pq-code-package
diff --git a/‎mlkem/src/indcpa.c‎
Lines changed: 115 additions & 78 deletions b/‎mlkem/src/indcpa.c‎
Lines changed: 115 additions & 78 deletions
diff --git a/‎mlkem/src/indcpa.h‎
Lines changed: 3 additions & 3 deletions b/‎mlkem/src/indcpa.h‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎mlkem/src/kem.c‎
Lines changed: 3 additions & 3 deletions b/‎mlkem/src/kem.c‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎mlkem/src/poly_k.c‎
Lines changed: 38 additions & 38 deletions b/‎mlkem/src/poly_k.c‎
Lines changed: 38 additions & 38 deletions
@@ -39,15 +39,15 @@
  *
  **************************************************/
 MLK_INTERNAL_API
-void mlk_gen_matrix(mlk_polymat a, const uint8_t seed[MLKEM_SYMBYTES],
+void mlk_gen_matrix(mlk_polymat *a, const uint8_t seed[MLKEM_SYMBYTES],
                     int transposed)
 __contract__(
   requires(memory_no_alias(a, sizeof(mlk_polymat)))
   requires(memory_no_alias(seed, MLKEM_SYMBYTES))
   requires(transposed == 0 || transposed == 1)
   assigns(object_whole(a))
-  ensures(forall(x, 0, MLKEM_K * MLKEM_K,
-    array_bound(a[x].coeffs, 0, MLKEM_N, 0, MLKEM_Q)))
+  ensures(forall(x, 0, MLKEM_K, forall(y, 0, MLKEM_K,
+  array_bound(a->vec[x].vec[y].coeffs, 0, MLKEM_N, 0, MLKEM_Q))))
 );
 
 #define mlk_indcpa_keypair_derand MLK_NAMESPACE_K(indcpa_keypair_derand)
 
@@ -46,9 +46,9 @@ int crypto_kem_check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES])
   mlk_polyvec p;
   uint8_t p_reencoded[MLKEM_POLYVECBYTES];
 
-  mlk_polyvec_frombytes(p, pk);
-  mlk_polyvec_reduce(p);
-  mlk_polyvec_tobytes(p_reencoded, p);
+  mlk_polyvec_frombytes(&p, pk);
+  mlk_polyvec_reduce(&p);
+  mlk_polyvec_tobytes(p_reencoded, &p);
 
   /* We use a constant-time memcmp here to avoid having to
    * declassify the PK before the PCT has succeeded. */
 
@@ -47,29 +47,29 @@
  *              in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */
 MLK_INTERNAL_API
 void mlk_polyvec_compress_du(uint8_t r[MLKEM_POLYVECCOMPRESSEDBYTES_DU],
-                             const mlk_polyvec a)
+                             const mlk_polyvec *a)
 {
   unsigned i;
-  mlk_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
+  mlk_assert_bound_2d(a->vec, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
 
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_compress_du(r + i * MLKEM_POLYCOMPRESSEDBYTES_DU, &a[i]);
+    mlk_poly_compress_du(r + i * MLKEM_POLYCOMPRESSEDBYTES_DU, &a->vec[i]);
   }
 }
 
 /* Reference: `polyvec_decompress()` in the reference implementation @[REF]. */
 MLK_INTERNAL_API
-void mlk_polyvec_decompress_du(mlk_polyvec r,
+void mlk_polyvec_decompress_du(mlk_polyvec *r,
                                const uint8_t a[MLKEM_POLYVECCOMPRESSEDBYTES_DU])
 {
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_decompress_du(&r[i], a + i * MLKEM_POLYCOMPRESSEDBYTES_DU);
+    mlk_poly_decompress_du(&r->vec[i], a + i * MLKEM_POLYCOMPRESSEDBYTES_DU);
   }
 
-  mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
+  mlk_assert_bound_2d(r->vec, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
 }
 
