + try: + mods = int(m.group(3)) + total = int(m.group(4)) + lax = int(m.group(5)) + unv = int(m.group(6)) if m.group(6) else 0 + pf = int(m.group(7)) + math = int(m.group(8)) + bounds = int(m.group(9)) + hacspec = int(m.group(10)) + except ValueError: + continue + if cat: + cleaned = cat.replace('_', '').strip() + if cleaned: + current_category = cleaned + if not current_category: + continue + rows[(current_category, display)] = (mods, total, lax, unv, pf, math, bounds, hacspec) + return rows + + +def write_diff_md(prev_path, curr_path, output_path, prev_label, curr_label): + prev = parse_status_md(prev_path) + curr = parse_status_md(curr_path) + + ordered_keys = [] + seen = set() + for src in (curr, prev): + for k in src: + if k not in seen: + 
ordered_keys.append(k) + seen.add(k) + + def delta(a, b): + d = b - a + return f"{d:+d}" if d else " " + + with open(output_path, 'w') as f: + f.write(f"# Verification Status Diff — `{prev_label}` → `{curr_label}`\n\n") + f.write(f"Comparison of `{prev_path}` against `{curr_path}`. " + f"Each per-tier column is shown as `prev→curr (Δ)`.\n\n") + f.write(f"| {'Category':<10} | {'File':<17} | {'Fns':>9} " + f"| {'Lax':>9} | {'Unv':>9} | {'PF':>9} | {'Math':>9} | {'Bounds':>9} | {'Hacspec':>9} |\n") + f.write(f"| {'-'*10} | {'-'*17} | {'-'*9} " + f"| {'-'*9} | {'-'*9} | {'-'*9} | {'-'*9} | {'-'*9} | {'-'*9} |\n") + last_cat = "" + sums = {k: [0, 0] for k in ('total', 'lax', 'unv', 'pf', 'math', 'bounds', 'hacspec')} + + def cell(prev_n, curr_n): + d = curr_n - prev_n + sign = f"{d:+d}" if d else "·" + return f"{prev_n}→{curr_n} {sign}" + + for k in ordered_keys: + cat, display = k + p = prev.get(k, (0, 0, 0, 0, 0, 0, 0, 0)) + c = curr.get(k, (0, 0, 0, 0, 0, 0, 0, 0)) + pmods, pt, plax, punv, ppf, pmath, pb, ph = p + cmods, ct, clax, cunv, cpf, cmath, cb, ch = c + cat_show = f"_{cat}_" if cat != last_cat else "" + last_cat = cat + f.write(f"| {cat_show:<10} | {display:<17} | {cell(pt, ct):>9} " + f"| {cell(plax, clax):>9} | {cell(punv, cunv):>9} | {cell(ppf, cpf):>9} " + f"| {cell(pmath, cmath):>9} | {cell(pb, cb):>9} | {cell(ph, ch):>9} |\n") + for key, pv, cv in ( + ('total', pt, ct), ('lax', plax, clax), ('unv', punv, cunv), + ('pf', ppf, cpf), ('math', pmath, cmath), + ('bounds', pb, cb), ('hacspec', ph, ch), + ): + sums[key][0] += pv + sums[key][1] += cv + + f.write("\n## Aggregate\n\n") + for label, key in ( + ('Functions', 'total'), ('Lax', 'lax'), ('Unverified', 'unv'), + ('Panic-free only', 'pf'), ('Math', 'math'), + ('Bounds', 'bounds'), ('Hacspec', 'hacspec'), + ): + a, b = sums[key] + f.write(f"- {label}: {a} → {b} ({b - a:+d})\n") + safe_prev = sums['pf'][0] + sums['math'][0] + sums['bounds'][0] + sums['hacspec'][0] + safe_curr = sums['pf'][1] + 
sums['math'][1] + sums['bounds'][1] + sums['hacspec'][1] + f.write(f"- **Panic-safe (PF+Math+Bounds+Hacspec)**: {safe_prev} → {safe_curr} ({safe_curr-safe_prev:+d})\n") + + +# ============================================================================ +# Main +# ============================================================================ + +def main(): + parser = argparse.ArgumentParser(description=__doc__.split('\n')[0]) + parser.add_argument('--root', default=None, + help="Crate root (default: parent of script's directory)") + parser.add_argument('--config', default=None, + help='Path to verification_status.config.json (default: /proofs/verification_status.config.json or baked-in ML-KEM)') + parser.add_argument('--output', default=None, + help='Output Markdown path') + parser.add_argument('--diff', nargs=2, metavar=('PREV', 'CURR'), + help='Diff mode: write a comparison table of two verification_status.md files') + parser.add_argument('--diff-label-prev', default='prev') + parser.add_argument('--diff-label-curr', default='curr') + args = parser.parse_args() + + if args.diff: + prev, curr = args.diff + out = args.output or 'verification_status_diff.md' + write_diff_md(prev, curr, out, args.diff_label_prev, args.diff_label_curr) + print(f"Generated diff at {out}") + return + + script_dir = os.path.dirname(os.path.abspath(__file__)) + root = os.path.abspath(args.root) if args.root else os.path.dirname(script_dir) + config = load_config(args.config, root) + + src_dir = os.path.join(root, config['src_dir']) + makefile = os.path.join(root, config['makefile']) + extraction_dir = os.path.join(root, config.get('extraction_dir', + 'proofs/fstar/extraction')) + output = args.output or os.path.join(root, config['output']) + + spec_re = re.compile('|'.join(config['spec_patterns'])) + range_re = re.compile('|'.join(config['range_patterns'])) + + extracted_paths = list_extracted_modules(extraction_dir, config['admit_module_prefix'], src_dir) + admit_paths = 
parse_admit_modules(makefile, config['admit_module_prefix'], extracted_paths) + + rows = [] + body_admit_sites_by_module = [] + unverified_paths_seen = [] + module_counts_by_display = {} # display name → number of underlying source files + prev_category = "" + + for module in config['modules']: + category = module['category'] + display = module['display'] + paths = module['paths'] + + agg = {'total': 0, 'lax': 0, 'unverified': 0, + 'panic_free': 0, 'math': 0, 'bounds': 0, 'hacspec': 0} + all_body_admits = [] + files_present = 0 + + for p in paths: + filepath = os.path.join(src_dir, f"{p}.rs") + if not os.path.isfile(filepath): + continue + files_present += 1 + rel = f"src/{p}.rs" + funcs = parse_file(filepath, spec_re, range_re) + # If we have an extraction dir, a Rust module not present there is unverified. + is_unverified = bool(extracted_paths) and rel not in extracted_paths + stats = compute_module_stats(funcs, rel in admit_paths, is_unverified) + for k in ('total', 'lax', 'unverified', 'panic_free', 'math', 'bounds', 'hacspec'): + agg[k] += stats[k] + for line in stats['body_admit_sites']: + all_body_admits.append((rel, line)) + if is_unverified and stats['total'] > 0: + unverified_paths_seen.append((f"{category}/{display}", rel, stats['total'])) + + cat_display = "" + if category != prev_category: + if prev_category: + rows.append(None) + cat_display = f"_{category}_" + prev_category = category + + rows.append((cat_display, display, + agg['total'], agg['lax'], agg['unverified'], + agg['panic_free'], agg['math'], agg['bounds'], agg['hacspec'])) + module_counts_by_display[display] = files_present + + if all_body_admits: + label = f"{category}/{display}" + body_admit_sites_by_module.append((label, [line for (_, line) in all_body_admits])) + + write_status_md(rows, config['crate_name'], output, + body_admit_sites_by_module, unverified_paths_seen, + module_counts_by_display) + print(f"Generated {output}") + + +if __name__ == "__main__": + main() 
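Review bot: The generator fails open, so a misconfigured run reports more verification than exists: in `main`, `is_unverified = bool(extracted_paths) and rel not in extracted_paths` treats a missing or empty extraction directory as "nothing is unverified", and `_parse_makefile_var` returns an empty set when the Makefile is absent, so no module is counted as lax. The same happens with an empty `spec_patterns` or `range_patterns` list, because `'|'.join([])` compiles to the empty pattern and `search` then matches every `ensures`, which lands in the `hacspec` or `bounds` tier. The output is read as an assurance statement for a cryptographic crate, so these inputs should stop the run (or require an explicit opt-in) instead of silently producing a table. Separately, the module docstring still lists the tiers as lax/panic_free/correct and a `--all-body-admits-lax` flag that `argparse` does not define, and `parse_file` documents `ensures_level` as `'spec'|'range'|'panic_free'` while `classify_ensures` returns `hacspec`/`bounds`/`math`.

```python
    # … unchanged: root, config, src_dir, makefile, extraction_dir, output setup …
    # An empty pattern list compiles to '' and would match every ensures clause.
    if not config['spec_patterns'] or not config['range_patterns']:
        sys.exit("error: spec_patterns and range_patterns must be non-empty")
    # … unchanged: spec_re / range_re compilation …
    extracted_paths = list_extracted_modules(extraction_dir, config['admit_module_prefix'], src_dir)
    # Refuse to write a report from inputs that would inflate the verified tiers.
    if not os.path.isfile(makefile):
        sys.exit(f"error: F* Makefile not found: {makefile}")
    if not extracted_paths:
        sys.exit(f"error: no extracted F* modules found under {extraction_dir}")
    # … unchanged: parse_admit_modules call and per-module loop …
```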
diff --git a/crates/algorithms/sha3/proofs/generate_verification_status.sh b/crates/algorithms/sha3/proofs/generate_verification_status.sh
new file mode 100755
index 0000000000..ee9c8fedc2
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/generate_verification_status.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# Generate proofs/verification_status.md from Rust source annotations and Makefile ADMIT list.
+# Run from the libcrux-ml-kem directory.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+exec python3 "$SCRIPT_DIR/generate_verification_status.py" "$@"
diff --git a/crates/algorithms/sha3/proofs/verification_status.config.json b/crates/algorithms/sha3/proofs/verification_status.config.json
new file mode 100644
index 0000000000..35343831bd
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/verification_status.config.json
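Review bot: The header comment `# Run from the libcrux-ml-kem directory.` looks carried over from the ML-KEM copy, while this file is added under `crates/algorithms/sha3/proofs/`. The wrapper locates the Python script through `SCRIPT_DIR`, and that script defaults `--root` to the parent of its own directory, so the working directory only matters for relative `--config`, `--root` or `--output` arguments. I would replace the line with `# Can be run from any directory; --root defaults to the crate containing this proofs/ directory.`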
@@ -0,0 +1,38 @@
+{
+ "crate_name": "SHA-3",
+ "src_dir": "src",
+ "makefile": "proofs/fstar/extraction/Makefile",
+ "extraction_dir": "proofs/fstar/extraction",
+ "output": "proofs/verification_status.md",
+ "admit_module_prefix": "Libcrux_sha3.",
+ "spec_patterns": [
+ "Hacspec_sha3\\.",
+ "Spec\\.SHA3\\.",
+ "Spec\\.Keccak\\.",
+ "to_spec_state",
+ "Traits\\.Specs?\\.\\w+_post"
+ ],
+ "range_patterns": [
+ "is_intb", "is_i32b", "is_u8b", "is_bounded",
+ "\\bbounded\\b"
+ ],
+ "modules": [
+ {"category": "Generic", "display": "lib", "paths": ["lib"]},
+ {"category": "Generic", "display": "traits", "paths": ["traits"]},
+ {"category": "Generic", "display": "proof_utils", "paths": ["proof_utils"]},
+ {"category": "Generic", "display": "impl_digest_trait", "paths": ["impl_digest_trait"]},
+ {"category": "Generic", "display": "simd (top)", "paths": ["simd"]},
+ {"category": "Generic", "display": "generic_keccak (top)", "paths": ["generic_keccak"]},
+ {"category": "Generic", "display": "generic_keccak/constants", "paths": ["generic_keccak/constants"]},
+ {"category": "Generic", "display": "generic_keccak/xof", "paths": ["generic_keccak/xof"]},
+ {"category": "Portable", "display": "generic_keccak", "paths": ["generic_keccak/portable"]},
+ {"category": "Portable", "display": "portable", "paths": ["portable"]},
+ {"category": "Portable", "display": "simd", "paths": ["simd/portable"]},
+ {"category": "Avx2", "display": "generic_keccak", "paths": ["generic_keccak/simd256"]},
+ {"category": "Avx2", "display": "avx2", "paths": ["avx2"]},
+ {"category": "Avx2", "display": "simd", "paths": ["simd/avx2"]},
+ {"category": "Neon", "display": "generic_keccak", "paths": ["generic_keccak/simd128"]},
+ {"category": "Neon", "display": "neon", "paths": ["neon"]},
+ {"category": "Neon", "display": "simd", "paths": ["simd/arm64"]}
+ ]
+}
diff --git a/crates/algorithms/sha3/proofs/verification_status.md b/crates/algorithms/sha3/proofs/verification_status.md
new file mode 100644
index 0000000000..3f836377f8
--- /dev/null
+++ b/crates/algorithms/sha3/proofs/verification_status.md
@@ -0,0 +1,83 @@ +# SHA-3 Verification Status + +This file is auto-generated by `proofs/generate_verification_status.py`. + +Each function is classified at exactly one proof tier (highest wins): + +- **Lax**: module in `ADMIT_MODULES`, OR fn has `#[hax_lib::fstar::verification_status(lax)]`, + OR `#[hax_lib::fstar::options("--admit_smt_queries true")]`, OR `#[hax_lib::opaque]` + (body hidden from F\*; distinct from F\*'s `opaque_to_smt`), OR an inline `admit ()` + in the body. +- **Unverified**: Rust module not extracted to F\* at all (filtered out by hax via + `-i -::**`). Worse than lax — no proof of any kind. +- **Panic-free**: proven free of panics (and obeying preconditions), no further proof: + fn has `verification_status(panic_free)` or has no `#[ensures(...)]` annotation. +- **Math**: has an `#[ensures(...)]` annotation that proves SOME non-trivial property, + but doesn't match the bounds or hacspec patterns. +- **Bounds**: ensures uses range/interval predicates (e.g. `is_i16b`, `is_bounded_*`). +- **Hacspec**: ensures cites the high-level mathematical specification (e.g. `Spec.MLKEM.*`). + +The "Panic-safe" aggregate (sometimes useful for headline numbers) = Panic-free + Math ++ Bounds + Hacspec — i.e., total minus lax minus unverified. 
+ +| Category | File | Mods | Fns | Lax | Unv | PF | Math | Bounds | Hacspec | +| ---------- | ----------------- | ---- | --- | --- | --- | --- | ---- | ------ | ------- | +| _Generic_ | lib | 1 | 16 | 0 | | 16 | 0 | 0 | 0 | +| | traits | 1 | 14 | 0 | | 13 | 1 | 0 | 0 | +| | proof_utils | 1 | 5 | 0 | | 5 | 0 | 0 | 0 | +| | impl_digest_trait | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | +| | simd (top) | 1 | 0 | 0 | | 0 | 0 | 0 | 0 | +| | generic_keccak (top) | 1 | 50 | 0 | | 50 | 0 | 0 | 0 | +| | generic_keccak/constants | 1 | 0 | 0 | | 0 | 0 | 0 | 0 | +| | generic_keccak/xof | 1 | 8 | 0 | | 2 | 6 | 0 | 0 | +| | **Generic total** | **8** | **94** | **0** | **1** | **86** | **7** | **0** | **0** | +| | | | | | | | | | | +| _Portable_ | generic_keccak | 1 | 5 | 0 | | 0 | 5 | 0 | 0 | +| | portable | 1 | 27 | 0 | | 14 | 13 | 0 | 0 | +| | simd | 1 | 19 | 0 | | 17 | 2 | 0 | 0 | +| | **Portable total** | **3** | **51** | **0** | | **31** | **20** | **0** | **0** | +| | | | | | | | | | | +| _Avx2_ | generic_keccak | 1 | 5 | 0 | 5 | 0 | 0 | 0 | 0 | +| | avx2 | 1 | 9 | 0 | 9 | 0 | 0 | 0 | 0 | +| | simd | 1 | 19 | 0 | 19 | 0 | 0 | 0 | 0 | +| | **Avx2 total** | **3** | **33** | **0** | **33** | **0** | **0** | **0** | **0** | +| | | | | | | | | | | +| _Neon_ | generic_keccak | 1 | 5 | 0 | 5 | 0 | 0 | 0 | 0 | +| | neon | 1 | 15 | 0 | 15 | 0 | 0 | 0 | 0 | +| | simd | 1 | 18 | 0 | 18 | 0 | 0 | 0 | 0 | +| | **Neon total** | **3** | **38** | **0** | **38** | **0** | **0** | **0** | **0** | + +## Summary + +- **Total modules**: 17 +- **Total functions**: 216 +- **Lax** (admitted): 0 (0.0%) +- **Unverified** (not extracted): 72 (33.3%) +- **Panic-safe** (PF + Math + Bounds + Hacspec): 144 (66.7%) + - Panic-free only (no further proof): 117 (54.2%) + - Math (non-trivial ensures, no bounds/spec match): 27 (12.5%) + - Bounds (range/interval ensures): 0 (0.0%) + - Hacspec (cites high-level spec): 0 (0.0%) + +### Modules per category + +| Category | Modules | Fns | Lax | Unv | PF | Math | Bounds | 
Hacspec | +| ------------ | ------- | ---- | --- | --- | --- | ---- | ------ | ------- | +| Generic | 8 | 94 | 0 | 1 | 86 | 7 | 0 | 0 | +| Portable | 3 | 51 | 0 | 0 | 31 | 20 | 0 | 0 | +| Avx2 | 3 | 33 | 0 | 33 | 0 | 0 | 0 | 0 | +| Neon | 3 | 38 | 0 | 38 | 0 | 0 | 0 | 0 | + +## Unverified Rust modules (not extracted to F\*) + +These Rust modules have no corresponding F\* file in the extraction directory — they were filtered out by hax (`-i -::**` in `hax.py`) and are unverified at any tier. + +| Module | Path | Fns | +| ------------------------------ | ---------------------------------------- | --- | +| Generic/impl_digest_trait | src/impl_digest_trait.rs | 1 | +| Avx2/generic_keccak | src/generic_keccak/simd256.rs | 5 | +| Avx2/avx2 | src/avx2.rs | 9 | +| Avx2/simd | src/simd/avx2.rs | 19 | +| Neon/generic_keccak | src/generic_keccak/simd128.rs | 5 | +| Neon/neon | src/neon.rs | 15 | +| Neon/simd | src/simd/arm64.rs | 18 | diff --git a/crates/algorithms/sha3/src/generic_keccak.rs b/crates/algorithms/sha3/src/generic_keccak.rs index a87a6adadf..eb1b9f029f 100644 --- a/crates/algorithms/sha3/src/generic_keccak.rs +++ b/crates/algorithms/sha3/src/generic_keccak.rs @@ -15,7 +15,7 @@ use hax_lib::{constructors::from_bool, int::ToInt}; pub(crate) mod xof; /// Constants in SHA3. -mod constants; +pub(crate) mod constants; use constants::*; /// Simd128 specific implementations. 
@@ -308,3 +308,368 @@ impl> Index<(usize, usize)> for KeccakState KeccakState<1, u64> { + KeccakState { st } + } + + /// Non-trivial test state: keccak-f applied to state where lane 0 = 1. + fn test_state() -> [u64; 25] { + let mut st = [0u64; 25]; + st[0] = 1; + spec_kf::keccak_f(st) + } + + // -- Layer 1: Constants -- + + #[test] + fn round_constants_match() { + assert_eq!(ROUNDCONSTANTS, spec_kf::ROUND_CONSTANTS); + } + + // -- Layer 2: Permutation steps -- + + #[test] + fn theta_rho_matches_spec() { + for &st in &[[0u64; 25], test_state()] { + let mut s = wrap(st); + let t = s.theta(); + s.rho(t); + assert_eq!(s.st, spec_kf::rho(spec_kf::theta(st))); + } + } + + #[test] + fn pi_matches_spec() { + let st = test_state(); + let mut s = wrap(st); + s.pi(); + assert_eq!(s.st, spec_kf::pi(st)); + } + + #[test] + fn chi_matches_spec() { + let st = test_state(); + let mut s = wrap(st); + s.chi(); + assert_eq!(s.st, spec_kf::chi(st)); + } + + #[test] + fn iota_matches_spec() { + for round in 0..24 { + let st = test_state(); + let mut s = wrap(st); + s.iota(round); + assert_eq!(s.st, spec_kf::iota(st, round)); + } + } + + #[test] + fn keccak_f_matches_spec() { + for &st in &[[0u64; 25], test_state()] { + let mut s = wrap(st); + s.keccakf1600(); + assert_eq!(s.st, spec_kf::keccak_f(st)); + } + } + + #[test] + fn single_round_matches_spec() { + let st = test_state(); + let spec = spec_kf::iota( + spec_kf::chi(spec_kf::pi(spec_kf::rho(spec_kf::theta(st)))), + 0, + ); + let mut s = wrap(st); + let t = s.theta(); + s.rho(t); + s.pi(); + s.chi(); + s.iota(0); + assert_eq!(s.st, spec); + } + + // -- Layer 3: Sponge helpers -- + + #[test] + fn load_block_matches_spec() { + let block = [0xABu8; 200]; + let mut impl_st = [0u64; 25]; + crate::simd::portable::load_block::<136>(&mut impl_st, &block, 0); + let spec_st = spec_sponge::xor_block_into_state([0u64; 25], &block, 136); + assert_eq!(impl_st, spec_st); + } + + #[test] + fn load_block_with_offset() { + let mut data = [0u8; 
400]; + for (i, b) in data.iter_mut().enumerate() { + *b = (i & 0xFF) as u8; + } + let mut impl_st = [0u64; 25]; + crate::simd::portable::load_block::<136>(&mut impl_st, &data, 136); + let spec_st = spec_sponge::xor_block_into_state([0u64; 25], &data[136..272], 136); + assert_eq!(impl_st, spec_st); + } + + #[test] + fn store_block_matches_spec() { + let state = test_state(); + let mut impl_out = [0u8; 200]; + crate::simd::portable::store_block::<136>(&state, &mut impl_out, 0, 136); + let mut spec_out = [0u8; 200]; + spec_out = spec_sponge::squeeze_state(&state, spec_out, 0, 136); + assert_eq!(impl_out[..136], spec_out[..136]); + } + + #[test] + fn load_last_matches_spec_padding() { + // Test various last-block sizes for SHA3-256 (rate=136, delim=0x06) + let rate = 136usize; + for len in [0, 1, 7, 8, 9, 15, 16, 17, 64, 100, 135] { + let mut msg = [0u8; 135]; + for i in 0..len { + msg[i] = (i & 0xFF) as u8; + } + let mut impl_st = [0u64; 25]; + crate::simd::portable::load_last::<136, 0x06>(&mut impl_st, &msg[..len], 0, len); + + let mut last_block = [0u8; 200]; + last_block[..len].copy_from_slice(&msg[..len]); + last_block[len] = 0x06; + last_block[rate - 1] |= 0x80; + let spec_st = spec_sponge::xor_block_into_state([0u64; 25], &last_block, rate); + assert_eq!(impl_st, spec_st, "load_last mismatch at len={len}"); + } + } + + #[test] + fn load_block_all_rates() { + // Test load_block for every rate used by SHA3/SHAKE variants + let data = [0xCDu8; 200]; + macro_rules! 
test_rate { + ($rate:expr) => { + let mut impl_st = [0u64; 25]; + crate::simd::portable::load_block::<$rate>(&mut impl_st, &data, 0); + let spec_st = spec_sponge::xor_block_into_state([0u64; 25], &data, $rate); + assert_eq!(impl_st, spec_st, "load_block mismatch at rate={}", $rate); + }; + } + test_rate!(72); // SHA3-512 + test_rate!(104); // SHA3-384 + test_rate!(136); // SHA3-256 / SHAKE256 + test_rate!(144); // SHA3-224 + test_rate!(168); // SHAKE128 + } + + #[test] + fn store_block_partial_len() { + // Test squeeze with various lengths (not just the full rate) + let state = test_state(); + for &len in &[8, 16, 64, 72, 104, 136] { + let mut impl_out = [0u8; 200]; + crate::simd::portable::store_block::<136>(&state, &mut impl_out, 0, len); + let mut spec_out = [0u8; 200]; + spec_out = spec_sponge::squeeze_state(&state, spec_out, 0, len); + assert_eq!( + impl_out[..len], + spec_out[..len], + "store_block mismatch at len={len}" + ); + } + } + + #[test] + fn store_block_with_offset() { + let state = test_state(); + let len = 72; + let offset = 64; + let mut impl_out = [0u8; 200]; + crate::simd::portable::store_block::<136>(&state, &mut impl_out, offset, len); + let mut spec_out = [0u8; 200]; + spec_out = spec_sponge::squeeze_state(&state, spec_out, offset, len); + assert_eq!( + impl_out[offset..offset + len], + spec_out[offset..offset + len] + ); + } +} + +/// NEON to_spec tests: verify that each permutation step on KeccakState<2, uint64x2_t> +/// operates lane-wise, i.e. extracting lane l from the SIMD result equals the scalar +/// spec step applied to lane l of the input. This validates the `to_spec` commutativity +/// property that the F* generalization proof is built on. 
+#[cfg(all(test, feature = "simd128"))] +mod neon_to_spec_tests { + use super::*; + use hacspec_sha3::keccak_f as spec_kf; + use libcrux_intrinsics::arm64::*; + + /// Extract lane `l` (0 or 1) from a KeccakState<2, uint64x2_t> → [u64; 25] + fn extract_lane(state: &KeccakState<2, _uint64x2_t>, lane: usize) -> [u64; 25] { + assert!(lane < 2); + let mut out = [0u64; 25]; + for i in 0..25 { + let mut tmp = [0u64; 2]; + _vst1q_u64(&mut tmp, state.st[i]); + out[i] = tmp[lane]; + } + out + } + + /// to_spec: KeccakState<2, uint64x2_t> → [[u64; 25]; 2] + fn to_spec(state: &KeccakState<2, _uint64x2_t>) -> [[u64; 25]; 2] { + [extract_lane(state, 0), extract_lane(state, 1)] + } + + /// Pack two scalar [u64; 25] states into a KeccakState<2, uint64x2_t> + fn from_spec(lanes: [[u64; 25]; 2]) -> KeccakState<2, _uint64x2_t> { + let mut st = [_vdupq_n_u64(0); 25]; + for i in 0..25 { + let arr = [lanes[0][i], lanes[1][i]]; + st[i] = _vld1q_u64(&arr); + } + KeccakState { st } + } + + /// Two distinct non-trivial test states for packing into lanes. 
+ fn test_states() -> [[u64; 25]; 2] { + let mut st0 = [0u64; 25]; + st0[0] = 1; + let st0 = spec_kf::keccak_f(st0); + + let mut st1 = [0u64; 25]; + st1[0] = 0xDEAD_BEEF_CAFE_BABEu64; + let st1 = spec_kf::keccak_f(st1); + + [st0, st1] + } + + #[test] + fn to_spec_roundtrip() { + let lanes = test_states(); + let packed = from_spec(lanes); + let extracted = to_spec(&packed); + assert_eq!(extracted, lanes, "to_spec(from_spec(x)) != x"); + } + + #[test] + fn neon_theta_rho_to_spec() { + let lanes = test_states(); + let mut s = from_spec(lanes); + let t = s.theta(); + s.rho(t); + let result = to_spec(&s); + for l in 0..2 { + let spec = spec_kf::rho(spec_kf::theta(lanes[l])); + assert_eq!(result[l], spec, "theta+rho mismatch on lane {l}"); + } + } + + #[test] + fn neon_pi_to_spec() { + let lanes = test_states(); + let mut s = from_spec(lanes); + s.pi(); + let result = to_spec(&s); + for l in 0..2 { + let spec = spec_kf::pi(lanes[l]); + assert_eq!(result[l], spec, "pi mismatch on lane {l}"); + } + } + + #[test] + fn neon_chi_to_spec() { + let lanes = test_states(); + let mut s = from_spec(lanes); + s.chi(); + let result = to_spec(&s); + for l in 0..2 { + let spec = spec_kf::chi(lanes[l]); + assert_eq!(result[l], spec, "chi mismatch on lane {l}"); + } + } + + #[test] + fn neon_iota_to_spec() { + for round in 0..24 { + let lanes = test_states(); + let mut s = from_spec(lanes); + s.iota(round); + let result = to_spec(&s); + for l in 0..2 { + let spec = spec_kf::iota(lanes[l], round); + assert_eq!(result[l], spec, "iota mismatch on lane {l}, round {round}"); + } + } + } + + #[test] + fn neon_single_round_to_spec() { + let lanes = test_states(); + let mut s = from_spec(lanes); + let t = s.theta(); + s.rho(t); + s.pi(); + s.chi(); + s.iota(0); + let result = to_spec(&s); + for l in 0..2 { + let spec = spec_kf::iota( + spec_kf::chi(spec_kf::pi(spec_kf::rho(spec_kf::theta(lanes[l])))), + 0, + ); + assert_eq!(result[l], spec, "single round mismatch on lane {l}"); + } + } + + 
#[test] + fn neon_keccakf1600_to_spec() { + let lanes = test_states(); + let mut s = from_spec(lanes); + s.keccakf1600(); + let result = to_spec(&s); + for l in 0..2 { + let spec = spec_kf::keccak_f(lanes[l]); + assert_eq!(result[l], spec, "keccakf1600 mismatch on lane {l}"); + } + } + + #[test] + fn neon_keccakf1600_zero_state() { + let lanes = [[0u64; 25]; 2]; + let mut s = from_spec(lanes); + s.keccakf1600(); + let result = to_spec(&s); + let spec = spec_kf::keccak_f([0u64; 25]); + for l in 0..2 { + assert_eq!( + result[l], spec, + "keccakf1600 zero-state mismatch on lane {l}" + ); + } + } + + #[test] + fn neon_keccakf1600_iterated() { + // Apply keccakf1600 multiple times; verify lanes stay independent + let mut lanes = test_states(); + let mut s = from_spec(lanes); + for _ in 0..5 { + s.keccakf1600(); + lanes[0] = spec_kf::keccak_f(lanes[0]); + lanes[1] = spec_kf::keccak_f(lanes[1]); + let result = to_spec(&s); + assert_eq!(result[0], lanes[0], "iterated keccakf1600 lane 0 diverged"); + assert_eq!(result[1], lanes[1], "iterated keccakf1600 lane 1 diverged"); + } + } +} diff --git a/crates/algorithms/sha3/src/generic_keccak/xof.rs b/crates/algorithms/sha3/src/generic_keccak/xof.rs index 08deb593da..acbca583c1 100644 --- a/crates/algorithms/sha3/src/generic_keccak/xof.rs +++ b/crates/algorithms/sha3/src/generic_keccak/xof.rs 
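Review bot: `load_last_matches_spec_padding` only instantiates `load_last::<136, 0x06>`, so the padding path is never compared with the spec for the SHAKE suffix or for any other rate at this layer. A regression in how the delimiter byte and the final `0x80` bit are placed for SHAKE128 would only show up in the end-to-end tests, where it is harder to localise. I would run the same loop a second time with `crate::simd::portable::load_last::<168, 0x1f>(&mut impl_st, &msg[..len], 0, len);` and build the reference block with `last_block[len] = 0x1f; last_block[167] |= 0x80;`, enlarging `msg` so that `len = 167` (delimiter and final bit in the same byte) is covered as the `len = 135` case is for rate 136. The opening lines of this hunk are garbled on the page, so the test module header and the signature of `wrap` are not fully legible here.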
@@ -37,22 +37,7 @@ pub(crate) struct KeccakXofState< sponge: bool, } -/// Note: This function exists to work around a hax bug where `core::array::from_fn` -/// is extracted with an incorrect explicit type parameter `#(usize -> t_Slice u8)` -/// instead of using the typeclass-based implicit parameter `#v_F` from -/// `Core_models.Array.from_fn`. -/// See: https://github.com/cryspen/hax/issues/1920 #[inline(always)] -#[hax_lib::fstar::replace( - "let buf_to_slices - (v_PARALLEL_LANES v_RATE: usize) - (buf: t_Array (t_Array u8 v_RATE) v_PARALLEL_LANES) - : t_Array (t_Slice u8) v_PARALLEL_LANES = - Core_models.Array.from_fn #(t_Slice u8) - v_PARALLEL_LANES - (fun i -> Core_models.Array.impl_23__as_slice #u8 v_RATE (buf.[ i ])) -" -)] fn buf_to_slices( buf: &[[u8; RATE]; PARALLEL_LANES], ) -> [&[u8]; PARALLEL_LANES] { diff --git a/crates/algorithms/sha3/src/traits.rs b/crates/algorithms/sha3/src/traits.rs index 99b9328d0b..2d2876dbb3 100644 --- a/crates/algorithms/sha3/src/traits.rs +++ b/crates/algorithms/sha3/src/traits.rs @@ -9,7 +9,7 @@ use crate::proof_utils::{slices_same_len, valid_rate}; #[hax_lib::requires(i < 5 && j < 5)] #[inline(always)] pub(crate) fn get_ij>(arr: &[T; 25], i: usize, j: usize) -> &T { - &arr[5 * j + i] + &arr[5 * i + j] } #[hax_lib::requires(i < 5 && j < 5)] @@ -20,7 +20,7 @@ pub(crate) fn set_ij>( j: usize, value: T, ) { - arr[5 * j + i] = value; + arr[5 * i + j] = value; } /// A Keccak Item for multiplexing arithmetic implementations. diff --git a/crates/algorithms/sha3/tests/cross_spec.rs b/crates/algorithms/sha3/tests/cross_spec.rs new file mode 100644 index 0000000000..33f225c012 --- /dev/null +++ b/crates/algorithms/sha3/tests/cross_spec.rs 
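Review bot: The index change in `get_ij` from `5 * j + i` to `5 * i + j`, repeated for `set_ij` in the next hunk, transposes the flat layout of the 25-lane state, and neither function documents which convention is now in force. Any code that addresses the array by flat index instead of going through these helpers (block load/store, anything that copies raw state) has to use the same order; that code is outside these hunks, so I cannot confirm it from here. I would add a doc comment to both helpers, for example `/// Lane (i, j) is stored at flat index 5 * i + j; code indexing the state directly must use the same order.` The `requires(i < 5 && j < 5)` precondition keeps the index below 25 under either formula, so the concern is layout agreement rather than bounds. The signature of `set_ij` starts outside its hunk.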
@@ -0,0 +1,456 @@ +/// Cross-spec tests: verify top-level SHA-3 / SHAKE functions against the +/// hacspec specification. Lower-level tests (permutation steps, sponge +/// helpers) live as unit tests inside `src/generic_keccak.rs`. + +/// Generate test inputs at boundary sizes around the given rate. +/// Returns empty, 1 byte, sub-rate, rate-1, rate, rate+1, 2*rate-1, 2*rate, +/// 2*rate+1, and a large multi-block input. +fn boundary_inputs(rate: usize) -> Vec> { + [ + 0, + 1, + 8, + rate / 2, + rate - 1, + rate, + rate + 1, + 2 * rate - 1, + 2 * rate, + 2 * rate + 1, + 5 * rate + 7, + ] + .into_iter() + .map(|len| (0..len).map(|i| (i & 0xFF) as u8).collect()) + .collect() +} + +// ========================================================================= +// SHA3 hash functions — boundary input sizes for each rate +// ========================================================================= + +#[test] +fn sha3_224_boundary() { + // rate = 144 + for input in boundary_inputs(144) { + let spec = hacspec_sha3::sha3_224(&input); + let mut out = [0u8; 28]; + libcrux_sha3::portable::sha224(&mut out, &input); + assert_eq!(out, spec, "sha3_224 mismatch at len {}", input.len()); + } +} + +#[test] +fn sha3_256_boundary() { + // rate = 136 + for input in boundary_inputs(136) { + let spec = hacspec_sha3::sha3_256(&input); + let mut out = [0u8; 32]; + libcrux_sha3::portable::sha256(&mut out, &input); + assert_eq!(out, spec, "sha3_256 mismatch at len {}", input.len()); + } +} + +#[test] +fn sha3_384_boundary() { + // rate = 104 + for input in boundary_inputs(104) { + let spec = hacspec_sha3::sha3_384(&input); + let mut out = [0u8; 48]; + libcrux_sha3::portable::sha384(&mut out, &input); + assert_eq!(out, spec, "sha3_384 mismatch at len {}", input.len()); + } +} + +#[test] +fn sha3_512_boundary() { + // rate = 72 + for input in boundary_inputs(72) { + let spec = hacspec_sha3::sha3_512(&input); + let mut out = [0u8; 64]; + libcrux_sha3::portable::sha512(&mut out, &input); + 
assert_eq!(out, spec, "sha3_512 mismatch at len {}", input.len()); + } +} + +// ========================================================================= +// SHAKE XOFs — boundary input sizes AND boundary output sizes +// ========================================================================= + +#[test] +fn shake128_boundary_inputs() { + // rate = 168 + for input in boundary_inputs(168) { + let spec = hacspec_sha3::shake128::<64>(&input); + let mut out = [0u8; 64]; + libcrux_sha3::portable::shake128(&mut out, &input); + assert_eq!(out, spec, "shake128 input mismatch at len {}", input.len()); + } +} + +#[test] +fn shake256_boundary_inputs() { + // rate = 136 + for input in boundary_inputs(136) { + let spec = hacspec_sha3::shake256::<64>(&input); + let mut out = [0u8; 64]; + libcrux_sha3::portable::shake256(&mut out, &input); + assert_eq!(out, spec, "shake256 input mismatch at len {}", input.len()); + } +} + +#[test] +fn shake128_boundary_outputs() { + let input = b"boundary output test"; + let rate = 168; + let spec_long = hacspec_sha3::shake128::<1024>(input); + // Test output lengths around the rate boundary (squeeze multi-block) + for &out_len in &[ + 1, + 8, + rate / 2, + rate - 1, + rate, + rate + 1, + 2 * rate, + 3 * rate + 7, + ] { + let mut out = [0u8; 1024]; + libcrux_sha3::portable::shake128(&mut out[..out_len], input); + assert_eq!( + out[..out_len], + spec_long[..out_len], + "shake128 output mismatch at out_len {out_len}" + ); + } +} + +#[test] +fn shake256_boundary_outputs() { + let input = b"boundary output test"; + let rate = 136; + let spec_long = hacspec_sha3::shake256::<1024>(input); + for &out_len in &[ + 1, + 8, + rate / 2, + rate - 1, + rate, + rate + 1, + 2 * rate, + 3 * rate + 7, + ] { + let mut out = [0u8; 1024]; + libcrux_sha3::portable::shake256(&mut out[..out_len], input); + assert_eq!( + out[..out_len], + spec_long[..out_len], + "shake256 output mismatch at out_len {out_len}" + ); + } +} + +// 
========================================================================= +// Squeeze structure — exercises the three branches of the split squeeze +// (output_blocks == 0 / rem == 0 / rem != 0), the F* proof's structural +// claim in Phase 16. See specs/sha3/src/sponge.rs keccak(). +// ========================================================================= + +/// For a given SHAKE rate, pick output lengths that fall into each of the +/// three structural branches. +fn squeeze_structure_lengths(rate: usize) -> Vec<(usize, &'static str)> { + vec![ + // output_blocks == 0 (output_len < rate) + (1, "zero-blocks: len=1"), + (rate / 2, "zero-blocks: len=rate/2"), + (rate - 1, "zero-blocks: len=rate-1"), + // output_blocks >= 1, output_rem == 0 (exact multiple of rate) + (rate, "exact: len=rate"), + (2 * rate, "exact: len=2*rate"), + (3 * rate, "exact: len=3*rate"), + // output_blocks >= 1, output_rem != 0 (multiple + nonzero remainder) + (rate + 1, "rem: len=rate+1"), + (2 * rate + 7, "rem: len=2*rate+7"), + (3 * rate + (rate - 1), "rem: len=3*rate+rate-1"), + ] +} + +#[test] +fn shake128_squeeze_structure() { + let input = b"squeeze structure test"; + let rate = 168; + // Spec call emits the longest output; slice to compare for each case. 
+ let spec_long = hacspec_sha3::shake128::<2048>(input); + for (out_len, label) in squeeze_structure_lengths(rate) { + assert!(out_len <= 2048); + let mut out = [0u8; 2048]; + libcrux_sha3::portable::shake128(&mut out[..out_len], input); + assert_eq!( + out[..out_len], + spec_long[..out_len], + "shake128 structure mismatch ({label})" + ); + } +} + +#[test] +fn shake256_squeeze_structure() { + let input = b"squeeze structure test"; + let rate = 136; + let spec_long = hacspec_sha3::shake256::<2048>(input); + for (out_len, label) in squeeze_structure_lengths(rate) { + assert!(out_len <= 2048); + let mut out = [0u8; 2048]; + libcrux_sha3::portable::shake256(&mut out[..out_len], input); + assert_eq!( + out[..out_len], + spec_long[..out_len], + "shake256 structure mismatch ({label})" + ); + } +} + +// ========================================================================= +// EMA variants match return variants +// ========================================================================= + +#[test] +fn ema_variants_match_return_variants() { + let input = b"test ema vs return"; + + let ret = libcrux_sha3::sha224(input); + let mut ema = [0u8; 28]; + libcrux_sha3::sha224_ema(&mut ema, input); + assert_eq!(ret, ema, "sha224"); + + let ret = libcrux_sha3::sha256(input); + let mut ema = [0u8; 32]; + libcrux_sha3::sha256_ema(&mut ema, input); + assert_eq!(ret, ema, "sha256"); + + let ret = libcrux_sha3::sha384(input); + let mut ema = [0u8; 48]; + libcrux_sha3::sha384_ema(&mut ema, input); + assert_eq!(ret, ema, "sha384"); + + let ret = libcrux_sha3::sha512(input); + let mut ema = [0u8; 64]; + libcrux_sha3::sha512_ema(&mut ema, input); + assert_eq!(ret, ema, "sha512"); + + let ret = libcrux_sha3::shake128::<64>(input); + let mut ema = [0u8; 64]; + libcrux_sha3::shake128_ema(&mut ema, input); + assert_eq!(ret, ema, "shake128"); + + let ret = libcrux_sha3::shake256::<64>(input); + let mut ema = [0u8; 64]; + libcrux_sha3::shake256_ema(&mut ema, input); + assert_eq!(ret, ema, 
"shake256"); +} + +// ========================================================================= +// Generic hash dispatch +// ========================================================================= + +#[test] +fn hash_dispatch_matches_direct() { + let input = b"dispatch test"; + assert_eq!( + libcrux_sha3::hash::<28>(libcrux_sha3::Algorithm::Sha224, input), + libcrux_sha3::sha224(input) + ); + assert_eq!( + libcrux_sha3::hash::<32>(libcrux_sha3::Algorithm::Sha256, input), + libcrux_sha3::sha256(input) + ); + assert_eq!( + libcrux_sha3::hash::<48>(libcrux_sha3::Algorithm::Sha384, input), + libcrux_sha3::sha384(input) + ); + assert_eq!( + libcrux_sha3::hash::<64>(libcrux_sha3::Algorithm::Sha512, input), + libcrux_sha3::sha512(input) + ); +} + +// ========================================================================= +// NEON (simd128) — cross-spec for all hash functions +// ========================================================================= + +#[cfg(feature = "simd128")] +mod neon_cross_spec { + use super::boundary_inputs; + + #[test] + fn sha3_224_boundary() { + for input in boundary_inputs(144) { + let spec = hacspec_sha3::sha3_224(&input); + let mut out = [0u8; 28]; + libcrux_sha3::neon::sha224(&mut out, &input); + assert_eq!(out, spec, "neon sha3_224 mismatch at len {}", input.len()); + } + } + + #[test] + fn sha3_256_boundary() { + for input in boundary_inputs(136) { + let spec = hacspec_sha3::sha3_256(&input); + let mut out = [0u8; 32]; + libcrux_sha3::neon::sha256(&mut out, &input); + assert_eq!(out, spec, "neon sha3_256 mismatch at len {}", input.len()); + } + } + + #[test] + fn sha3_384_boundary() { + for input in boundary_inputs(104) { + let spec = hacspec_sha3::sha3_384(&input); + let mut out = [0u8; 48]; + libcrux_sha3::neon::sha384(&mut out, &input); + assert_eq!(out, spec, "neon sha3_384 mismatch at len {}", input.len()); + } + } + + #[test] + fn sha3_512_boundary() { + for input in boundary_inputs(72) { + let spec = 
hacspec_sha3::sha3_512(&input); + let mut out = [0u8; 64]; + libcrux_sha3::neon::sha512(&mut out, &input); + assert_eq!(out, spec, "neon sha3_512 mismatch at len {}", input.len()); + } + } + + #[test] + fn shake128_boundary() { + for input in boundary_inputs(168) { + let spec = hacspec_sha3::shake128::<64>(&input); + let mut out = [0u8; 64]; + libcrux_sha3::neon::shake128(&mut out, &input); + assert_eq!(out, spec, "neon shake128 mismatch at len {}", input.len()); + } + } + + #[test] + fn shake256_boundary() { + for input in boundary_inputs(136) { + let spec = hacspec_sha3::shake256::<64>(&input); + let mut out = [0u8; 64]; + libcrux_sha3::neon::shake256(&mut out, &input); + assert_eq!(out, spec, "neon shake256 mismatch at len {}", input.len()); + } + } + + #[test] + fn neon_x2_shake256_matches_spec() { + for input in boundary_inputs(136) { + let spec = hacspec_sha3::shake256::<64>(&input); + let mut out0 = [0u8; 64]; + let mut out1 = [0u8; 64]; + libcrux_sha3::neon::x2::shake256(&input, &input, &mut out0, &mut out1); + assert_eq!( + out0, + spec, + "neon x2 shake256 lane0 mismatch at len {}", + input.len() + ); + assert_eq!( + out1, + spec, + "neon x2 shake256 lane1 mismatch at len {}", + input.len() + ); + } + } +} + +// ========================================================================= +// AVX2 (simd256) — cross-spec via x4 incremental API +// ========================================================================= + +#[cfg(feature = "simd256")] +mod avx2_cross_spec { + #[test] + fn avx2_x4_shake256_matches_spec() { + let inputs: [&[u8]; 4] = [b"alpha", b"beta!", b"gamma", b"delta"]; + let mut state = libcrux_sha3::avx2::x4::incremental::init(); + libcrux_sha3::avx2::x4::incremental::shake256_absorb_final( + &mut state, inputs[0], inputs[1], inputs[2], inputs[3], + ); + let mut out0 = [0u8; 136]; + let mut out1 = [0u8; 136]; + let mut out2 = [0u8; 136]; + let mut out3 = [0u8; 136]; + libcrux_sha3::avx2::x4::incremental::shake256_squeeze_first_block( + 
&mut state, &mut out0, &mut out1, &mut out2, &mut out3, + ); + for (i, (out, input)) in [out0, out1, out2, out3] + .iter() + .zip(inputs.iter()) + .enumerate() + { + let spec = hacspec_sha3::shake256::<136>(input); + assert_eq!(&out[..], &spec[..], "avx2 x4 shake256 lane {i} mismatch"); + } + } + + #[test] + fn avx2_x4_shake128_matches_spec() { + let inputs: [&[u8]; 4] = [b"oneone", b"twotwo", b"three!", b"four!!"]; + let mut state = libcrux_sha3::avx2::x4::incremental::init(); + libcrux_sha3::avx2::x4::incremental::shake128_absorb_final( + &mut state, inputs[0], inputs[1], inputs[2], inputs[3], + ); + // Squeeze 3 blocks (3 * 168 = 504 bytes) + let mut out0 = [0u8; 504]; + let mut out1 = [0u8; 504]; + let mut out2 = [0u8; 504]; + let mut out3 = [0u8; 504]; + libcrux_sha3::avx2::x4::incremental::shake128_squeeze_first_three_blocks( + &mut state, &mut out0, &mut out1, &mut out2, &mut out3, + ); + for (i, (out, input)) in [out0, out1, out2, out3] + .iter() + .zip(inputs.iter()) + .enumerate() + { + let spec = hacspec_sha3::shake128::<504>(input); + assert_eq!(&out[..], &spec[..], "avx2 x4 shake128 lane {i} mismatch"); + } + } + + #[test] + fn avx2_x4_shake256_multi_squeeze_matches_spec() { + let input = b"multi-squeeze test"; + let spec = hacspec_sha3::shake256::<408>(input); + + let mut state = libcrux_sha3::avx2::x4::incremental::init(); + libcrux_sha3::avx2::x4::incremental::shake256_absorb_final( + &mut state, input, input, input, input, + ); + + // First block: 136 bytes + let mut b1 = [0u8; 136]; + let mut d1 = [0u8; 136]; + let mut d2 = [0u8; 136]; + let mut d3 = [0u8; 136]; + libcrux_sha3::avx2::x4::incremental::shake256_squeeze_first_block( + &mut state, &mut b1, &mut d1, &mut d2, &mut d3, + ); + assert_eq!(&b1[..], &spec[..136], "first block"); + + // Second block: 136 bytes + let mut b2 = [0u8; 136]; + libcrux_sha3::avx2::x4::incremental::shake256_squeeze_next_block( + &mut state, &mut b2, &mut d1, &mut d2, &mut d3, + ); + assert_eq!(&b2[..], 
&spec[136..272], "second block"); + + // Third block: 136 bytes + let mut b3 = [0u8; 136]; + libcrux_sha3::avx2::x4::incremental::shake256_squeeze_next_block( + &mut state, &mut b3, &mut d1, &mut d2, &mut d3, + ); + assert_eq!(&b3[..], &spec[272..408], "third block"); + } +} diff --git a/specs/Cargo.toml b/specs/Cargo.toml index 55874e074e..3eb1eb2b77 100644 --- a/specs/Cargo.toml +++ b/specs/Cargo.toml @@ -1,3 +1,3 @@ [workspace] -members = ["hacspec-lib", "kyber"] +members = ["hacspec-lib", "kyber", "sha3"] resolver = "2" diff --git a/specs/sha3/.gitignore b/specs/sha3/.gitignore new file mode 100644 index 0000000000..ea8c4bf7f3 --- /dev/null +++ b/specs/sha3/.gitignore @@ -0,0 +1 @@ +/target diff --git a/specs/sha3/Cargo.toml b/specs/sha3/Cargo.toml new file mode 100644 index 0000000000..bbbb52e8c3 --- /dev/null +++ b/specs/sha3/Cargo.toml @@ -0,0 +1,15 @@ +[package] +name = "hacspec_sha3" +version = "0.1.0" +edition = "2021" + +[dependencies] +hax-lib = { git = "https://github.com/cryspen/hax", branch = "integer-lemmas" } + +[dev-dependencies] +hex = "0.4.3" +proptest = "1.2.0" +libcrux-sha3 = { path = "../../crates/algorithms/sha3" } + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(hax)'] } diff --git a/specs/sha3/NIST.FIPS.202.pdf b/specs/sha3/NIST.FIPS.202.pdf new file mode 100644 index 0000000000..deb8de5e58 Binary files /dev/null and b/specs/sha3/NIST.FIPS.202.pdf differ diff --git a/specs/sha3/hax.sh b/specs/sha3/hax.sh new file mode 100755 index 0000000000..1490f89c0f --- /dev/null +++ b/specs/sha3/hax.sh 
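Review bot: `neon_x2_shake256_matches_spec` feeds the same slice to both lanes (`shake256(&input, &input, &mut out0, &mut out1)`), so an implementation that swapped lanes or let one lane's data leak into the other would still pass. `avx2_x4_shake256_multi_squeeze_matches_spec` has the same weakness with four identical inputs and never checks `d1`, `d2` or `d3` at all. Give each lane its own message and compare each output with its own spec value, e.g. `let other: Vec<u8> = input.iter().map(|b| !b).collect();`, then call `shake256(&input, &other, &mut out0, &mut out1)` and assert `out1 == hacspec_sha3::shake256::<64>(&other)`. For the AVX2 multi-squeeze test, the same applies to the three lanes that are currently discarded.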
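Review bot: `hax-lib = { git = "https://github.com/cryspen/hax", branch = "integer-lemmas" }` in the new `specs/sha3/Cargo.toml` follows a moving branch, so the library the spec and its proofs are built against can change without any commit in this repository. The workspace `Cargo.toml` in this same commit replaces the exact pin `=0.3.6` with the same branch reference and repeats it under `[patch.crates-io]`. I would pin the commit in all three places, `hax-lib = { git = "https://github.com/cryspen/hax", rev = "<COMMIT_SHA>" }`, and return to a released version once the branch is merged. A lockfile, if one is committed for this workspace, records a commit but moves silently on `cargo update`.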
@@ -0,0 +1,182 @@
+#!/usr/bin/env bash
+set -ex
+
+function extract_all() {
+ extract specs/sha3 \
+ into -i "+**" \
+ fstar --z3rlimit 80
+}
+
+function extract_all_lean() {
+ extract_to_lean specs/sha3 \
+ into -i "+**" \
+ lean
+
+ patch_lean_extractions
+}
+
+function prove() {
+ case "$1" in
+ --admit)
+ shift 1
+ export OTHERFLAGS="--admit_smt_queries true";;
+ *);;
+ esac
+ go_to "specs/sha3"
+ JOBS="${JOBS:-$(nproc --all)}"
+ JOBS="${JOBS:-4}"
+ make -C proofs/fstar/extraction -j $JOBS "$@"
+}
+
+function init_vars() {
+ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ SCRIPT_NAME="$(basename "${BASH_SOURCE[0]}")"
+ SCRIPT_PATH="${SCRIPT_DIR}/${SCRIPT_NAME}"
+
+ if [ -t 1 ]; then
+ BLUE='\033[34m'
+ GREEN='\033[32m'
+ BOLD='\033[1m'
+ RESET='\033[0m'
+ else
+ BLUE=''
+ GREEN=''
+ BOLD=''
+ RESET=''
+ fi
+}
+
+function go_to() {
+ ROOT="$SCRIPT_DIR/../.."
+ cd "$ROOT"
+ cd "$1"
+}
+
+function msg() {
+ echo -e "$1[$SCRIPT_NAME]$RESET $2"
+}
+
+function extract() {
+ TARGET="$1"
+ shift 1
+
+ msg "$BLUE" "extract ${BOLD}$TARGET${RESET}"
+ go_to "$TARGET"
+ cargo hax "$@" || {
+ msg "$RED" "extract extraction failed for ${BOLD}$TARGET${RESET}"
+ exit 1
+ }
+}
+
+function extract_to_lean() {
+ TARGET="$1"
+ shift 1
+
+ msg "$BLUE" "extract (lean) ${BOLD}$TARGET${RESET}"
+ go_to "$TARGET"
+ cargo hax "$@" || {
+ msg "$BLUE" "hax reported warnings for ${BOLD}$TARGET${RESET} (continuing)"
+ }
+}
+
+function patch_lean_extractions() {
+ go_to "specs/sha3"
+ local sha3="proofs/lean/extraction/hacspec_sha3.lean"
+
+ # Add Stubs import.
+ sed -i '' '/^import Hax$/a\
+import Stubs' "$sha3"
+
+ # Replace all generated proof tactics with sorry.
+ sed -i '' 's/by hax_construct_pure <;> bv_decide/by sorry/g' "$sha3"
+ sed -i '' 's/by hax_mvcgen \[[^]]*\] <;> bv_decide/by sorry/g' "$sha3"
+ sed -i '' 's/by hax_construct_pure <;> rfl/by sorry/g' "$sha3"
+
+ # squeeze_state: the output parameter is RustSlice u8 but update_at_usize
+ # is only defined for RustArray. Rename the slice calls to update_at_usize_slice.
+ # Inside squeeze_state, `output` is a RustSlice, so all update_at_usize on it
+ # need the slice variant.
+ python3 -c "
+import re, sys
+t = open(sys.argv[1]).read()
+# In squeeze_state, update_at_usize is called on 'output' which is a RustSlice.
+# The Hax library only defines update_at_usize for RustArray, so we rename
+# these calls to the slice-specific version defined in Stubs.lean.
+# We match inside the squeeze_state definition (between 'def squeeze_state' and
+# the next 'end' or 'def') and replace all occurrences.
+def patch_squeeze(m):
+ body = m.group(0)
+ return body.replace(
+ 'rust_primitives.hax.monomorphized_update_at.update_at_usize',
+ 'rust_primitives.hax.monomorphized_update_at.update_at_usize_slice')
+t = re.sub(
+ r'def squeeze_state.*?(?=\nset_option|\ndef )',
+ patch_squeeze,
+ t, flags=re.DOTALL)
+open(sys.argv[1],'w').write(t)
+" "$sha3"
+
+ # Remove sorry'd @[hax_spec] definitions that block mvcgen from using
+ # our proven @[spec] triples. The hax-generated specs have
+ # `ensures := fun _ => pure True` which is uninformative.
+ python3 -c "
+import re, sys
+t = open(sys.argv[1]).read()
+# Remove all @[hax_spec] attributes — the generated specs have sorry proofs
+# and block mvcgen from using our proven @[spec] triples.
+t = t.replace('@[hax_spec]', '-- @[hax_spec] -- removed by patch')
+open(sys.argv[1],'w').write(t)
+" "$sha3"
+
+ # Remove broken createi definition (our Stubs.lean provides it).
+ python3 -c "
+import re, sys
+t = open(sys.argv[1]).read()
+t = re.sub(
+ r'-- Utility function to create.*?end hacspec_sha3',
+ 'end hacspec_sha3',
+ t, flags=re.DOTALL)
+open(sys.argv[1],'w').write(t)
+" "$sha3"
+}
+
+function help() {
+ echo "Hacspec SHA3 script to extract Rust to F* and Lean via hax."
+ echo ""
+ echo "Usage: $0 [COMMAND]"
+ echo ""
+ echo "Commands:"
+ echo ""
+ grep '[#]>' "$SCRIPT_PATH" | sed 's/[)] #[>]/\t/g'
+ echo ""
+}
+
+function cli() {
+ if [ -z "$1" ]; then
+ help
+ exit 1
+ fi
+
+ case "$1" in
+ --help) #> Show help message
+ help;;
+ extract) #> Extract the F* code for the proofs.
+ extract_all
+ msg "$GREEN" "done"
+ ;;
+ extract_lean) #> Extract Lean code for the proofs.
+ extract_all_lean
+ msg "$GREEN" "done"
+ ;;
+ prove) #> Run F*. This typechecks the extracted code. To lax-typecheck use --admit.
+ shift 1
+ prove "$@";;
+ *)
+ echo "Invalid option: $1"
+ help
+ exit 1;;
+ esac
+}
+
+init_vars
+cli "$@"
diff --git a/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Keccak_f.fst b/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Keccak_f.fst
new file mode 100644
index 0000000000..513716ce7a
--- /dev/null
+++ b/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Keccak_f.fst
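Review bot: `patch_lean_extractions` calls `sed -i ''` four times; that is the BSD spelling, and GNU sed takes the detached `''` as an empty script and the real expression as an input file name, so under `set -e` the `extract_lean` command would abort on Linux. The sibling `crates/algorithms/sha3/hax.sh` gets a `$SED` selection (gsed on Darwin, sed elsewhere) in this same commit for the same reason, and the fence below applies it here with `"$SED" -i`. Separately, `extract` passes `$RED` to `msg`, but `init_vars` never assigns it; adding `RED='\033[31m'` and `RED=''` to the two branches there would restore the intended colour of the failure message. `extract_to_lean` also treats every non-zero exit of `cargo hax` as a warning and continues into the patch step, which may then edit a stale file, so a comment stating why failures are tolerated there would help.

```shell
# Near the top of the script, as in crates/algorithms/sha3/hax.sh:
if [ "$(uname)" = "Darwin" ]; then
    SED="gsed"
else
    SED="sed"
fi

# … unchanged: extract_all through extract_to_lean …

function patch_lean_extractions() {
    # … unchanged: go_to and the path of the extracted Lean file …
    "$SED" -i '/^import Hax$/a\
import Stubs' "$sha3"

    "$SED" -i 's/by hax_construct_pure <;> bv_decide/by sorry/g' "$sha3"
    "$SED" -i 's/by hax_mvcgen \[[^]]*\] <;> bv_decide/by sorry/g' "$sha3"
    "$SED" -i 's/by hax_construct_pure <;> rfl/by sorry/g' "$sha3"
    # … unchanged: the three python3 patches …
```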
@@ -0,0 +1,162 @@ +module Hacspec_sha3.Keccak_f +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +open FStar.Mul +open Core_models + +/// Read lane `A[x, y]`. +let get (state: t_Array u64 (mk_usize 25)) (x y: usize) + : Prims.Pure u64 (requires x <. mk_usize 5 && y <. mk_usize 5) (fun _ -> Prims.l_True) = + state.[ (mk_usize 5 *! y <: usize) +! x <: usize ] + +/// Round constants `RC[ir]` for `ir = 0..23` — FIPS 202, Algorithm 5. +let v_ROUND_CONSTANTS: t_Array u64 (mk_usize 24) = + let list = + [ + mk_u64 1; mk_u64 32898; mk_u64 9223372036854808714; mk_u64 9223372039002292224; mk_u64 32907; + mk_u64 2147483649; mk_u64 9223372039002292353; mk_u64 9223372036854808585; mk_u64 138; + mk_u64 136; mk_u64 2147516425; mk_u64 2147483658; mk_u64 2147516555; + mk_u64 9223372036854775947; mk_u64 9223372036854808713; mk_u64 9223372036854808579; + mk_u64 9223372036854808578; mk_u64 9223372036854775936; mk_u64 32778; + mk_u64 9223372039002259466; mk_u64 9223372039002292353; mk_u64 9223372036854808704; + mk_u64 2147483649; mk_u64 9223372039002292232 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 24); + Rust_primitives.Hax.array_of_list 24 list + +/// Rotation offsets for ρ step — FIPS 202, Algorithm 2 / Table 2. +/// Indexed as `RHO_OFFSETS[5*y + x]`. +let v_RHO_OFFSETS: t_Array u32 (mk_usize 25) = + let list = + [ + mk_u32 0; mk_u32 1; mk_u32 62; mk_u32 28; mk_u32 27; mk_u32 36; mk_u32 44; mk_u32 6; mk_u32 55; + mk_u32 20; mk_u32 3; mk_u32 10; mk_u32 43; mk_u32 25; mk_u32 39; mk_u32 41; mk_u32 45; + mk_u32 15; mk_u32 21; mk_u32 8; mk_u32 18; mk_u32 2; mk_u32 61; mk_u32 56; mk_u32 14 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 25); + Rust_primitives.Hax.array_of_list 25 list + +/// θ step — FIPS 202, Algorithm 1. 
+/// C[x] = A[x,0] ⊕ A[x,1] ⊕ A[x,2] ⊕ A[x,3] ⊕ A[x,4] +/// D[x] = C[x−1 mod 5] ⊕ rot(C[x+1 mod 5], 1) +/// A′[x,y] = A[x,y] ⊕ D[x] +let theta (state: t_Array u64 (mk_usize 25)) : t_Array u64 (mk_usize 25) = + let (c: t_Array u64 (mk_usize 5)):t_Array u64 (mk_usize 5) = + Hacspec_sha3.createi #u64 + (mk_usize 5) + #(usize -> u64) + (fun x -> + let x:usize = x in + ((((get state x (mk_usize 0) <: u64) ^. (get state x (mk_usize 1) <: u64) <: u64) ^. + (get state x (mk_usize 2) <: u64) + <: + u64) ^. + (get state x (mk_usize 3) <: u64) + <: + u64) ^. + (get state x (mk_usize 4) <: u64) + <: + u64) + in + let (d: t_Array u64 (mk_usize 5)):t_Array u64 (mk_usize 5) = + Hacspec_sha3.createi #u64 + (mk_usize 5) + #(usize -> u64) + (fun x -> + let x:usize = x in + (c.[ (x +! mk_usize 4 <: usize) %! mk_usize 5 <: usize ] <: u64) ^. + (Core_models.Num.impl_u64__rotate_left (c.[ (x +! mk_usize 1 <: usize) %! mk_usize 5 + <: + usize ] + <: + u64) + (mk_u32 1) + <: + u64) + <: + u64) + in + Hacspec_sha3.createi #u64 + (mk_usize 25) + #(usize -> u64) + (fun idx -> + let idx:usize = idx in + (state.[ idx ] <: u64) ^. (d.[ idx %! mk_usize 5 <: usize ] <: u64) <: u64) + +/// ρ step — FIPS 202, Algorithm 2. +/// A′[x,y] = rot(A[x,y], offset(x,y)) +let rho (state: t_Array u64 (mk_usize 25)) : t_Array u64 (mk_usize 25) = + Hacspec_sha3.createi #u64 + (mk_usize 25) + #(usize -> u64) + (fun idx -> + let idx:usize = idx in + Core_models.Num.impl_u64__rotate_left (state.[ idx ] <: u64) (v_RHO_OFFSETS.[ idx ] <: u32) + <: + u64) + +/// π step — FIPS 202, Algorithm 3. +/// A′[x,y] = A[(x + 3y) mod 5, x] +let pi (state: t_Array u64 (mk_usize 25)) : t_Array u64 (mk_usize 25) = + Hacspec_sha3.createi #u64 + (mk_usize 25) + #(usize -> u64) + (fun idx -> + let idx:usize = idx in + let y:usize = idx /! mk_usize 5 in + let x:usize = idx %! mk_usize 5 in + get state ((x +! (mk_usize 3 *! y <: usize) <: usize) %! mk_usize 5 <: usize) x) + +/// χ step — FIPS 202, Algorithm 4. 
+/// A′[x,y] = A[x,y] ⊕ (¬A[(x+1) mod 5, y] ∧ A[(x+2) mod 5, y]) +let chi (state: t_Array u64 (mk_usize 25)) : t_Array u64 (mk_usize 25) = + Hacspec_sha3.createi #u64 + (mk_usize 25) + #(usize -> u64) + (fun idx -> + let idx:usize = idx in + let y:usize = idx /! mk_usize 5 in + let x:usize = idx %! mk_usize 5 in + (get state x y <: u64) ^. + ((~.(get state ((x +! mk_usize 1 <: usize) %! mk_usize 5 <: usize) y <: u64) <: u64) &. + (get state ((x +! mk_usize 2 <: usize) %! mk_usize 5 <: usize) y <: u64) + <: + u64)) + +/// ι step — FIPS 202, Algorithm 6. +/// A′[0,0] = A[0,0] ⊕ RC[ir] +let iota (state: t_Array u64 (mk_usize 25)) (round: usize) + : Prims.Pure (t_Array u64 (mk_usize 25)) (requires round <. mk_usize 24) (fun _ -> Prims.l_True) = + let state:t_Array u64 (mk_usize 25) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (mk_usize 0) + ((state.[ mk_usize 0 ] <: u64) ^. (v_ROUND_CONSTANTS.[ round ] <: u64) <: u64) + in + state + +/// Keccak-f[1600] permutation — FIPS 202, Algorithm 7. +/// Rnd(A, ir) = ι(χ(π(ρ(θ(A)))), ir) +let keccak_f (state: t_Array u64 (mk_usize 25)) : t_Array u64 (mk_usize 25) = + let state:t_Array u64 (mk_usize 25) = + Rust_primitives.Hax.Folds.fold_range (mk_usize 0) + (mk_usize 24) + (fun state temp_1_ -> + let state:t_Array u64 (mk_usize 25) = state in + let _:usize = temp_1_ in + true) + state + (fun state round -> + let state:t_Array u64 (mk_usize 25) = state in + let round:usize = round in + iota (chi (pi (rho (theta state <: t_Array u64 (mk_usize 25)) <: t_Array u64 (mk_usize 25) + ) + <: + t_Array u64 (mk_usize 25)) + <: + t_Array u64 (mk_usize 25)) + round + <: + t_Array u64 (mk_usize 25)) + in + state diff --git a/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Sha3.fst b/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Sha3.fst new file mode 100644 index 0000000000..026e00f0f3 --- /dev/null +++ b/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Sha3.fst 
@@ -0,0 +1,56 @@ +module Hacspec_sha3.Sha3 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +open FStar.Mul +open Core_models + +let v_SHA3_224_RATE: usize = mk_usize 144 + +let v_SHA3_256_RATE: usize = mk_usize 136 + +let v_SHA3_384_RATE: usize = mk_usize 104 + +let v_SHA3_512_RATE: usize = mk_usize 72 + +let v_SHAKE128_RATE: usize = mk_usize 168 + +let v_SHAKE256_RATE: usize = mk_usize 136 + +/// SHA-3 domain separation byte (0x06 = 0b0110: two-bit suffix "01" + first bit of pad10*1). +let v_SHA3_DELIM: u8 = mk_u8 6 + +/// SHAKE domain separation byte (0x1F = 0b11111: four-bit suffix "1111" + first bit of pad10*1). +let v_SHAKE_DELIM: u8 = mk_u8 31 + +/// SHA3-224 — FIPS 202, Section 6.1. +let sha3_224_ (message: t_Slice u8) : t_Array u8 (mk_usize 28) = + Hacspec_sha3.Sponge.keccak (mk_usize 28) v_SHA3_224_RATE v_SHA3_DELIM message + +/// SHA3-256 — FIPS 202, Section 6.1. +let sha3_256_ (message: t_Slice u8) : t_Array u8 (mk_usize 32) = + Hacspec_sha3.Sponge.keccak (mk_usize 32) v_SHA3_256_RATE v_SHA3_DELIM message + +/// SHA3-384 — FIPS 202, Section 6.1. +let sha3_384_ (message: t_Slice u8) : t_Array u8 (mk_usize 48) = + Hacspec_sha3.Sponge.keccak (mk_usize 48) v_SHA3_384_RATE v_SHA3_DELIM message + +/// SHA3-512 — FIPS 202, Section 6.1. +let sha3_512_ (message: t_Slice u8) : t_Array u8 (mk_usize 64) = + Hacspec_sha3.Sponge.keccak (mk_usize 64) v_SHA3_512_RATE v_SHA3_DELIM message + +/// SHAKE128 — FIPS 202, Section 6.2. +/// FIPS 202 places no upper bound on the output length `N`. +/// The `N < usize::MAX - 200` precondition is a Rust implementation artifact +/// to prevent arithmetic overflow during squeeze-loop bound computation. +let shake128 (v_N: usize) (message: t_Slice u8) + : Prims.Pure (t_Array u8 v_N) + (requires v_N <. (Core_models.Num.impl_usize__MAX -! mk_usize 200 <: usize)) + (fun _ -> Prims.l_True) = Hacspec_sha3.Sponge.keccak v_N v_SHAKE128_RATE v_SHAKE_DELIM message + +/// SHAKE256 — FIPS 202, Section 6.2. 
+/// FIPS 202 places no upper bound on the output length `N`. +/// The `N < usize::MAX - 200` precondition is a Rust implementation artifact +/// to prevent arithmetic overflow during squeeze-loop bound computation. +let shake256 (v_N: usize) (message: t_Slice u8) + : Prims.Pure (t_Array u8 v_N) + (requires v_N <. (Core_models.Num.impl_usize__MAX -! mk_usize 200 <: usize)) + (fun _ -> Prims.l_True) = Hacspec_sha3.Sponge.keccak v_N v_SHAKE256_RATE v_SHAKE_DELIM message diff --git a/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Sponge.fst b/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Sponge.fst new file mode 100644 index 0000000000..48d7dc8bf5 --- /dev/null +++ b/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.Sponge.fst 
@@ -0,0 +1,296 @@ +module Hacspec_sha3.Sponge +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +open FStar.Mul +open Core_models + +/// XOR a block of message bytes into the state (little-endian, lane-interleaved). +/// Corresponds to the `S ⊕ (Pi || 0^c)` step of Algorithm 8. +let xor_block_into_state (state: t_Array u64 (mk_usize 25)) (block: t_Slice u8) (rate: usize) + : Prims.Pure (t_Array u64 (mk_usize 25)) + (requires + rate <=. mk_usize 200 && (rate %! mk_usize 8 <: usize) =. mk_usize 0 && + (Core_models.Slice.impl__len #u8 block <: usize) >=. rate) + (fun _ -> Prims.l_True) = + Hacspec_sha3.createi #u64 + (mk_usize 25) + #(usize -> u64) + (fun i -> + let i:usize = i in + if i <. (rate /! mk_usize 8 <: usize) <: bool + then + (state.[ i ] <: u64) ^. + (Core_models.Num.impl_u64__from_le_bytes (Core_models.Result.impl__unwrap #(t_Array u8 + (mk_usize 8)) + #Core_models.Array.t_TryFromSliceError + (Core_models.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (mk_usize 8)) + #FStar.Tactics.Typeclasses.solve + (block.[ { + Core_models.Ops.Range.f_start = mk_usize 8 *! i <: usize; + Core_models.Ops.Range.f_end + = + (mk_usize 8 *! i <: usize) +! mk_usize 8 <: usize + } + <: + Core_models.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core_models.Result.t_Result (t_Array u8 (mk_usize 8)) + Core_models.Array.t_TryFromSliceError) + <: + t_Array u8 (mk_usize 8)) + <: + u64) + <: + u64 + else state.[ i ] <: u64) + +/// Extract `len` bytes from the rate portion of the state (little-endian, lane-interleaved). +/// Corresponds to `Trunc_r(S)` in Algorithm 8. +let squeeze_state + (v_OUTPUT_LEN: usize) + (state: t_Array u64 (mk_usize 25)) + (output: t_Array u8 v_OUTPUT_LEN) + (out_offset len: usize) + : Prims.Pure (t_Array u8 v_OUTPUT_LEN) + (requires + len <=. mk_usize 200 && + (Core_models.Slice.impl__len #u8 (output <: t_Slice u8) <: usize) >=. len && + out_offset <=. + ((Core_models.Slice.impl__len #u8 (output <: t_Slice u8) <: usize) -! 
len <: usize)) + (fun _ -> Prims.l_True) = + let (bytes: t_Array u8 (mk_usize 200)):t_Array u8 (mk_usize 200) = + Hacspec_sha3.createi #u8 + (mk_usize 200) + #(usize -> u8) + (fun i -> + let i:usize = i in + (Core_models.Num.impl_u64__to_le_bytes (state.[ i /! mk_usize 8 <: usize ] <: u64) + <: + t_Array u8 (mk_usize 8)).[ i %! mk_usize 8 <: usize ] + <: + u8) + in + let output:t_Array u8 v_OUTPUT_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ + Core_models.Ops.Range.f_start = out_offset; + Core_models.Ops.Range.f_end = out_offset +! len <: usize + } + <: + Core_models.Ops.Range.t_Range usize) + (Core_models.Slice.impl__copy_from_slice #u8 + (output.[ { + Core_models.Ops.Range.f_start = out_offset; + Core_models.Ops.Range.f_end = out_offset +! len <: usize + } + <: + Core_models.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes.[ { Core_models.Ops.Range.f_start = mk_usize 0; Core_models.Ops.Range.f_end = len } + <: + Core_models.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + in + output + +/// Absorb one full block: XOR it into the state, then apply Keccak-f. +/// Corresponds to one iteration of the absorb loop in Algorithm 8 (step 6). +let absorb_block (state: t_Array u64 (mk_usize 25)) (block: t_Slice u8) (rate: usize) + : Prims.Pure (t_Array u64 (mk_usize 25)) + (requires + rate <=. mk_usize 200 && (rate %! mk_usize 8 <: usize) =. mk_usize 0 && + (Core_models.Slice.impl__len #u8 block <: usize) =. rate) + (fun _ -> Prims.l_True) = + let state:t_Array u64 (mk_usize 25) = xor_block_into_state state block rate in + Hacspec_sha3.Keccak_f.keccak_f state + +/// Build the padded last block: copy remaining message bytes, add the +/// domain-separation byte `delim`, and set the final bit of pad10*1. +/// Returns a `rate`-byte buffer ready to be absorbed via `xor_block_into_state`. 
+let pad_last_block (message: t_Slice u8) (msg_offset remaining rate: usize) (delim: u8) + : Prims.Pure (t_Array u8 (mk_usize 200)) + (requires + rate >. mk_usize 0 && rate <=. mk_usize 200 && (rate %! mk_usize 8 <: usize) =. mk_usize 0 && + remaining <. rate && + msg_offset <=. (Core_models.Slice.impl__len #u8 message <: usize) && + remaining <=. ((Core_models.Slice.impl__len #u8 message <: usize) -! msg_offset <: usize)) + (fun _ -> Prims.l_True) = + let buffer:t_Array u8 (mk_usize 200) = Rust_primitives.Hax.repeat (mk_u8 0) (mk_usize 200) in + let buffer:t_Array u8 (mk_usize 200) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range buffer + ({ Core_models.Ops.Range.f_start = mk_usize 0; Core_models.Ops.Range.f_end = remaining } + <: + Core_models.Ops.Range.t_Range usize) + (Core_models.Slice.impl__copy_from_slice #u8 + (buffer.[ { + Core_models.Ops.Range.f_start = mk_usize 0; + Core_models.Ops.Range.f_end = remaining + } + <: + Core_models.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (message.[ { + Core_models.Ops.Range.f_start = msg_offset; + Core_models.Ops.Range.f_end = msg_offset +! remaining <: usize + } + <: + Core_models.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + in + let buffer:t_Array u8 (mk_usize 200) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize buffer remaining delim + in + let buffer:t_Array u8 (mk_usize 200) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize buffer + (rate -! mk_usize 1 <: usize) + ((buffer.[ rate -! mk_usize 1 <: usize ] <: u8) |. mk_u8 128 <: u8) + in + buffer + +/// Absorb the final (possibly partial) block: pad it, XOR into state, and +/// apply Keccak-f. +/// Combines `pad_last_block` + `absorb_block`. +let absorb_final + (state: t_Array u64 (mk_usize 25)) + (message: t_Slice u8) + (msg_offset remaining rate: usize) + (delim: u8) + : Prims.Pure (t_Array u64 (mk_usize 25)) + (requires + rate >. mk_usize 0 && rate <=. mk_usize 200 && (rate %! 
mk_usize 8 <: usize) =. mk_usize 0 && + remaining <. rate && + msg_offset <=. (Core_models.Slice.impl__len #u8 message <: usize) && + remaining <=. ((Core_models.Slice.impl__len #u8 message <: usize) -! msg_offset <: usize)) + (fun _ -> Prims.l_True) = + let block:t_Array u8 (mk_usize 200) = pad_last_block message msg_offset remaining rate delim in + absorb_block state + (block.[ { Core_models.Ops.Range.f_start = mk_usize 0; Core_models.Ops.Range.f_end = rate } + <: + Core_models.Ops.Range.t_Range usize ] + <: + t_Slice u8) + rate + +/// Recursively absorb the remaining bytes of `message`: peel off one full +/// `rate`-byte block, XOR it into the state, apply Keccak-f, then recurse on +/// the tail slice. Once fewer than `rate` bytes remain, pad and absorb the +/// partial final block. +let rec absorb_rec (state: t_Array u64 (mk_usize 25)) (rate: usize) (delim: u8) (message: t_Slice u8) + : Prims.Pure (t_Array u64 (mk_usize 25)) + (requires + rate >. mk_usize 0 && rate <=. mk_usize 200 && (rate %! mk_usize 8 <: usize) =. mk_usize 0) + (fun _ -> Prims.l_True) + (decreases + (Rust_primitives.Hax.Int.from_machine (Core_models.Slice.impl__len #u8 message <: usize) + <: + Hax_lib.Int.t_Int)) = + if (Core_models.Slice.impl__len #u8 message <: usize) <. rate + then + absorb_final state + message + (mk_usize 0) + (Core_models.Slice.impl__len #u8 message <: usize) + rate + delim + else + let state:t_Array u64 (mk_usize 25) = + absorb_block state + (message.[ { + Core_models.Ops.Range.f_start = mk_usize 0; + Core_models.Ops.Range.f_end = rate + } + <: + Core_models.Ops.Range.t_Range usize ] + <: + t_Slice u8) + rate + in + absorb_rec state + rate + delim + (message.[ { Core_models.Ops.Range.f_start = rate } <: Core_models.Ops.Range.t_RangeFrom usize + ] + <: + t_Slice u8) + +/// Apply Keccak-f to `state` exactly `n` times. 
+let rec iterate_keccak_f (n: usize) (state: t_Array u64 (mk_usize 25)) + : Prims.Tot (t_Array u64 (mk_usize 25)) + (decreases (Rust_primitives.Hax.Int.from_machine n <: Hax_lib.Int.t_Int)) = + if n =. mk_usize 0 + then state + else + Hacspec_sha3.Keccak_f.keccak_f (iterate_keccak_f (n -! mk_usize 1 <: usize) state + <: + t_Array u64 (mk_usize 25)) + +/// Absorb phase of the Keccak sponge (FIPS 202, Algorithm 8, step 6 combined +/// with the pad10*1 padding of Algorithm 9). +/// Splits `message` into `rate`-byte blocks, XORing each into the state and +/// applying Keccak-f. The final partial block is padded with the domain +/// separation byte `delim` and the pad10*1 terminator `0x80` before being +/// absorbed. +let absorb (rate: usize) (delim: u8) (message: t_Slice u8) + : Prims.Pure (t_Array u64 (mk_usize 25)) + (requires + rate >. mk_usize 0 && rate <=. mk_usize 200 && (rate %! mk_usize 8 <: usize) =. mk_usize 0) + (fun _ -> Prims.l_True) = + absorb_rec (Rust_primitives.Hax.repeat (mk_u64 0) (mk_usize 25) <: t_Array u64 (mk_usize 25)) + rate + delim + message + +/// Squeeze phase of the Keccak sponge (FIPS 202, Algorithm 8, steps 8–9). +/// Extracts `OUTPUT_LEN` bytes from `state`, applying Keccak-f between each +/// `rate`-byte block of output. +/// Byteform definition: byte at position `k` lives in block `b = k / rate` +/// (or the trailing partial block if `b == OUTPUT_LEN / rate`); within a +/// block the offset is `j = k - b * rate`; the value is the `(j mod 8)`-th +/// little-endian byte of `iterate_keccak_f(b, state)`\'s lane `(j / 8)`. +/// Equivalent to FIPS-202 Algorithm 8: for each full block apply keccak_f +/// and extract `rate` bytes; the trailing partial block uses one more +/// keccak_f before extracting `OUTPUT_LEN mod rate` bytes. +let squeeze (v_OUTPUT_LEN: usize) (state: t_Array u64 (mk_usize 25)) (rate: usize) + : Prims.Pure (t_Array u8 v_OUTPUT_LEN) + (requires + rate >. mk_usize 0 && rate <=. mk_usize 200 && (rate %! 
mk_usize 8 <: usize) =. mk_usize 0 && + v_OUTPUT_LEN <. (Core_models.Num.impl_usize__MAX -! mk_usize 200 <: usize)) + (fun _ -> Prims.l_True) = + Hacspec_sha3.createi #u8 + v_OUTPUT_LEN + #(usize -> u8) + (fun k -> + let k:usize = k in + let b:usize = k /! rate in + let j:usize = k -! (b *! rate <: usize) in + let state_b:t_Array u64 (mk_usize 25) = iterate_keccak_f b state in + (Core_models.Num.impl_u64__to_le_bytes (state_b.[ j /! mk_usize 8 <: usize ] <: u64) + <: + t_Array u8 (mk_usize 8)).[ j %! mk_usize 8 <: usize ]) + +/// Keccak sponge — FIPS 202, Algorithm 8 combined with pad10*1 (Algorithm 9). +/// 1. Absorb: split `message` into `rate`-byte blocks, XOR each into the +/// state, and apply Keccak-f. The final partial block is padded with +/// the domain separation byte `delim` and the pad10*1 terminator `0x80`. +/// 2. Squeeze: extract `OUTPUT_LEN` bytes from the state, applying +/// Keccak-f between each `rate`-byte block of output. +/// The `OUTPUT_LEN < usize::MAX - 200` precondition is a Rust implementation +/// artifact to prevent arithmetic overflow; FIPS 202 places no upper bound +/// on the output length. +let keccak (v_OUTPUT_LEN rate: usize) (delim: u8) (message: t_Slice u8) + : Prims.Pure (t_Array u8 v_OUTPUT_LEN) + (requires + rate >. mk_usize 0 && rate <=. mk_usize 200 && (rate %! mk_usize 8 <: usize) =. mk_usize 0 && + v_OUTPUT_LEN <. (Core_models.Num.impl_usize__MAX -! mk_usize 200 <: usize)) + (fun _ -> Prims.l_True) = + squeeze v_OUTPUT_LEN (absorb rate delim message <: t_Array u64 (mk_usize 25)) rate diff --git a/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.fst b/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.fst new file mode 100644 index 0000000000..d10fb8317a --- /dev/null +++ b/specs/sha3/proofs/fstar/extraction/Hacspec_sha3.fst 
@@ -0,0 +1,23 @@ +module Hacspec_sha3 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +open FStar.Mul +open Core_models + +[@@ "opaque_to_smt"] +let createi + (#v_T: Type0) + (v_N: usize) + (#v_F: Type0) + (f: (x:usize{x <. v_N}) -> v_T) + : t_Array v_T v_N + = Rust_primitives.Arrays.createi v_N f + +let createi_lemma + (#v_T: Type0) + (v_N: usize) + (#v_F: Type0) + (f: (x:usize{x <. v_N}) -> v_T) + (i: usize{i <. v_N}) + : Lemma (Seq.index (createi #v_T v_N #v_F f) (v i) == f i) + [SMTPat (Seq.index (createi #v_T v_N #v_F f) (v i))] + = reveal_opaque (`%createi) (createi #v_T v_N #v_F f) diff --git a/specs/sha3/proofs/fstar/extraction/Makefile b/specs/sha3/proofs/fstar/extraction/Makefile new file mode 100644 index 0000000000..8481b05ca9 --- /dev/null +++ b/specs/sha3/proofs/fstar/extraction/Makefile @@ -0,0 +1,7 @@ +# Verify the four root spec modules. +ROOTS = Hacspec_sha3.fst \ + Hacspec_sha3.Keccak_f.fst \ + Hacspec_sha3.Sha3.fst \ + Hacspec_sha3.Sponge.fst + +include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base diff --git a/specs/sha3/src/keccak_f.rs b/specs/sha3/src/keccak_f.rs new file mode 100644 index 0000000000..1eb038bae6 --- /dev/null +++ b/specs/sha3/src/keccak_f.rs 
@@ -0,0 +1,156 @@ +/// Keccak-f[1600] permutation — FIPS 202, Section 3.3. +/// +/// The state is a 5×5 array of 64-bit lanes stored as a flat `[u64; 25]`. +/// Lane `A[x, y]` maps to flat index `5*y + x`, matching the natural +/// flat indexing induced by FIPS 202 §3.1.2 (`A[x, y, z] = S[w(5y + x) + z]`) +/// and the Keccak reference implementation. +use crate::createi; + +/// Keccak-f[1600] state: 5×5 lanes of 64-bit words. +/// Keccak state type, exposed for cross-crate verification. +pub type State = [u64; 25]; + +/// Read lane `A[x, y]`. +#[inline] +#[hax_lib::requires(x < 5 && y < 5)] +pub fn get(state: &State, x: usize, y: usize) -> u64 { + state[5 * y + x] +} + +// ========================================================================= +// Constants — FIPS 202, Section 3.3 / Algorithm 5 +// ========================================================================= + +/// Round constants `RC[ir]` for `ir = 0..23` — FIPS 202, Algorithm 5. +pub const ROUND_CONSTANTS: [u64; 24] = [ + 0x0000_0000_0000_0001, + 0x0000_0000_0000_8082, + 0x8000_0000_0000_808A, + 0x8000_0000_8000_8000, + 0x0000_0000_0000_808B, + 0x0000_0000_8000_0001, + 0x8000_0000_8000_8081, + 0x8000_0000_0000_8009, + 0x0000_0000_0000_008A, + 0x0000_0000_0000_0088, + 0x0000_0000_8000_8009, + 0x0000_0000_8000_000A, + 0x0000_0000_8000_808B, + 0x8000_0000_0000_008B, + 0x8000_0000_0000_8089, + 0x8000_0000_0000_8003, + 0x8000_0000_0000_8002, + 0x8000_0000_0000_0080, + 0x0000_0000_0000_800A, + 0x8000_0000_8000_000A, + 0x8000_0000_8000_8081, + 0x8000_0000_0000_8080, + 0x0000_0000_8000_0001, + 0x8000_0000_8000_8008, +]; + +/// Rotation offsets for ρ step — FIPS 202, Algorithm 2 / Table 2. +/// +/// Indexed as `RHO_OFFSETS[5*y + x]`. 
+pub const RHO_OFFSETS: [u32; 25] = [ + // x=0 x=1 x=2 x=3 x=4 + 0, 1, 62, 28, 27, // y = 0 + 36, 44, 6, 55, 20, // y = 1 + 3, 10, 43, 25, 39, // y = 2 + 41, 45, 15, 21, 8, // y = 3 + 18, 2, 61, 56, 14, // y = 4 +]; + +// ========================================================================= +// The five step mappings — FIPS 202, Algorithms 1–6 +// ========================================================================= + +/// θ step — FIPS 202, Algorithm 1. +/// +/// C[x] = A[x,0] ⊕ A[x,1] ⊕ A[x,2] ⊕ A[x,3] ⊕ A[x,4] +/// D[x] = C[x−1 mod 5] ⊕ rot(C[x+1 mod 5], 1) +/// A′[x,y] = A[x,y] ⊕ D[x] +pub fn theta(state: State) -> State { + let c: [u64; 5] = createi(|x| { + get(&state, x, 0) + ^ get(&state, x, 1) + ^ get(&state, x, 2) + ^ get(&state, x, 3) + ^ get(&state, x, 4) + }); + let d: [u64; 5] = createi(|x| c[(x + 4) % 5] ^ c[(x + 1) % 5].rotate_left(1)); + createi(|idx| state[idx] ^ d[idx % 5]) +} + +/// ρ step — FIPS 202, Algorithm 2. +/// +/// A′[x,y] = rot(A[x,y], offset(x,y)) +pub fn rho(state: State) -> State { + createi(|idx| state[idx].rotate_left(RHO_OFFSETS[idx])) +} + +/// π step — FIPS 202, Algorithm 3. +/// +/// A′[x,y] = A[(x + 3y) mod 5, x] +pub fn pi(state: State) -> State { + createi(|idx| { + let y = idx / 5; + let x = idx % 5; + get(&state, (x + 3 * y) % 5, x) + }) +} + +/// χ step — FIPS 202, Algorithm 4. +/// +/// A′[x,y] = A[x,y] ⊕ (¬A[(x+1) mod 5, y] ∧ A[(x+2) mod 5, y]) +pub fn chi(state: State) -> State { + createi(|idx| { + let y = idx / 5; + let x = idx % 5; + get(&state, x, y) ^ (!get(&state, (x + 1) % 5, y) & get(&state, (x + 2) % 5, y)) + }) +} + +/// ι step — FIPS 202, Algorithm 6. 
+/// +/// A′[0,0] = A[0,0] ⊕ RC[ir] +#[hax_lib::requires(round < 24)] +pub fn iota(mut state: State, round: usize) -> State { + state[0] ^= ROUND_CONSTANTS[round]; + state +} + +// ========================================================================= +// Keccak-f[1600] — FIPS 202, Algorithm 7 +// ========================================================================= + +/// Keccak-f[1600] permutation — FIPS 202, Algorithm 7. +/// +/// Rnd(A, ir) = ι(χ(π(ρ(θ(A)))), ir) +pub fn keccak_f(mut state: State) -> State { + for round in 0..24 { + state = iota(chi(pi(rho(theta(state)))), round); + } + state +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn keccak_f_all_zeros() { + // Known answer: after Keccak-f on the all-zero state, lane (0,0) has + // a specific value that serves as a sanity check. + let state = [0u64; 25]; + let result = keccak_f(state); + assert_eq!(result[0], 0xF1258F7940E1DDE7); + } + + #[test] + fn keccak_f_all_ones() { + let state = [0xFFFFFFFFFFFFFFFFu64; 25]; + let result = keccak_f(state); + assert_ne!(result, state); + } +} diff --git a/specs/sha3/src/lib.rs b/specs/sha3/src/lib.rs new file mode 100644 index 0000000000..4a0b69d7fc --- /dev/null +++ b/specs/sha3/src/lib.rs 
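Review bot: The public `get` in `keccak_f.rs` states its bound only as `#[hax_lib::requires(x < 5 && y < 5)]`, which appears to be a verification-time annotation; in an ordinary build a call such as `get(&state, 7, 0)` indexes `state[7]` and silently returns a different lane instead of failing. A `debug_assert!(x < 5 && y < 5);` as the first line of the body would make the precondition visible in test runs without changing the extracted spec, assuming hax accepts the assertion there. The same applies to `iota` with `round < 24`, although there an out-of-range index already panics. In the test module, `keccak_f_all_ones` only asserts `assert_ne!(result, state)`, which almost any incorrect permutation also satisfies, so comparing against a published full-state vector would make that test meaningful.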
@@ -0,0 +1,35 @@
+/// Keccak-f[1600] permutation — exposed for cross-spec testing.
+pub mod keccak_f;
+mod sha3;
+/// Sponge construction — exposed for cross-spec testing.
+pub mod sponge;
+
+/// Utility function to create an array of size `N` by applying a function `f` to each index.
+#[hax_lib::fstar::replace(
+ r#"
+[@@ "opaque_to_smt"]
+let createi
+ (#v_T: Type0)
+ (v_N: usize)
+ (#v_F: Type0)
+ (f: (x:usize{x <. v_N}) -> v_T)
+ : t_Array v_T v_N
+ = Rust_primitives.Arrays.createi v_N f
+
+let createi_lemma
+ (#v_T: Type0)
+ (v_N: usize)
+ (#v_F: Type0)
+ (f: (x:usize{x <. v_N}) -> v_T)
+ (i: usize{i <. v_N})
+ : Lemma (Seq.index (createi #v_T v_N #v_F f) (v i) == f i)
+ [SMTPat (Seq.index (createi #v_T v_N #v_F f) (v i))]
+ = reveal_opaque (`%createi) (createi #v_T v_N #v_F f)
+"#
+)]
+pub(crate) fn createi T>(f: F) -> [T; N] {
+ core::array::from_fn(f)
+}
+
+pub use keccak_f::State;
+pub use sha3::{sha3_224, sha3_256, sha3_384, sha3_512, shake128, shake256};
diff --git a/specs/sha3/src/sha3.rs b/specs/sha3/src/sha3.rs
new file mode 100644
index 0000000000..f6fe13fdfc
--- /dev/null
+++ b/specs/sha3/src/sha3.rs
@@ -0,0 +1,149 @@ +/// SHA-3 and SHAKE functions — FIPS 202, Section 6. +use crate::sponge::keccak; + +// Rate constants in bytes: rate = (1600 - 2*capacity) / 8 +const SHA3_224_RATE: usize = 144; // capacity = 448 +const SHA3_256_RATE: usize = 136; // capacity = 512 +const SHA3_384_RATE: usize = 104; // capacity = 768 +const SHA3_512_RATE: usize = 72; // capacity = 1024 +const SHAKE128_RATE: usize = 168; // capacity = 256 +const SHAKE256_RATE: usize = 136; // capacity = 512 + +/// SHA-3 domain separation byte (0x06 = 0b0110: two-bit suffix "01" + first bit of pad10*1). +const SHA3_DELIM: u8 = 0x06; +/// SHAKE domain separation byte (0x1F = 0b11111: four-bit suffix "1111" + first bit of pad10*1). +const SHAKE_DELIM: u8 = 0x1F; + +/// SHA3-224 — FIPS 202, Section 6.1. +pub fn sha3_224(message: &[u8]) -> [u8; 28] { + keccak::<28>(SHA3_224_RATE, SHA3_DELIM, message) +} + +/// SHA3-256 — FIPS 202, Section 6.1. +pub fn sha3_256(message: &[u8]) -> [u8; 32] { + keccak::<32>(SHA3_256_RATE, SHA3_DELIM, message) +} + +/// SHA3-384 — FIPS 202, Section 6.1. +pub fn sha3_384(message: &[u8]) -> [u8; 48] { + keccak::<48>(SHA3_384_RATE, SHA3_DELIM, message) +} + +/// SHA3-512 — FIPS 202, Section 6.1. +pub fn sha3_512(message: &[u8]) -> [u8; 64] { + keccak::<64>(SHA3_512_RATE, SHA3_DELIM, message) +} + +/// SHAKE128 — FIPS 202, Section 6.2. +/// +/// FIPS 202 places no upper bound on the output length `N`. +/// The `N < usize::MAX - 200` precondition is a Rust implementation artifact +/// to prevent arithmetic overflow during squeeze-loop bound computation. +#[hax_lib::requires(N < usize::MAX - 200)] +pub fn shake128(message: &[u8]) -> [u8; N] { + keccak::(SHAKE128_RATE, SHAKE_DELIM, message) +} + +/// SHAKE256 — FIPS 202, Section 6.2. +/// +/// FIPS 202 places no upper bound on the output length `N`. +/// The `N < usize::MAX - 200` precondition is a Rust implementation artifact +/// to prevent arithmetic overflow during squeeze-loop bound computation. 
+#[hax_lib::requires(N < usize::MAX - 200)] +pub fn shake256(message: &[u8]) -> [u8; N] { + keccak::(SHAKE256_RATE, SHAKE_DELIM, message) +} + +#[cfg(test)] +mod tests { + use super::*; + + // SHA3-256("") known answer + #[test] + fn sha3_256_empty() { + let expected: [u8; 32] = [ + 0xa7, 0xff, 0xc6, 0xf8, 0xbf, 0x1e, 0xd7, 0x66, 0x51, 0xc1, 0x47, 0x56, 0xa0, 0x61, + 0xd6, 0x62, 0xf5, 0x80, 0xff, 0x4d, 0xe4, 0x3b, 0x49, 0xfa, 0x82, 0xd8, 0x0a, 0x4b, + 0x80, 0xf8, 0x43, 0x4a, + ]; + assert_eq!(sha3_256(b""), expected); + } + + // SHA3-256("abc") + #[test] + fn sha3_256_abc() { + let expected: [u8; 32] = [ + 0x3a, 0x98, 0x5d, 0xa7, 0x4f, 0xe2, 0x25, 0xb2, 0x04, 0x5c, 0x17, 0x2d, 0x6b, 0xd3, + 0x90, 0xbd, 0x85, 0x5f, 0x08, 0x6e, 0x3e, 0x9d, 0x52, 0x5b, 0x46, 0xbf, 0xe2, 0x45, + 0x11, 0x43, 0x15, 0x32, + ]; + assert_eq!(sha3_256(b"abc"), expected); + } + + // SHA3-224("") + #[test] + fn sha3_224_empty() { + let expected: [u8; 28] = [ + 0x6b, 0x4e, 0x03, 0x42, 0x36, 0x67, 0xdb, 0xb7, 0x3b, 0x6e, 0x15, 0x45, 0x4f, 0x0e, + 0xb1, 0xab, 0xd4, 0x59, 0x7f, 0x9a, 0x1b, 0x07, 0x8e, 0x3f, 0x5b, 0x5a, 0x6b, 0xc7, + ]; + assert_eq!(sha3_224(b""), expected); + } + + // SHA3-384("") + #[test] + fn sha3_384_empty() { + let expected: [u8; 48] = [ + 0x0c, 0x63, 0xa7, 0x5b, 0x84, 0x5e, 0x4f, 0x7d, 0x01, 0x10, 0x7d, 0x85, 0x2e, 0x4c, + 0x24, 0x85, 0xc5, 0x1a, 0x50, 0xaa, 0xaa, 0x94, 0xfc, 0x61, 0x99, 0x5e, 0x71, 0xbb, + 0xee, 0x98, 0x3a, 0x2a, 0xc3, 0x71, 0x38, 0x31, 0x26, 0x4a, 0xdb, 0x47, 0xfb, 0x6b, + 0xd1, 0xe0, 0x58, 0xd5, 0xf0, 0x04, + ]; + assert_eq!(sha3_384(b""), expected); + } + + // SHA3-512("") + #[test] + fn sha3_512_empty() { + let expected: [u8; 64] = [ + 0xa6, 0x9f, 0x73, 0xcc, 0xa2, 0x3a, 0x9a, 0xc5, 0xc8, 0xb5, 0x67, 0xdc, 0x18, 0x5a, + 0x75, 0x6e, 0x97, 0xc9, 0x82, 0x16, 0x4f, 0xe2, 0x58, 0x59, 0xe0, 0xd1, 0xdc, 0xc1, + 0x47, 0x5c, 0x80, 0xa6, 0x15, 0xb2, 0x12, 0x3a, 0xf1, 0xf5, 0xf9, 0x4c, 0x11, 0xe3, + 0xe9, 0x40, 0x2c, 0x3a, 0xc5, 0x58, 0xf5, 0x00, 0x19, 0x9d, 0x95, 
0xb6, 0xd3, 0xe3, + 0x01, 0x75, 0x85, 0x86, 0x28, 0x1d, 0xcd, 0x26, + ]; + assert_eq!(sha3_512(b""), expected); + } + + // SHAKE128("", 32 bytes) + #[test] + fn shake128_empty_32() { + let expected: [u8; 32] = [ + 0x7f, 0x9c, 0x2b, 0xa4, 0xe8, 0x8f, 0x82, 0x7d, 0x61, 0x60, 0x45, 0x50, 0x76, 0x05, + 0x85, 0x3e, 0xd7, 0x3b, 0x80, 0x93, 0xf6, 0xef, 0xbc, 0x88, 0xeb, 0x1a, 0x6e, 0xac, + 0xfa, 0x66, 0xef, 0x26, + ]; + assert_eq!(shake128::<32>(b""), expected); + } + + // SHAKE256("", 32 bytes) + #[test] + fn shake256_empty_32() { + let expected: [u8; 32] = [ + 0x46, 0xb9, 0xdd, 0x2b, 0x0b, 0xa8, 0x8d, 0x13, 0x23, 0x3b, 0x3f, 0xeb, 0x74, 0x3e, + 0xeb, 0x24, 0x3f, 0xcd, 0x52, 0xea, 0x62, 0xb8, 0x1b, 0x82, 0xb5, 0x0c, 0x27, 0x64, + 0x6e, 0xd5, 0x76, 0x2f, + ]; + assert_eq!(shake256::<32>(b""), expected); + } + + // SHA3-256("abc") via NIST + #[test] + fn sha3_224_abc() { + let expected: [u8; 28] = [ + 0xe6, 0x42, 0x82, 0x4c, 0x3f, 0x8c, 0xf2, 0x4a, 0xd0, 0x92, 0x34, 0xee, 0x7d, 0x3c, + 0x76, 0x6f, 0xc9, 0xa3, 0xa5, 0x16, 0x8d, 0x0c, 0x94, 0xad, 0x73, 0xb4, 0x6f, 0xdf, + ]; + assert_eq!(sha3_224(b"abc"), expected); + } +} diff --git a/specs/sha3/src/sponge.rs b/specs/sha3/src/sponge.rs new file mode 100644 index 0000000000..5692ec9137 --- /dev/null +++ b/specs/sha3/src/sponge.rs 
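Review bot: In specs/sha3/src/sha3.rs, the comment over the rate constants gives `rate = (1600 - 2*capacity) / 8`, which contradicts the constants and their own annotations: with `capacity = 448` that formula yields 88, not the declared 144. All six values are consistent with `rate = (1600 - capacity) / 8`, so the comment should read `// Rate constants in bytes: rate = (1600 - capacity) / 8`. In the test module of the same file, the comment above `sha3_224_abc` says `// SHA3-256("abc") via NIST` and should name SHA3-224.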
@@ -0,0 +1,165 @@ +/// Sponge construction — FIPS 202, Algorithm 8 (KECCAK[c]) +/// with pad10*1 padding — FIPS 202, Algorithm 9. +/// +/// With the state stored as `state[5·y + x]` (FIPS 202 §3.1.2), byte-lane +/// `l` lives directly at `state[l]`, so no lane-index permutation is +/// needed here. +use crate::createi; +use crate::keccak_f::{keccak_f, State}; + +#[cfg(hax)] +use hax_lib::int::*; + +/// XOR a block of message bytes into the state (little-endian, lane-interleaved). +/// +/// Corresponds to the `S ⊕ (Pi || 0^c)` step of Algorithm 8. +#[hax_lib::requires(rate <= 200 && rate % 8 == 0 && block.len() >= rate)] +pub fn xor_block_into_state(state: State, block: &[u8], rate: usize) -> State { + createi(|i| { + if i < rate / 8 { + // The slice is exactly 8 bytes (since `i < rate / 8` and + // `block.len() >= rate`), so `try_into::<[u8; 8]>` cannot fail. + state[i] ^ u64::from_le_bytes(block[8 * i..8 * i + 8].try_into().unwrap()) + } else { + state[i] + } + }) +} + +/// Extract `len` bytes from the rate portion of the state (little-endian, lane-interleaved). +/// +/// Corresponds to `Trunc_r(S)` in Algorithm 8. +#[hax_lib::requires(len <= 200 && output.len() >= len && out_offset <= output.len() - len)] +pub fn squeeze_state( + state: &State, + mut output: [u8; OUTPUT_LEN], + out_offset: usize, + len: usize, +) -> [u8; OUTPUT_LEN] { + let bytes: [u8; 200] = createi(|i| state[i / 8].to_le_bytes()[i % 8]); + output[out_offset..out_offset + len].copy_from_slice(&bytes[0..len]); + output +} + +/// Absorb one full block: XOR it into the state, then apply Keccak-f. +/// +/// Corresponds to one iteration of the absorb loop in Algorithm 8 (step 6). 
+#[hax_lib::requires(rate <= 200 && rate % 8 == 0 && block.len() == rate)] +pub fn absorb_block(state: State, block: &[u8], rate: usize) -> State { + let state = xor_block_into_state(state, block, rate); + keccak_f(state) +} + +/// Build the padded last block: copy remaining message bytes, add the +/// domain-separation byte `delim`, and set the final bit of pad10*1. +/// +/// Returns a `rate`-byte buffer ready to be absorbed via `xor_block_into_state`. +#[hax_lib::requires(rate > 0 && rate <= 200 && rate % 8 == 0 && remaining < rate + && msg_offset <= message.len() && remaining <= message.len() - msg_offset)] +pub fn pad_last_block( + message: &[u8], + msg_offset: usize, + remaining: usize, + rate: usize, + delim: u8, +) -> [u8; 200] { + let mut buffer = [0u8; 200]; + buffer[0..remaining].copy_from_slice(&message[msg_offset..msg_offset + remaining]); + buffer[remaining] = delim; + buffer[rate - 1] = buffer[rate - 1] | 0x80; + buffer +} + +/// Absorb the final (possibly partial) block: pad it, XOR into state, and +/// apply Keccak-f. +/// +/// Combines `pad_last_block` + `absorb_block`. +#[hax_lib::requires(rate > 0 && rate <= 200 && rate % 8 == 0 && remaining < rate + && msg_offset <= message.len() && remaining <= message.len() - msg_offset)] +pub fn absorb_final( + state: State, + message: &[u8], + msg_offset: usize, + remaining: usize, + rate: usize, + delim: u8, +) -> State { + let block = pad_last_block(message, msg_offset, remaining, rate, delim); + absorb_block(state, &block[0..rate], rate) +} + +/// Recursively absorb the remaining bytes of `message`: peel off one full +/// `rate`-byte block, XOR it into the state, apply Keccak-f, then recurse on +/// the tail slice. Once fewer than `rate` bytes remain, pad and absorb the +/// partial final block. 
+#[hax_lib::requires(rate > 0 && rate <= 200 && rate % 8 == 0)] +#[hax_lib::decreases(message.len().to_int())] +pub fn absorb_rec(state: State, rate: usize, delim: u8, message: &[u8]) -> State { + if message.len() < rate { + absorb_final(state, message, 0, message.len(), rate, delim) + } else { + let state = absorb_block(state, &message[0..rate], rate); + absorb_rec(state, rate, delim, &message[rate..]) + } +} + +/// Absorb phase of the Keccak sponge (FIPS 202, Algorithm 8, step 6 combined +/// with the pad10*1 padding of Algorithm 9). +/// +/// Splits `message` into `rate`-byte blocks, XORing each into the state and +/// applying Keccak-f. The final partial block is padded with the domain +/// separation byte `delim` and the pad10*1 terminator `0x80` before being +/// absorbed. +#[hax_lib::requires(rate > 0 && rate <= 200 && rate % 8 == 0)] +pub fn absorb(rate: usize, delim: u8, message: &[u8]) -> State { + absorb_rec([0u64; 25], rate, delim, message) +} + +/// Apply Keccak-f to `state` exactly `n` times. +#[hax_lib::decreases(n.to_int())] +pub fn iterate_keccak_f(n: usize, state: State) -> State { + if n == 0 { + state + } else { + keccak_f(iterate_keccak_f(n - 1, state)) + } +} + +/// Squeeze phase of the Keccak sponge (FIPS 202, Algorithm 8, steps 8–9). +/// +/// Extracts `OUTPUT_LEN` bytes from `state`, applying Keccak-f between each +/// `rate`-byte block of output. +/// +/// Byteform definition: byte at position `k` lives in block `b = k / rate` +/// (or the trailing partial block if `b == OUTPUT_LEN / rate`); within a +/// block the offset is `j = k - b * rate`; the value is the `(j mod 8)`-th +/// little-endian byte of `iterate_keccak_f(b, state)`'s lane `(j / 8)`. +/// +/// Equivalent to FIPS-202 Algorithm 8: for each full block apply keccak_f +/// and extract `rate` bytes; the trailing partial block uses one more +/// keccak_f before extracting `OUTPUT_LEN mod rate` bytes. 
+#[hax_lib::requires(rate > 0 && rate <= 200 && rate % 8 == 0 && OUTPUT_LEN < usize::MAX - 200)] +pub fn squeeze(state: State, rate: usize) -> [u8; OUTPUT_LEN] { + createi(|k| { + let b = k / rate; + let j = k - b * rate; + let state_b = iterate_keccak_f(b, state); + state_b[j / 8].to_le_bytes()[j % 8] + }) +} + +/// Keccak sponge — FIPS 202, Algorithm 8 combined with pad10*1 (Algorithm 9). +/// +/// 1. Absorb: split `message` into `rate`-byte blocks, XOR each into the +/// state, and apply Keccak-f. The final partial block is padded with +/// the domain separation byte `delim` and the pad10*1 terminator `0x80`. +/// 2. Squeeze: extract `OUTPUT_LEN` bytes from the state, applying +/// Keccak-f between each `rate`-byte block of output. +/// +/// The `OUTPUT_LEN < usize::MAX - 200` precondition is a Rust implementation +/// artifact to prevent arithmetic overflow; FIPS 202 places no upper bound +/// on the output length. +#[hax_lib::requires(rate > 0 && rate <= 200 && rate % 8 == 0 && OUTPUT_LEN < usize::MAX - 200)] +pub fn keccak(rate: usize, delim: u8, message: &[u8]) -> [u8; OUTPUT_LEN] { + squeeze(absorb(rate, delim, message), rate) +} diff --git a/specs/sha3/tests/cavp.rs b/specs/sha3/tests/cavp.rs new file mode 100644 index 0000000000..0e047b3811 --- /dev/null +++ b/specs/sha3/tests/cavp.rs 
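Review bot: In specs/sha3/src/sponge.rs, the bounds on `rate` for the public `keccak`, `absorb` and `squeeze` are stated only through `#[hax_lib::requires]`, which as far as I can tell is a proof obligation and not a runtime check. A plain-Rust caller passing `rate == 0` reaches `k / rate` in `squeeze`, and the else-branch of `absorb_rec` then recurses on `&message[rate..]` without shrinking the slice. A `rate` that is not a multiple of 8 is worse because it does not fail: `xor_block_into_state` only absorbs `rate / 8` lanes, so the trailing bytes of each block, including the `0x80` written at `buffer[rate - 1]`, are silently ignored. Since `pub mod sponge` exports these functions, their docs should say so, e.g. `/// Outside hax the precondition is not enforced: callers must pass a non-zero multiple of 8 that is at most 200.` The doc of `pad_last_block` also says it returns a `rate`-byte buffer while the return type is `[u8; 200]`; it should say that only the first `rate` bytes are meaningful.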
@@ -0,0 +1,281 @@ +/// CAVP (Cryptographic Algorithm Validation Program) tests. +/// Ported from ../../crates/algorithms/sha3/tests/cavp.rs +/// +/// Reads NIST .rsp test vector files and validates our SHA-3/SHAKE implementation +/// against each test case. +use hacspec_sha3::*; +use std::fs; +use std::path::Path; + +// --------------------------------------------------------------------------- +// Simple .rsp file parser (replaces the external `cavp` crate dependency) +// --------------------------------------------------------------------------- + +struct Sha3TestCase { + msg_length_bits: usize, + msg: Vec, + digest: Vec, +} + +fn parse_sha3_rsp(path: &Path) -> Vec { + let content = fs::read_to_string(path) + .unwrap_or_else(|e| panic!("failed to read {}: {e}", path.display())); + let mut tests = Vec::new(); + let mut len: usize = 0; + let mut msg: Vec = Vec::new(); + + for line in content.lines() { + let line = line.trim(); + if line.is_empty() || line.starts_with('#') || line.starts_with('[') { + continue; + } + if let Some(val) = line.strip_prefix("Len = ") { + len = val.trim().parse().unwrap(); + } else if let Some(val) = line.strip_prefix("Msg = ") { + msg = hex::decode(val.trim()).unwrap(); + } else if let Some(val) = line.strip_prefix("MD = ") { + let digest = hex::decode(val.trim()).unwrap(); + tests.push(Sha3TestCase { + msg_length_bits: len, + msg: msg.clone(), + digest, + }); + } + } + tests +} + +struct ShakeTestCase { + msg_length_bits: usize, + msg: Vec, + output: Vec, +} + +fn parse_shake_rsp(path: &Path) -> Vec { + let content = fs::read_to_string(path) + .unwrap_or_else(|e| panic!("failed to read {}: {e}", path.display())); + let mut tests = Vec::new(); + let mut len: usize = 0; + let mut msg: Vec = Vec::new(); + + for line in content.lines() { + let line = line.trim(); + if line.is_empty() || line.starts_with('#') || line.starts_with('[') { + continue; + } + if let Some(val) = line.strip_prefix("Len = ") { + len = val.trim().parse().unwrap(); + 
} else if let Some(val) = line.strip_prefix("Msg = ") { + msg = hex::decode(val.trim()).unwrap(); + } else if let Some(val) = line.strip_prefix("Output = ") { + let output = hex::decode(val.trim()).unwrap(); + tests.push(ShakeTestCase { + msg_length_bits: len, + msg: msg.clone(), + output, + }); + } + } + tests +} + +struct ShakeVariableOutTestCase { + msg: Vec, + output: Vec, +} + +fn parse_shake_variable_out_rsp(path: &Path) -> (usize, Vec) { + let content = fs::read_to_string(path) + .unwrap_or_else(|e| panic!("failed to read {}: {e}", path.display())); + let mut tests = Vec::new(); + let mut input_length_bits: usize = 0; + let mut msg: Vec = Vec::new(); + + for line in content.lines() { + let line = line.trim(); + if line.is_empty() || line.starts_with('#') { + continue; + } + // Parse header fields like [Input Length = 128] + if line.starts_with('[') && line.ends_with(']') { + let inner = &line[1..line.len() - 1]; + if let Some(val) = inner.strip_prefix("Input Length = ") { + input_length_bits = val.trim().parse().unwrap(); + } + continue; + } + if line.starts_with("COUNT") || line.starts_with("Outputlen") { + // We don't need these — output length is implicit in the expected output + continue; + } + if let Some(val) = line.strip_prefix("Msg = ") { + msg = hex::decode(val.trim()).unwrap(); + } else if let Some(val) = line.strip_prefix("Output = ") { + let output = hex::decode(val.trim()).unwrap(); + tests.push(ShakeVariableOutTestCase { + msg: msg.clone(), + output, + }); + } + } + (input_length_bits, tests) +} + +// --------------------------------------------------------------------------- +// Path to the test vector files (shared with reference implementation) +// --------------------------------------------------------------------------- + +fn tv_path(name: &str) -> std::path::PathBuf { + // From specs/sha3/ to crates/algorithms/sha3/tests/tv/ + Path::new(env!("CARGO_MANIFEST_DIR")) + .join("../../crates/algorithms/sha3/tests/tv") + .join(name) +} + +// 
--------------------------------------------------------------------------- +// SHA3 CAVP tests +// --------------------------------------------------------------------------- + +macro_rules! sha3_cavp_test { + ($name:ident, $file:expr, $hash_fn:ident, $digest_len:expr) => { + #[test] + fn $name() { + let tests = parse_sha3_rsp(&tv_path($file)); + assert!(!tests.is_empty(), "no test cases found"); + for (i, tc) in tests.iter().enumerate() { + let msg = &tc.msg[..tc.msg_length_bits / 8]; + let digest = $hash_fn(msg); + assert_eq!( + &digest[..], + &tc.digest[..], + "test case {i} failed (msg_len={} bits)", + tc.msg_length_bits + ); + } + } + }; +} + +sha3_cavp_test!(sha3_224_short_msg, "SHA3_224ShortMsg.rsp", sha3_224, 28); +sha3_cavp_test!(sha3_224_long_msg, "SHA3_224LongMsg.rsp", sha3_224, 28); +sha3_cavp_test!(sha3_256_short_msg, "SHA3_256ShortMsg.rsp", sha3_256, 32); +sha3_cavp_test!(sha3_256_long_msg, "SHA3_256LongMsg.rsp", sha3_256, 32); +sha3_cavp_test!(sha3_384_short_msg, "SHA3_384ShortMsg.rsp", sha3_384, 48); +sha3_cavp_test!(sha3_384_long_msg, "SHA3_384LongMsg.rsp", sha3_384, 48); +sha3_cavp_test!(sha3_512_short_msg, "SHA3_512ShortMsg.rsp", sha3_512, 64); +sha3_cavp_test!(sha3_512_long_msg, "SHA3_512LongMsg.rsp", sha3_512, 64); + +// --------------------------------------------------------------------------- +// SHAKE CAVP tests (short/long message, fixed output length) +// --------------------------------------------------------------------------- + +// SHAKE128 ShortMsg/LongMsg: [Outputlen = 128] → 16 bytes +#[test] +fn shake128_short_msg() { + let tests = parse_shake_rsp(&tv_path("SHAKE128ShortMsg.rsp")); + assert!(!tests.is_empty()); + for (i, tc) in tests.iter().enumerate() { + let msg = &tc.msg[..tc.msg_length_bits / 8]; + let digest = shake128::<16>(msg); + assert_eq!( + &digest[..], + &tc.output[..], + "test case {i} failed (msg_len={} bits)", + tc.msg_length_bits + ); + } +} + +#[test] +fn shake128_long_msg() { + let tests = 
parse_shake_rsp(&tv_path("SHAKE128LongMsg.rsp")); + assert!(!tests.is_empty()); + for (i, tc) in tests.iter().enumerate() { + let msg = &tc.msg[..tc.msg_length_bits / 8]; + let digest = shake128::<16>(msg); + assert_eq!( + &digest[..], + &tc.output[..], + "test case {i} failed (msg_len={} bits)", + tc.msg_length_bits + ); + } +} + +// SHAKE256 ShortMsg/LongMsg: [Outputlen = 256] → 32 bytes +#[test] +fn shake256_short_msg() { + let tests = parse_shake_rsp(&tv_path("SHAKE256ShortMsg.rsp")); + assert!(!tests.is_empty()); + for (i, tc) in tests.iter().enumerate() { + let msg = &tc.msg[..tc.msg_length_bits / 8]; + let digest = shake256::<32>(msg); + assert_eq!( + &digest[..], + &tc.output[..], + "test case {i} failed (msg_len={} bits)", + tc.msg_length_bits + ); + } +} + +#[test] +fn shake256_long_msg() { + let tests = parse_shake_rsp(&tv_path("SHAKE256LongMsg.rsp")); + assert!(!tests.is_empty()); + for (i, tc) in tests.iter().enumerate() { + let msg = &tc.msg[..tc.msg_length_bits / 8]; + let digest = shake256::<32>(msg); + assert_eq!( + &digest[..], + &tc.output[..], + "test case {i} failed (msg_len={} bits)", + tc.msg_length_bits + ); + } +} + +// --------------------------------------------------------------------------- +// SHAKE Variable Output Length CAVP tests +// +// These tests have variable output lengths per test case. Since our API uses +// const generics, we compute a max-size output and compare the prefix. +// SHAKE is an XOF so the first N bytes of shake(msg, K) match shake(msg, N) +// for any K >= N. 
+// --------------------------------------------------------------------------- + +// SHAKE128 VariableOut: max output = 1120 bits = 140 bytes +#[test] +fn shake128_variable_out() { + let (input_length_bits, tests) = + parse_shake_variable_out_rsp(&tv_path("SHAKE128VariableOut.rsp")); + assert!(!tests.is_empty()); + for (i, tc) in tests.iter().enumerate() { + let msg = &tc.msg[..input_length_bits / 8]; + let full_output = shake128::<140>(msg); + let expected_len = tc.output.len(); + assert_eq!( + &full_output[..expected_len], + &tc.output[..], + "test case {i} failed (output_len={expected_len} bytes)", + ); + } +} + +// SHAKE256 VariableOut: max output = 2000 bits = 250 bytes +#[test] +fn shake256_variable_out() { + let (input_length_bits, tests) = + parse_shake_variable_out_rsp(&tv_path("SHAKE256VariableOut.rsp")); + assert!(!tests.is_empty()); + for (i, tc) in tests.iter().enumerate() { + let msg = &tc.msg[..input_length_bits / 8]; + let full_output = shake256::<250>(msg); + let expected_len = tc.output.len(); + assert_eq!( + &full_output[..expected_len], + &tc.output[..], + "test case {i} failed (output_len={expected_len} bytes)", + ); + } +} diff --git a/specs/sha3/tests/compare_ref.rs b/specs/sha3/tests/compare_ref.rs new file mode 100644 index 0000000000..f187a12704 --- /dev/null +++ b/specs/sha3/tests/compare_ref.rs 
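Review bot: In specs/sha3/tests/cavp.rs, `sha3_cavp_test!` declares a `$digest_len:expr` parameter that the macro body never uses, so the 28/32/48/64 arguments at the eight call sites check nothing. Either drop the parameter or use it before the comparison, e.g. `assert_eq!(tc.digest.len(), $digest_len, "test case {i}: unexpected MD length");`. Separately, `tc.msg_length_bits / 8` truncates silently if a vector's `Len` is not a multiple of 8; an `assert_eq!(tc.msg_length_bits % 8, 0);` in each loop would make the byte-aligned assumption explicit.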
@@ -0,0 +1,29 @@
+/// Compare our SHA3 implementation against the reference libcrux-sha3 crate.
+
+#[test]
+fn sha3_256_vs_reference() {
+ let mut ref_digest = [0u8; 32];
+ libcrux_sha3::portable::sha256(&mut ref_digest, b"");
+ let our_digest = hacspec_sha3::sha3_256(b"");
+ assert_eq!(ref_digest, our_digest);
+}
+
+#[test]
+fn shake128_abc_vs_reference() {
+ let mut ref_out = [0u8; 32];
+ libcrux_sha3::portable::shake128(&mut ref_out, b"abc");
+ let our_out = hacspec_sha3::shake128::<32>(b"abc");
+ eprintln!("SHAKE128 ref: {:02x?}", ref_out.to_vec());
+ eprintln!("SHAKE128 our: {:02x?}", our_out.to_vec());
+ assert_eq!(ref_out, our_out);
+}
+
+#[test]
+fn shake256_abc_vs_reference() {
+ let mut ref_out = [0u8; 32];
+ libcrux_sha3::portable::shake256(&mut ref_out, b"abc");
+ let our_out = hacspec_sha3::shake256::<32>(b"abc");
+ eprintln!("SHAKE256 ref: {:02x?}", ref_out.to_vec());
+ eprintln!("SHAKE256 our: {:02x?}", our_out.to_vec());
+ assert_eq!(ref_out, our_out);
+}
diff --git a/specs/sha3/tests/nist_vectors.rs b/specs/sha3/tests/nist_vectors.rs
new file mode 100644
index 0000000000..67d6c5a1f8
--- /dev/null
+++ b/specs/sha3/tests/nist_vectors.rs
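Review bot: In specs/sha3/tests/compare_ref.rs, the spec is compared with `libcrux_sha3::portable` on `b""` and `b"abc"` only, so no comparison crosses a rate boundary or squeezes more than one block, and SHA3-224/384/512 are not compared at all. A fourth test over a message longer than the rate (for instance the 137-byte input used by `sha3_256_rate_plus_1` in nist_vectors.rs) would make this file cover the absorb loop. The `eprintln!` pairs in the two SHAKE tests repeat what `assert_eq!` already prints on failure and can be dropped.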
@@ -0,0 +1,206 @@ +use hacspec_sha3::*; + +/// Helper to decode a hex string to a byte vector. +fn hex_to_bytes(s: &str) -> Vec { + hex::decode(s).expect("valid hex") +} + +// ============================================================ +// SHA3-224 NIST vectors +// ============================================================ + +#[test] +fn sha3_224_empty() { + let expected = hex_to_bytes("6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7"); + assert_eq!(sha3_224(b"").to_vec(), expected); +} + +#[test] +fn sha3_224_abc() { + let expected = hex_to_bytes("e642824c3f8cf24ad09234ee7d3c766fc9a3a5168d0c94ad73b46fdf"); + assert_eq!(sha3_224(b"abc").to_vec(), expected); +} + +#[test] +fn sha3_224_448bit() { + // "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" + let msg = b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; + let expected = hex_to_bytes("8a24108b154ada21c9fd5574494479ba5c7e7ab76ef264ead0fcce33"); + assert_eq!(sha3_224(msg).to_vec(), expected); +} + +// ============================================================ +// SHA3-256 NIST vectors +// ============================================================ + +#[test] +fn sha3_256_empty() { + let expected = hex_to_bytes("a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a"); + assert_eq!(sha3_256(b"").to_vec(), expected); +} + +#[test] +fn sha3_256_abc() { + let expected = hex_to_bytes("3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532"); + assert_eq!(sha3_256(b"abc").to_vec(), expected); +} + +#[test] +fn sha3_256_448bit() { + let msg = b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; + let expected = hex_to_bytes("41c0dba2a9d6240849100376a8235e2c82e1b9998a999e21db32dd97496d3376"); + assert_eq!(sha3_256(msg).to_vec(), expected); +} + +#[test] +fn sha3_256_896bit() { + // "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" + let msg = 
b"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"; + let expected = hex_to_bytes("916f6061fe879741ca6469b43971dfdb28b1a32dc36cb3254e812be27aad1d18"); + assert_eq!(sha3_256(msg).to_vec(), expected); +} + +// ============================================================ +// SHA3-384 NIST vectors +// ============================================================ + +#[test] +fn sha3_384_empty() { + let expected = hex_to_bytes( + "0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004", + ); + assert_eq!(sha3_384(b"").to_vec(), expected); +} + +#[test] +fn sha3_384_abc() { + let expected = hex_to_bytes( + "ec01498288516fc926459f58e2c6ad8df9b473cb0fc08c2596da7cf0e49be4b298d88cea927ac7f539f1edf228376d25", + ); + assert_eq!(sha3_384(b"abc").to_vec(), expected); +} + +// ============================================================ +// SHA3-512 NIST vectors +// ============================================================ + +#[test] +fn sha3_512_empty() { + let expected = hex_to_bytes( + "a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26", + ); + assert_eq!(sha3_512(b"").to_vec(), expected); +} + +#[test] +fn sha3_512_abc() { + let expected = hex_to_bytes( + "b751850b1a57168a5693cd924b6b096e08f621827444f70d884f5d0240d2712e10e116e9192af3c91a7ec57647e3934057340b4cf408d5a56592f8274eec53f0", + ); + assert_eq!(sha3_512(b"abc").to_vec(), expected); +} + +// ============================================================ +// SHAKE128 NIST vectors +// ============================================================ + +#[test] +fn shake128_empty_32() { + let expected = hex_to_bytes("7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef26"); + assert_eq!(shake128::<32>(b"").to_vec(), expected); +} + +#[test] +fn shake128_abc_32() { + let expected = 
hex_to_bytes("5881092dd818bf5cf8a3ddb793fbcba74097d5c526a6d35f97b83351940f2cc8"); + assert_eq!(shake128::<32>(b"abc").to_vec(), expected); +} + +// ============================================================ +// SHAKE256 NIST vectors +// ============================================================ + +#[test] +fn shake256_empty_32() { + let expected = hex_to_bytes("46b9dd2b0ba88d13233b3feb743eeb243fcd52ea62b81b82b50c27646ed5762f"); + assert_eq!(shake256::<32>(b"").to_vec(), expected); +} + +#[test] +fn shake256_abc_32() { + let expected = hex_to_bytes("483366601360a8771c6863080cc4114d8db44530f8f1e1ee4f94ea37e78b5739"); + assert_eq!(shake256::<32>(b"abc").to_vec(), expected); +} + +// ============================================================ +// SHAKE with longer output (squeeze multiple blocks) +// ============================================================ + +#[test] +fn shake256_empty_64() { + let expected = hex_to_bytes( + "46b9dd2b0ba88d13233b3feb743eeb243fcd52ea62b81b82b50c27646ed5762fd75dc4ddd8c0f200cb05019d67b592f6fc821c49479ab48640292eacb3b7c4be", + ); + assert_eq!(shake256::<64>(b"").to_vec(), expected); +} + +// ============================================================ +// Padding boundary tests +// ============================================================ + +#[test] +fn sha3_256_rate_minus_1() { + // Message of length rate-1 = 135 bytes: padding fits in the last byte + let msg = vec![0xABu8; 135]; + let result = sha3_256(&msg); + assert_eq!(result.len(), 32); +} + +#[test] +fn sha3_256_exact_rate() { + // Message of length rate = 136 bytes: forces an extra block for padding + let msg = vec![0xABu8; 136]; + let result = sha3_256(&msg); + assert_eq!(result.len(), 32); +} + +#[test] +fn sha3_256_rate_plus_1() { + // Message of length rate+1 = 137 bytes + let msg = vec![0xABu8; 137]; + let result = sha3_256(&msg); + assert_eq!(result.len(), 32); +} + +// ============================================================ +// Proptest: determinism and 
output length +// ============================================================ + +use proptest::prelude::*; + +proptest! { + #[test] + fn sha3_256_deterministic(msg in proptest::collection::vec(any::(), 0..512)) { + let h1 = sha3_256(&msg); + let h2 = sha3_256(&msg); + prop_assert_eq!(h1, h2); + } + + #[test] + fn sha3_512_output_length(msg in proptest::collection::vec(any::(), 0..512)) { + let h = sha3_512(&msg); + prop_assert_eq!(h.len(), 64); + } + + #[test] + fn shake128_output_length(msg in proptest::collection::vec(any::(), 0..256)) { + let h = shake128::<16>(&msg); + prop_assert_eq!(h.len(), 16); + } + + #[test] + fn shake256_output_length(msg in proptest::collection::vec(any::(), 0..256)) { + let h = shake256::<48>(&msg); + prop_assert_eq!(h.len(), 48); + } +} diff --git a/specs/sha3/tests/portable.rs b/specs/sha3/tests/portable.rs new file mode 100644 index 0000000000..5a18c96b79 --- /dev/null +++ b/specs/sha3/tests/portable.rs 
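Review bot: In specs/sha3/tests/nist_vectors.rs, the three padding-boundary tests (`sha3_256_rate_minus_1`, `sha3_256_exact_rate`, `sha3_256_rate_plus_1`) assert only `result.len() == 32`, which holds by type for a `[u8; 32]`, so they can fail only by panicking and would still pass with a misplaced pad10*1 bit. The `*_output_length` proptests have the same shape. These are the inputs where a padding error would show, so each should compare against an expected digest, for instance one computed by the reference crate already used in compare_ref.rs: `let mut expected = [0u8; 32]; libcrux_sha3::portable::sha256(&mut expected, &msg); assert_eq!(result, expected);`.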
@@ -0,0 +1,176 @@ +/// Tests ported from ../../crates/algorithms/sha3/tests/portable.rs +/// Tests the spec against the same hardcoded test vectors used by the reference implementation. +mod test_vectors; + +use hacspec_sha3::*; + +const DIGEST_LEN: usize = 42; +const STRING_LEN: usize = DIGEST_LEN * 2; + +#[test] +fn test_sha3_224() { + assert_eq!( + hex::encode(sha3_224(test_vectors::EMPTY)), + test_vectors::sha3_224::EMPTY + ); + assert_eq!( + hex::encode(sha3_224(test_vectors::HELLO)), + test_vectors::sha3_224::HELLO + ); + assert_eq!( + hex::encode(sha3_224(test_vectors::STAR0)), + test_vectors::sha3_224::STAR0 + ); +} + +#[test] +fn test_sha3_256() { + assert_eq!( + hex::encode(sha3_256(test_vectors::EMPTY)), + test_vectors::sha3_256::EMPTY + ); + assert_eq!( + hex::encode(sha3_256(test_vectors::HELLO)), + test_vectors::sha3_256::HELLO + ); + assert_eq!( + hex::encode(sha3_256(test_vectors::STAR0)), + test_vectors::sha3_256::STAR0 + ); +} + +#[test] +fn test_sha3_384() { + assert_eq!( + hex::encode(sha3_384(test_vectors::EMPTY)), + test_vectors::sha3_384::EMPTY + ); + assert_eq!( + hex::encode(sha3_384(test_vectors::HELLO)), + test_vectors::sha3_384::HELLO + ); + assert_eq!( + hex::encode(sha3_384(test_vectors::STAR0)), + test_vectors::sha3_384::STAR0 + ); +} + +#[test] +fn test_sha3_512() { + assert_eq!( + hex::encode(sha3_512(test_vectors::EMPTY)), + test_vectors::sha3_512::EMPTY + ); + assert_eq!( + hex::encode(sha3_512(test_vectors::HELLO)), + test_vectors::sha3_512::HELLO + ); + assert_eq!( + hex::encode(sha3_512(test_vectors::STAR0)), + test_vectors::sha3_512::STAR0 + ); +} + +#[test] +fn test_shake128() { + // Test with 42-byte output (DIGEST_LEN) + let digest = shake128::(test_vectors::EMPTY); + assert_eq!( + hex::encode(digest), + &test_vectors::shake128::EMPTY_FIVE_BLOCKS[..STRING_LEN] + ); + + let digest = shake128::(test_vectors::HELLO); + assert_eq!( + hex::encode(digest), + &test_vectors::shake128::HELLO_FIVE_BLOCKS[..STRING_LEN] + ); + + // 
Test with 53-byte output + let digest = shake128::<53>(test_vectors::STAR0); + assert_eq!( + hex::encode(digest), + test_vectors::shake128::STAR0_FIVE_BLOCKS[..53 * 2] + ); +} + +#[test] +fn test_shake256() { + // Test with 42-byte output (DIGEST_LEN) + let digest = shake256::(test_vectors::EMPTY); + assert_eq!( + hex::encode(digest), + &test_vectors::shake256::EMPTY_FIVE_BLOCKS[..STRING_LEN] + ); + + let digest = shake256::(test_vectors::HELLO); + assert_eq!( + hex::encode(digest), + &test_vectors::shake256::HELLO_FIVE_BLOCKS[..STRING_LEN] + ); + + // Test with 71-byte output + let digest = shake256::<71>(test_vectors::STAR0); + assert_eq!( + hex::encode(digest), + test_vectors::shake256::STAR0_FIVE_BLOCKS[..71 * 2] + ); +} + +// Multi-block squeeze tests: verify we produce the full 5-block outputs correctly. + +#[test] +fn shake128_five_blocks_empty() { + // 5 blocks of SHAKE128 = 5 * 168 = 840 bytes + let digest = shake128::<840>(test_vectors::EMPTY); + assert_eq!( + hex::encode(digest), + test_vectors::shake128::EMPTY_FIVE_BLOCKS + ); +} + +#[test] +fn shake128_five_blocks_hello() { + let digest = shake128::<840>(test_vectors::HELLO); + assert_eq!( + hex::encode(digest), + test_vectors::shake128::HELLO_FIVE_BLOCKS + ); +} + +#[test] +fn shake128_five_blocks_star0() { + let digest = shake128::<840>(test_vectors::STAR0); + assert_eq!( + hex::encode(digest), + test_vectors::shake128::STAR0_FIVE_BLOCKS + ); +} + +#[test] +fn shake256_five_blocks_empty() { + // 5 blocks of SHAKE256 = 5 * 136 = 680 bytes + let digest = shake256::<680>(test_vectors::EMPTY); + assert_eq!( + hex::encode(digest), + test_vectors::shake256::EMPTY_FIVE_BLOCKS + ); +} + +#[test] +fn shake256_five_blocks_hello() { + let digest = shake256::<680>(test_vectors::HELLO); + assert_eq!( + hex::encode(digest), + test_vectors::shake256::HELLO_FIVE_BLOCKS + ); +} + +#[test] +fn shake256_five_blocks_star0() { + let digest = shake256::<680>(test_vectors::STAR0); + assert_eq!( + hex::encode(digest), + 
test_vectors::shake256::STAR0_FIVE_BLOCKS + ); +} diff --git a/specs/sha3/tests/sponge_decomposition.rs b/specs/sha3/tests/sponge_decomposition.rs new file mode 100644 index 0000000000..e5cdd46493 --- /dev/null +++ b/specs/sha3/tests/sponge_decomposition.rs @@ -0,0 +1,41 @@ +//! Pins down `keccak == squeeze ∘ absorb`, exercised across the +//! SHA-3 / SHAKE rates and delimiters. + +use hacspec_sha3::sponge::{absorb, keccak, squeeze}; + +fn check(rate: usize, delim: u8, msg: &[u8]) { + let via_keccak = keccak::(rate, delim, msg); + let via_split = squeeze::(absorb(rate, delim, msg), rate); + assert_eq!( + via_keccak, + via_split, + "keccak != squeeze(absorb) for rate={rate}, delim={delim:#x}, msg.len()={}", + msg.len() + ); +} + +#[test] +fn keccak_equals_squeeze_of_absorb() { + let empty: [u8; 0] = []; + let short = b"hello world"; + let long: Vec = (0u8..200).collect(); + + // SHA3-224: rate=144, delim=0x06, out=28 + check::<28>(144, 0x06, &empty); + check::<28>(144, 0x06, short); + check::<28>(144, 0x06, &long); + // SHA3-256: rate=136, delim=0x06, out=32 + check::<32>(136, 0x06, &empty); + check::<32>(136, 0x06, short); + check::<32>(136, 0x06, &long); + // SHA3-384: rate=104, delim=0x06, out=48 + check::<48>(104, 0x06, short); + // SHA3-512: rate=72, delim=0x06, out=64 + check::<64>(72, 0x06, short); + // SHAKE128: rate=168, delim=0x1f — short and long output exercise the squeeze loop. + check::<16>(168, 0x1f, short); + check::<200>(168, 0x1f, short); + // SHAKE256: rate=136, delim=0x1f. + check::<64>(136, 0x1f, short); + check::<300>(136, 0x1f, short); +} diff --git a/specs/sha3/tests/test_vectors.rs b/specs/sha3/tests/test_vectors.rs new file mode 100644 index 0000000000..b061375150 --- /dev/null +++ b/specs/sha3/tests/test_vectors.rs 
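Review bot: In specs/sha3/tests/sponge_decomposition.rs, `check` compares `keccak` with `squeeze(absorb(..), rate)`, but `keccak` in specs/sha3/src/sponge.rs is defined as exactly that expression, so the assertion cannot fail against the code in this commit. If the intent is a guard for a later refactor of `keccak`, the module doc should say so, e.g. `//! Regression guard: holds by definition today; fails if keccak stops being squeeze(absorb(..)).` Only the SHA3-224 and SHA3-256 rows use the 200-byte `long` input, so the multi-block absorb path is not exercised for the SHA3-384, SHA3-512 and SHAKE rows.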
@@ -0,0 +1,202 @@
+#![allow(dead_code)]
+
+/// Hardcoded test vectors from ../../crates/algorithms/sha3/tests/test_vectors.rs
+
+pub const EMPTY: &[u8] = b"";
+pub const HELLO: &[u8] = b"Hello, World!";
+pub const STAR0: &[u8] = b"These are not the droids you are looking for.";
+
+pub mod sha3_224 {
+ pub const HELLO: &str = "853048fb8b11462b6100385633c0cc8dcdc6e2b8e376c28102bc84f2";
+ pub const EMPTY: &str = "6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7";
+ pub const STAR0: &str = "4d2185f4c559133687b9248f141f0a2b14189dd3e10f63146520bc17";
+}
+
+pub mod sha3_256 {
+ pub const HELLO: &str = "1af17a664e3fa8e419b8ba05c2a173169df76162a5a286e0c405b460d478f7ef";
+ pub const EMPTY: &str = "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a";
+ pub const STAR0: &str = "f4c623a5f35162ff830afdfea24dfb35ef03a7ef67ff3e35736b9b08ee60401f";
+}
+
+pub mod sha3_384 {
+ pub const HELLO: &str = "aa9ad8a49f31d2ddcabbb7010a1566417cff803fef50eba239558826f872e468c5\
+ 743e7f026b0a8e5b2d7a1cc465cdbe";
+ pub const EMPTY: &str = "0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3\
+ 713831264adb47fb6bd1e058d5f004";
+ pub const STAR0: &str = "b26e8b9b49ed07dcece0359ff5a59c801da66fef6e5bfb\
+ bd9b2a1c9a425fb599778b2cc278d09e2c3d800727f99ed3c5";
+}
+
+pub mod sha3_512 {
+ pub const HELLO: &str = "38e05c33d7b067127f217d8c856e554fcff09c9320b8a5979ce2ff5d95dd27ba35\
+ d1fba50c562dfd1d6cc48bc9c5baa4390894418cc942d968f97bcb659419ed";
+ pub const EMPTY: &str = "a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615\
+ b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26";
+ pub const STAR0: &str = "02c3dbe6d722fe92cb8d50be2afbc67c3fda1c34ef69605829ce61398a67a39c92\
+ f5c8f8f2abc026efc977de11418d87e25a7fefff54117d8350701642a9d983";
+}
+
+pub mod shake128 {
+ pub const EMPTY_FIVE_BLOCKS: &str =
+ "7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef263\
+ cb1eea988004b93103cfb0aeefd2a686e01fa4a58e8a3639ca8a1e3f9ae5\
+ 7e235b8cc873c23dc62b8d260169afa2f75ab916a58d974918835d25e6a4\
+ 35085b2badfd6dfaac359a5efbb7bcc4b59d538df9a04302e10c8bc1cbf1\
+ a0b3a5120ea17cda7cfad765f5623474d368ccca8af0007cd9f5e4c849f1\
+ 67a580b14aabdefaee7eef47cb0fca9767be1fda69419dfb927e9df07348\
+ b196691abaeb580b32def58538b8d23f87732ea63b02b4fa0f4873360e28\
+ 41928cd60dd4cee8cc0d4c922a96188d032675c8ac850933c7aff1533b94\
+ c834adbb69c6115bad4692d8619f90b0cdf8a7b9c264029ac185b70b83f2\
+ 801f2f4b3f70c593ea3aeeb613a7f1b1de33fd75081f592305f2e4526edc\
+ 09631b10958f464d889f31ba010250fda7f1368ec2967fc84ef2ae9aff26\
+ 8e0b1700affc6820b523a3d917135f2dff2ee06bfe72b3124721d4a26c04\
+ e53a75e30e73a7a9c4a95d91c55d495e9f51dd0b5e9d83c6d5e8ce803aa6\
+ 2b8d654db53d09b8dcff273cdfeb573fad8bcd45578bec2e770d01efde86\
+ e721a3f7c6cce275dabe6e2143f1af18da7efddc4c7b70b5e345db93cc93\
+ 6bea323491ccb38a388f546a9ff00dd4e1300b9b2153d2041d205b443e41\
+ b45a653f2a5c4492c1add544512dda2529833462b71a41a45be97290b6f4\
+ cffda2cf990051634a4b1edf6114fb49083c1fa3b302ee097f051266be69\
+ dc716fdeef91b0d4ab2de525550bf80dc8a684bc3b5a4d46b7efae7afdc6\
+ 292988dc9acae03f8634486c1abe2781aae4c02f3460d2cd4e6a463a2ba9\
+ 562ee623cf0e9f82ab4d0b5c9d040a269366479dff0038abfaf2e0ff21f3\
+ 6968972e3f104ddcbe1eb831a87c213162e29b34adfa564d121e9f6e7729\
+ f4203fc5c6c22fa7a7350afddb620923a4a129b8acb19ea10f818c30e3b5\
+ b1c571fa79e57ee304388316a02fcd93a0d8ee02bb85701ee4ff097534b5\
+ 02c1b12fbb95c8ccb2f548921d99cc7c9fe17ac991b675e631144423eef7\
+ a5869168da63d1f4c21f650c02923bfd396ca6a5db541068624cbc5ffe20\
+ 8c0d1a74e1a29618d0bb60036f5249abfa88898e393718d6efab05bb4127\
+ 9efcd4c5a0cc837ccfc22be4f725c081f6aa090749dba7077bae8d4";
+ pub const HELLO_FIVE_BLOCKS: &str =
+ "2bf5e6dee6079fad604f573194ba8426bd4d30eb13e8ba2edae70e529b570cbdd\
+ 588f2c5dd4e465dfbafaa7c5634249c8929dc04165a9edb26be19ce03619\
+ 6d178454d03b738b0d6b40013954208e40214908a8d388f9a9d997e2e381\
+ f571dec1dfa816df96e3cb635e99a8d7d072fac7b7664d45a7a43b258cbe\
+ 290a4c735977a9a8e9c363564f2e13c80f1e3611907a09756a7ba87e07f5\
+ 4856489d2edae1634afed8503ab6561d79b0fbb64f75a9822335c2fc7017\
+ 8114b4460c979a22c78c4890c611b0cf5091f2ac4aff35d190832a36bc61\
+ 9f0e66fcb7c32044293207c15a686bd1f5f2a314147a583454826fd43874\
+ 7784cf715e13008adf597dcd3cd87f633dc8a80bbd6a18bdd02551697d8c\
+ 66009961645875c8ad37c2fbc81c7727cbb99dcd8fba52e91a6a8580c284\
+ 6430a629a150492a3a2d93bf93c8b704e0a05fa891bdf8aee78f646cd06e\
+ 357acf909982e864375059076fe2079ddcc4227a479ff6cb72eec7a4fca4\
+ edf94c014c9f725d9704afbb265e611f705c696e6e02cf166007c0cd7d93\
+ 50901033d4f26fa74b13f9a40515756753c56412c1662c3e1d118df42f41\
+ 780ba028b6a650a3cef7a7fe07f0f2f18f33a08fe21b55d0a6effc6dd3dc\
+ 753e1c2686ca428863731ce17cfd06ae7396cfbc5cbe05745fd89e822469\
+ b459e1266d7c0b96ac63d61de57710afef99ab06329c5809a9f47f914e1a\
+ ff52f0883a6be14ed361af6cdb6e5146eac04fb704ade9154f94d88807c9\
+ 8d4aea95f6f25e6e71cded62cfcc7cd2fd0c7a29b3e9c284282fa4744004\
+ b98902ce6ae90e2d310a1c71227ca7602a4a8f7d44eda895ef2c85280e4c\
+ 1d35f351761ca598ec19fdee75feb5a44368600f735e6b17d8d6000570b4\
+ b35940b18334835d06d2537f398c0d04fd354fa100840f865ba2b30818c5\
+ f56ed7af478cd0be37b3e3486257bf2c092f9477c16b1918d15c33c7bce0\
+ 63440699b0a3407570f9076abf19f33aaee83d5fa2abdc81e9380df2b2d6\
+ 5511dfce21bd969dc69a99aa5bdc1cbf0c7410f9f5da0f6403243562accb\
+ c99fc734804563770d518c27aa3f9e2714d8e945b4df71d5c4d6b6d91e2f\
+ 981ff84e260e2011618bbd3d59ec07948eee3de448b8916d19fda8152f55\
+ 78108506cdb5b8103956dc80c789085c0af06483a9892e4b1ff0d97";
+ pub const STAR0_FIVE_BLOCKS: &str =
+ "19a693b556a7aa5b5a239997e20d1c0dae5233837d52030e619d3802af2b7b55d\
+ e2bc9db3830c62ca978ac113a6f7314af6273228a0d4548fa05f3b7c72bd\
+ 49aefabdd3589a85d6aebbf4005cfe8deecb80bf339264717a01368ad080\
+ 50283faf1e6812ef68568da0881abf55762779b690688b6e80d7e7b023eb\
+ 743f7a3ee7fa2ac0a243d379f4f27aacce86527355293d951c60ffbe2931\
+ 75ceb60c61dfbbd92d9fb4870b5c3b4abb757de17a4bd004aa36b264e0ef\
+ 38f8bd28edb53466276e5c13eec85ad8fc936dc99531fe622d7a4d517e56\
+ 7d167cbf2ba78e12a00d7487b81cffa2a4553f93fbf3cbde8a33f357b95b\
+ 96a0ff98f303de8aba84afa9bd67f578a4f713e22f226d5d7bb549066b9c\
+ 6cf8130c7928e5da1ef2e1713677995a81a9f3daae3dbe5394a4ada0c777\
+ 80dd227ba0ad6ee62f23f50e176c594a277c542fcd5a554ad51668d5101c\
+ f9842ce3e8787ac31eeceecb6d6bb9c8abbfe7f670595ffacaeb42650aa3\
+ 37a5629aad894ac27b2799c1d591f2270650e42875a177a360cbb70e692e\
+ f35f692abb85e8a637a05ceced3420049e555b42cae2a54dcde2edd84d5e\
+ b38eb2c4fe75b1e70b5a4c7771806f85f8dcdad3a409e9efb6e3eb3cfe11\
+ 869ebd9b028c91aeb08a54dad85b155435f85405dbb8b4888469263d4e42\
+ bcf58bf5e3e430dfe26e2873da14a00e8e805aea5f0ecbd5457147c4dae1\
+ a80bc29b0ea326d735176f289419710fe3adfb1b8eb3fa40cc658577a99f\
+ 4382bd6b2a5527991ad66d578f596cc559a12f43b928b1006db5fa651ad4\
+ e7c035454238065b95fd5cf24326a78a103075bbffb8ea12c131143c147c\
+ 4807160a007aa328936735fa0ef7a6456b92ec6a3ceb2be23904ac8a53c4\
+ bc3064d6724a921d3270dbdb81542ee2d4b005ea0e90a001c929a418976a\
+ 4d2285b6f1e2ca8c61e75c55c6801b3ea0a6dee6b91182d98c3068b507cf\
+ 1929197a51949234796aefb0d8a19571dc7121275103f390183a3bbf5086\
+ 1da01df2b5ba459918580a67653557deae86122e0c88fe0ac68a7d96614e\
+ 2f7b6c644cffe83c17ccddcdc3e420cd695d8266eeb3f62e674d3697eefe\
+ 1e0c3a380e02a0afb8321280cbf2b9e699ae7c24aa69bd311dbba554e0d3\
+ 02e7b0ba906e326c3190d6f48827a1e6970cc74c3b50d6816bd57c3";
+}
+
+pub mod shake256 {
+ pub const EMPTY_FIVE_BLOCKS: &str =
+ "46b9dd2b0ba88d13233b3feb743eeb243fcd52ea62b81b82b50c27646ed5762fd\
+ 75dc4ddd8c0f200cb05019d67b592f6fc821c49479ab48640292eacb3b7c\
+ 4be141e96616fb13957692cc7edd0b45ae3dc07223c8e92937bef84bc0ea\
+ b862853349ec75546f58fb7c2775c38462c5010d846c185c15111e595522\
+ a6bcd16cf86f3d122109e3b1fdd943b6aec468a2d621a7c06c6a957c62b5\
+ 4dafc3be87567d677231395f6147293b68ceab7a9e0c58d864e8efde4e1b\
+ 9a46cbe854713672f5caaae314ed9083dab4b099f8e300f01b8650f1f4b1\
+ d8fcf3f3cb53fb8e9eb2ea203bdc970f50ae55428a91f7f53ac266b28419\
+ c3778a15fd248d339ede785fb7f5a1aaa96d313eacc890936c173cdcd0fa\
+ b882c45755feb3aed96d477ff96390bf9a66d1368b208e21f7c10d04a3db\
+ d4e360633e5db4b602601c14cea737db3dcf722632cc77851cbdde2aaf0a\
+ 33a07b373445df490cc8fc1e4160ff118378f11f0477de055a81a9eda57a\
+ 4a2cfb0c83929d310912f729ec6cfa36c6ac6a75837143045d791cc85eff\
+ 5b21932f23861bcf23a52b5da67eaf7baae0f5fb1369db78f3ac45f8c4ac\
+ 5671d85735cdddb09d2b1e34a1fc066ff4a162cb263d6541274ae2fcc865\
+ f618abe27c124cd8b074ccd516301b91875824d09958f341ef274bdab0ba\
+ e316339894304e35877b0c28a9b1fd166c796b9cc258a064a8f57e27f2a5\
+ b8d548a728c9444ecb879adc19de0c1b8587de3e73e15d3ce2db7c9fa7b5\
+ 8ffc0e87251773faf3e8f3e3cf1d4dfa723afd4da9097cb3c866acbefab2\
+ c4e85e1918990ff93e0656b5f75b08729c60e6a9d7352b9efd2e33e3d1ba\
+ 6e6d89edfa671266ece6be7bb5ac948b737e41590abe138ce1869c086801\
+ 62f08863d174e77e07a9ddb33b57de04c443a5bd77c42036871aae789336\
+ 2b27015b84b4139f0e313579b4ef5f6b642";
+ pub const HELLO_FIVE_BLOCKS: &str =
+ "b3be97bfd978833a65588ceae8a34cf59e95585af62063e6b89d0789f372424e8\
+ b0d1be4f21b40ce5a83a438473271e0661854f02d431db74e6904d6c347d\
+ 757a33b44f18e740bd119782f48b0ac4ee1fa2dee4c5018ee2f186d0ff94\
+ d1cece111e29a6bbd0972cb8574b5afddd55f00e50bd402c998043ba3f45\
+ 53558391be010abb209af935224b8c331d0d29c008185f2c900abad89885\
+ 1c4f3d941a13f03e3c315c4fb058fca2bb4e2bc53fec7866eb7e7636f276\
+ dc5a167cad77b286c9a94946fe054927c48db7f30424787f56153cc67ca4\
+ 9609928d24c16563d3a0aaad1ca1495003374868ec422a72bedd2f387abc\
+ 350b46a9a6580a3ceb56b602b7edab836d58d8bb6b1a6975aaad42554132\
+ 71ec544ddea12dbb65003da4273650d6e3b51373e4e86fced975dad607ad\
+ d1184702952d4bf8459d05197293d35b59688a9f13806887f9845211eb2d\
+ 0b9cc1e089eba8c16f9967d80ec181a754ea6511a897c736ba4c09871d99\
+ 3a41cf7efb08f0479935eaa811865002353f39594d432417d0e70d371509\
+ bb0b76003e9712354427ab1e4f69ebd5e32b585166b3e843b062efa32bc7\
+ 1bbdc0989b87137752452a8a908ccea6ee1980e9213c6a380cdb947be228\
+ 5416b088ee4646793286d44b25df89575df2ef08a4c78237e7e25ec8b3a3\
+ af7a63c0aa0fd46582874ab9417fb4e720298a4d6de8faa6f71a4ef4e6a1\
+ 4a5dcce0f002465987e661e9ed0d39fa79d018572ac40613630bf68868de\
+ 5cbe1e33eb014cdeeb125f8842fd1b0bd3c4970f2ddb9a3db5cdd0ca7e37\
+ 785d2029bbe2e6a8a225265fbbdd12e9712a538f5a346eeab6f9cc296580\
+ e6d7c274d07084e758d01006b22bd45778ecb86bb495d413aef4dc28aa84\
+ 8f46cbe4e189fb0d3de54bf2c146d280b163e9358200547ee71207f11a4e\
+ 25e643a4552d6971cf4efb277a7d1d10095";
+ pub const STAR0_FIVE_BLOCKS: &str =
+ "318b90eacc9b56ffc4d3d6c4fe4983ff1e42c294c7b7df777b631956cfb5f2dce\
+ b839182800ff60b0cc2df9e282860abdae32c9e1c71cd1cf6b753b1e3edb\
+ f181a9e7503bb92de170a9656c164801e985099c69bf70dc24d1aa405719\
+ f9389584759754297877c18254c431db55de8310adb892cf3ca1f08eaf1d\
+ eeb3cc97c1e25841e03e83a0b71686cc4fc828f14cea4b80906aa0138aaf\
+ febb5c179fa68b96ea4249f442b6689a7736d1e888602aced180b23405f0\
+ d5c5a859485769f5e22d00496672f5dedd6f8a5d68d209020c127021e8a1\
+ b8b98dfe88e8407724702dd42576fc57404d54fc3ef3149225a9487ec1c6\
+ d0e73dc15787a0fef9fde69f3f7416aec6942cc3a78ad17967d3eb607fb0\
+ c55579cb3f88f8cefdeb45ba2d0b31f5986a89f5ac1eaf762e7092625251\
+ 28f5b6cc29e382a8e22afad105fd6d7cc407868d5aeb71eae736fb2a1974\
+ a1d185e9faf57c237bd8cf76ad86ceb36626fdef09ab79c700aa5bf0bbaf\
+ b715903ee99b37e8c82061c6c40a4817208c1eb457b2d9972240b7e70853\
+ cfab815594ab5118cb31edc61d1d632a9524f6a43fc2fc72a8c0402ce51c\
+ 9acbcba25acae9f66eff30d865c493c6be716fbe130e17b774ae9d8bc67d\
+ 2eb9fd2f71c9f896b68a25fd09bcd8074353286b7878418c8a7d2a0a9a2b\
+ bb219120cf35ab38059670b300a0a4b79be03b37974641b22e51198657d2\
+ 7641b685952064d16efc2e70752f2fc882b108e0a23bfbd1dffafbbf5701\
+ d801b0e1c5788e60646ed82a045ee5c843111e73863e8cd644f49b93b6aa\
+ 39621bbe7ed44179707e146440926bca29226db5bee9d986f4cd564cd5a2\
+ f2948d56792b1a17a8fea43d60bb81d31020d6a37b52b5f00bb164ccd0c0\
+ e7d32d74816ebace533f5ef6eb44b621a9352862ae55f8d6924f2923a4a2\
+ 57a4f0430584b8b029fac9e675116589513";
+}