 /* Reference: `polyvec_tobytes()` in the reference implementation @[REF].
@@ -78,45 +78,45 @@ void mlk_polyvec_decompress_du(mlk_polyvec r,
  *              The reference implementation works with coefficients
  *              in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */
 MLK_INTERNAL_API
-void mlk_polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const mlk_polyvec a)
+void mlk_polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const mlk_polyvec *a)
 {
   unsigned i;
-  mlk_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
+  mlk_assert_bound_2d(a->vec, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
 
   for (i = 0; i < MLKEM_K; i++)
   __loop__(
     assigns(i, object_whole(r))
     invariant(i <= MLKEM_K)
   )
   {
-    mlk_poly_tobytes(&r[i * MLKEM_POLYBYTES], &a[i]);
+    mlk_poly_tobytes(&r[i * MLKEM_POLYBYTES], &a->vec[i]);
   }
 }
 
 /* Reference: `polyvec_frombytes()` in the reference implementation @[REF]. */
 MLK_INTERNAL_API
-void mlk_polyvec_frombytes(mlk_polyvec r, const uint8_t a[MLKEM_POLYVECBYTES])
+void mlk_polyvec_frombytes(mlk_polyvec *r, const uint8_t a[MLKEM_POLYVECBYTES])
 {
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_frombytes(&r[i], a + i * MLKEM_POLYBYTES);
+    mlk_poly_frombytes(&r->vec[i], a + i * MLKEM_POLYBYTES);
   }
 
-  mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);
+  mlk_assert_bound_2d(r->vec, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);
 }
 
 /* Reference: `polyvec_ntt()` in the reference implementation @[REF]. */
 MLK_INTERNAL_API
-void mlk_polyvec_ntt(mlk_polyvec r)
+void mlk_polyvec_ntt(mlk_polyvec *r)
 {
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_ntt(&r[i]);
+    mlk_poly_ntt(&r->vec[i]);
   }
 
-  mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLK_NTT_BOUND);
+  mlk_assert_abs_bound_2d(r->vec, MLKEM_K, MLKEM_N, MLK_NTT_BOUND);
 }
 
 /* Reference: `polyvec_invntt_tomont()` in the reference implementation @[REF].
@@ -125,15 +125,15 @@ void mlk_polyvec_ntt(mlk_polyvec r)
  *              the end. This allows us to drop a call to `poly_reduce()`
  *              from the base multiplication. */
 MLK_INTERNAL_API
-void mlk_polyvec_invntt_tomont(mlk_polyvec r)
+void mlk_polyvec_invntt_tomont(mlk_polyvec *r)
 {
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_invntt_tomont(&r[i]);
+    mlk_poly_invntt_tomont(&r->vec[i]);
   }
 
-  mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLK_INVNTT_BOUND);
+  mlk_assert_abs_bound_2d(r->vec, MLKEM_K, MLKEM_N, MLK_INVNTT_BOUND);
 }
 
 /* Reference: `polyvec_basemul_acc_montgomery()` in the
@@ -148,20 +148,20 @@ void mlk_polyvec_invntt_tomont(mlk_polyvec r)
  *              more modular reductions since it reduces after every modular
  *              multiplication. */
 MLK_STATIC_TESTABLE void mlk_polyvec_basemul_acc_montgomery_cached_c(
-    mlk_poly *r, const mlk_polyvec a, const mlk_polyvec b,
-    const mlk_polyvec_mulcache b_cache)
+    mlk_poly *r, const mlk_polyvec *a, const mlk_polyvec *b,
+    const mlk_polyvec_mulcache *b_cache)
 __contract__(
   requires(memory_no_alias(r, sizeof(mlk_poly)))
   requires(memory_no_alias(a, sizeof(mlk_polyvec)))
   requires(memory_no_alias(b, sizeof(mlk_polyvec)))
   requires(memory_no_alias(b_cache, sizeof(mlk_polyvec_mulcache)))
   requires(forall(k1, 0, MLKEM_K,
-     array_bound(a[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))
+     array_bound(a->vec[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))
   assigns(object_whole(r))
 )
 {
   unsigned i;
-  mlk_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);
+  mlk_assert_bound_2d(a->vec, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);
 
   for (i = 0; i < MLKEM_N / 2; i++)
   __loop__(invariant(i <= MLKEM_N / 2))
@@ -176,10 +176,10 @@ __contract__(
          t[1] <=   ((int32_t) k * 2 * MLKEM_UINT12_LIMIT * 32768) &&
          t[1] >= - ((int32_t) k * 2 * MLKEM_UINT12_LIMIT * 32768)))
     {
-      t[0] += (int32_t)a[k].coeffs[2 * i + 1] * b_cache[k].coeffs[i];
-      t[0] += (int32_t)a[k].coeffs[2 * i] * b[k].coeffs[2 * i];
-      t[1] += (int32_t)a[k].coeffs[2 * i] * b[k].coeffs[2 * i + 1];
-      t[1] += (int32_t)a[k].coeffs[2 * i + 1] * b[k].coeffs[2 * i];
+      t[0] += (int32_t)a->vec[k].coeffs[2 * i + 1] * b_cache->vec[k].coeffs[i];
+      t[0] += (int32_t)a->vec[k].coeffs[2 * i] * b->vec[k].coeffs[2 * i];
+      t[1] += (int32_t)a->vec[k].coeffs[2 * i] * b->vec[k].coeffs[2 * i + 1];
+      t[1] += (int32_t)a->vec[k].coeffs[2 * i + 1] * b->vec[k].coeffs[2 * i];
     }
     r->coeffs[2 * i + 0] = mlk_montgomery_reduce(t[0]);
     r->coeffs[2 * i + 1] = mlk_montgomery_reduce(t[1]);
@@ -188,8 +188,8 @@ __contract__(
 
 MLK_INTERNAL_API
 void mlk_polyvec_basemul_acc_montgomery_cached(
-    mlk_poly *r, const mlk_polyvec a, const mlk_polyvec b,
-    const mlk_polyvec_mulcache b_cache)
+    mlk_poly *r, const mlk_polyvec *a, const mlk_polyvec *b,
+    const mlk_polyvec_mulcache *b_cache)
 {
 #if defined(MLK_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED)
   {
@@ -225,12 +225,12 @@ void mlk_polyvec_basemul_acc_montgomery_cached(
  *              multiplication cache ('mulcache'). This idea originates
  *              from @[NeonNTT] and is used at the C level here. */
 MLK_INTERNAL_API
-void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache x, const mlk_polyvec a)
+void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache *x, const mlk_polyvec *a)
 {
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_mulcache_compute(&x[i], &a[i]);
+    mlk_poly_mulcache_compute(&x->vec[i], &a->vec[i]);
   }
 }
 
@@ -242,41 +242,41 @@ void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache x, const mlk_polyvec a)
  *              This conditional addition is then dropped from all
  *              polynomial compression functions instead (see `compress.c`). */
 MLK_INTERNAL_API
-void mlk_polyvec_reduce(mlk_polyvec r)
+void mlk_polyvec_reduce(mlk_polyvec *r)
 {
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_reduce(&r[i]);
+    mlk_poly_reduce(&r->vec[i]);
   }
 
-  mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
+  mlk_assert_bound_2d(r->vec, MLKEM_K, MLKEM_N, 0, MLKEM_Q);
 }
 
 /* Reference: `polyvec_add()` in the reference implementation @[REF].
  *            - We use destructive version (output=first input) to avoid
  *              reasoning about aliasing in the CBMC specification */
 MLK_INTERNAL_API
-void mlk_polyvec_add(mlk_polyvec r, const mlk_polyvec b)
+void mlk_polyvec_add(mlk_polyvec *r, const mlk_polyvec *b)
 {
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_add(&r[i], &b[i]);
+    mlk_poly_add(&r->vec[i], &b->vec[i]);
   }
 }
 
 /* Reference: `polyvec_tomont()` in the reference implementation @[REF]. */
 MLK_INTERNAL_API
-void mlk_polyvec_tomont(mlk_polyvec r)
+void mlk_polyvec_tomont(mlk_polyvec *r)
 {
   unsigned i;
   for (i = 0; i < MLKEM_K; i++)
   {
-    mlk_poly_tomont(&r[i]);
+    mlk_poly_tomont(&r->vec[i]);
   }
 
-  mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLKEM_Q);
+  mlk_assert_abs_bound_2d(r->vec, MLKEM_K, MLKEM_N, MLKEM_Q);
 }
Original file line number	Diff line number	Diff line change
`@@ -47,29 +47,29 @@`
`47`	`47`	`* in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */`
`48`	`48`	`MLK_INTERNAL_API`
`49`	`49`	`void mlk_polyvec_compress_du(uint8_t r[MLKEM_POLYVECCOMPRESSEDBYTES_DU],`
`50`		`- const mlk_polyvec a)`
	`50`	`+ const mlk_polyvec *a)`
`51`	`51`	`{`
`52`	`52`	`unsigned i;`
`53`		`- mlk_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_Q);`
	`53`	`+ mlk_assert_bound_2d(a->vec, MLKEM_K, MLKEM_N, 0, MLKEM_Q);`
`54`	`54`
`55`	`55`	`for (i = 0; i < MLKEM_K; i++)`
`56`	`56`	`{`
`57`		`- mlk_poly_compress_du(r + i * MLKEM_POLYCOMPRESSEDBYTES_DU, &a[i]);`
	`57`	`+ mlk_poly_compress_du(r + i * MLKEM_POLYCOMPRESSEDBYTES_DU, &a->vec[i]);`
`58`	`58`	`}`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	/* Reference: `polyvec_decompress()` in the reference implementation @[REF]. */
`62`	`62`	`MLK_INTERNAL_API`
`63`		`-void mlk_polyvec_decompress_du(mlk_polyvec r,`
	`63`	`+void mlk_polyvec_decompress_du(mlk_polyvec *r,`
`64`	`64`	`const uint8_t a[MLKEM_POLYVECCOMPRESSEDBYTES_DU])`
`65`	`65`	`{`
`66`	`66`	`unsigned i;`
`67`	`67`	`for (i = 0; i < MLKEM_K; i++)`
`68`	`68`	`{`
`69`		`- mlk_poly_decompress_du(&r[i], a + i * MLKEM_POLYCOMPRESSEDBYTES_DU);`
	`69`	`+ mlk_poly_decompress_du(&r->vec[i], a + i * MLKEM_POLYCOMPRESSEDBYTES_DU);`
`70`	`70`	`}`
`71`	`71`
`72`		`- mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_Q);`
	`72`	`+ mlk_assert_bound_2d(r->vec, MLKEM_K, MLKEM_N, 0, MLKEM_Q);`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	/* Reference: `polyvec_tobytes()` in the reference implementation @[REF].
`@@ -78,45 +78,45 @@ void mlk_polyvec_decompress_du(mlk_polyvec r,`
`78`	`78`	`* The reference implementation works with coefficients`
`79`	`79`	`* in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */`
`80`	`80`	`MLK_INTERNAL_API`
`81`		`-void mlk_polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const mlk_polyvec a)`
	`81`	`+void mlk_polyvec_tobytes(uint8_t r[MLKEM_POLYVECBYTES], const mlk_polyvec *a)`
`82`	`82`	`{`
`83`	`83`	`unsigned i;`
`84`		`- mlk_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_Q);`
	`84`	`+ mlk_assert_bound_2d(a->vec, MLKEM_K, MLKEM_N, 0, MLKEM_Q);`
`85`	`85`
`86`	`86`	`for (i = 0; i < MLKEM_K; i++)`
`87`	`87`	`__loop__(`
`88`	`88`	`assigns(i, object_whole(r))`
`89`	`89`	`invariant(i <= MLKEM_K)`
`90`	`90`	`)`
`91`	`91`	`{`
`92`		`- mlk_poly_tobytes(&r[i * MLKEM_POLYBYTES], &a[i]);`
	`92`	`+ mlk_poly_tobytes(&r[i * MLKEM_POLYBYTES], &a->vec[i]);`
`93`	`93`	`}`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	/* Reference: `polyvec_frombytes()` in the reference implementation @[REF]. */
`97`	`97`	`MLK_INTERNAL_API`
`98`		`-void mlk_polyvec_frombytes(mlk_polyvec r, const uint8_t a[MLKEM_POLYVECBYTES])`
	`98`	`+void mlk_polyvec_frombytes(mlk_polyvec *r, const uint8_t a[MLKEM_POLYVECBYTES])`
`99`	`99`	`{`
`100`	`100`	`unsigned i;`
`101`	`101`	`for (i = 0; i < MLKEM_K; i++)`
`102`	`102`	`{`
`103`		`- mlk_poly_frombytes(&r[i], a + i * MLKEM_POLYBYTES);`
	`103`	`+ mlk_poly_frombytes(&r->vec[i], a + i * MLKEM_POLYBYTES);`
`104`	`104`	`}`
`105`	`105`
`106`		`- mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);`
	`106`	`+ mlk_assert_bound_2d(r->vec, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	/* Reference: `polyvec_ntt()` in the reference implementation @[REF]. */
`110`	`110`	`MLK_INTERNAL_API`
`111`		`-void mlk_polyvec_ntt(mlk_polyvec r)`
	`111`	`+void mlk_polyvec_ntt(mlk_polyvec *r)`
`112`	`112`	`{`
`113`	`113`	`unsigned i;`
`114`	`114`	`for (i = 0; i < MLKEM_K; i++)`
`115`	`115`	`{`
`116`		`- mlk_poly_ntt(&r[i]);`
	`116`	`+ mlk_poly_ntt(&r->vec[i]);`
`117`	`117`	`}`
`118`	`118`
`119`		`- mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLK_NTT_BOUND);`
	`119`	`+ mlk_assert_abs_bound_2d(r->vec, MLKEM_K, MLKEM_N, MLK_NTT_BOUND);`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	/* Reference: `polyvec_invntt_tomont()` in the reference implementation @[REF].
`@@ -125,15 +125,15 @@ void mlk_polyvec_ntt(mlk_polyvec r)`
`125`	`125`	* the end. This allows us to drop a call to `poly_reduce()`
`126`	`126`	`* from the base multiplication. */`
`127`	`127`	`MLK_INTERNAL_API`
`128`		`-void mlk_polyvec_invntt_tomont(mlk_polyvec r)`
	`128`	`+void mlk_polyvec_invntt_tomont(mlk_polyvec *r)`
`129`	`129`	`{`
`130`	`130`	`unsigned i;`
`131`	`131`	`for (i = 0; i < MLKEM_K; i++)`
`132`	`132`	`{`
`133`		`- mlk_poly_invntt_tomont(&r[i]);`
	`133`	`+ mlk_poly_invntt_tomont(&r->vec[i]);`
`134`	`134`	`}`
`135`	`135`
`136`		`- mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLK_INVNTT_BOUND);`
	`136`	`+ mlk_assert_abs_bound_2d(r->vec, MLKEM_K, MLKEM_N, MLK_INVNTT_BOUND);`
`137`	`137`	`}`
`138`	`138`
`139`	`139`	/* Reference: `polyvec_basemul_acc_montgomery()` in the
`@@ -148,20 +148,20 @@ void mlk_polyvec_invntt_tomont(mlk_polyvec r)`
`148`	`148`	`* more modular reductions since it reduces after every modular`
`149`	`149`	`* multiplication. */`
`150`	`150`	`MLK_STATIC_TESTABLE void mlk_polyvec_basemul_acc_montgomery_cached_c(`
`151`		`- mlk_poly *r, const mlk_polyvec a, const mlk_polyvec b,`
`152`		`- const mlk_polyvec_mulcache b_cache)`
	`151`	`+ mlk_poly r, const mlk_polyvec a, const mlk_polyvec *b,`
	`152`	`+ const mlk_polyvec_mulcache *b_cache)`
`153`	`153`	`__contract__(`
`154`	`154`	`requires(memory_no_alias(r, sizeof(mlk_poly)))`
`155`	`155`	`requires(memory_no_alias(a, sizeof(mlk_polyvec)))`
`156`	`156`	`requires(memory_no_alias(b, sizeof(mlk_polyvec)))`
`157`	`157`	`requires(memory_no_alias(b_cache, sizeof(mlk_polyvec_mulcache)))`
`158`	`158`	`requires(forall(k1, 0, MLKEM_K,`
`159`		`- array_bound(a[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))`
	`159`	`+ array_bound(a->vec[k1].coeffs, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT)))`
`160`	`160`	`assigns(object_whole(r))`
`161`	`161`	`)`
`162`	`162`	`{`
`163`	`163`	`unsigned i;`
`164`		`- mlk_assert_bound_2d(a, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);`
	`164`	`+ mlk_assert_bound_2d(a->vec, MLKEM_K, MLKEM_N, 0, MLKEM_UINT12_LIMIT);`
`165`	`165`
`166`	`166`	`for (i = 0; i < MLKEM_N / 2; i++)`
`167`	`167`	`__loop__(invariant(i <= MLKEM_N / 2))`
`@@ -176,10 +176,10 @@ __contract__(`
`176`	`176`	`t[1] <= ((int32_t) k * 2 * MLKEM_UINT12_LIMIT * 32768) &&`
`177`	`177`	`t[1] >= - ((int32_t) k * 2 * MLKEM_UINT12_LIMIT * 32768)))`
`178`	`178`	`{`
`179`		`- t[0] += (int32_t)a[k].coeffs[2 * i + 1] * b_cache[k].coeffs[i];`
`180`		`- t[0] += (int32_t)a[k].coeffs[2 * i] * b[k].coeffs[2 * i];`
`181`		`- t[1] += (int32_t)a[k].coeffs[2 * i] * b[k].coeffs[2 * i + 1];`
`182`		`- t[1] += (int32_t)a[k].coeffs[2 * i + 1] * b[k].coeffs[2 * i];`
	`179`	`+ t[0] += (int32_t)a->vec[k].coeffs[2 * i + 1] * b_cache->vec[k].coeffs[i];`
	`180`	`+ t[0] += (int32_t)a->vec[k].coeffs[2 * i] * b->vec[k].coeffs[2 * i];`
	`181`	`+ t[1] += (int32_t)a->vec[k].coeffs[2 * i] * b->vec[k].coeffs[2 * i + 1];`
	`182`	`+ t[1] += (int32_t)a->vec[k].coeffs[2 * i + 1] * b->vec[k].coeffs[2 * i];`
`183`	`183`	`}`
`184`	`184`	`r->coeffs[2 * i + 0] = mlk_montgomery_reduce(t[0]);`
`185`	`185`	`r->coeffs[2 * i + 1] = mlk_montgomery_reduce(t[1]);`
`@@ -188,8 +188,8 @@ __contract__(`
`188`	`188`
`189`	`189`	`MLK_INTERNAL_API`
`190`	`190`	`void mlk_polyvec_basemul_acc_montgomery_cached(`
`191`		`- mlk_poly *r, const mlk_polyvec a, const mlk_polyvec b,`
`192`		`- const mlk_polyvec_mulcache b_cache)`
	`191`	`+ mlk_poly r, const mlk_polyvec a, const mlk_polyvec *b,`
	`192`	`+ const mlk_polyvec_mulcache *b_cache)`
`193`	`193`	`{`
`194`	`194`	`#if defined(MLK_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED)`
`195`	`195`	`{`
`@@ -225,12 +225,12 @@ void mlk_polyvec_basemul_acc_montgomery_cached(`
`225`	`225`	`* multiplication cache ('mulcache'). This idea originates`
`226`	`226`	`* from @[NeonNTT] and is used at the C level here. */`
`227`	`227`	`MLK_INTERNAL_API`
`228`		`-void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache x, const mlk_polyvec a)`
	`228`	`+void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache x, const mlk_polyvec a)`
`229`	`229`	`{`
`230`	`230`	`unsigned i;`
`231`	`231`	`for (i = 0; i < MLKEM_K; i++)`
`232`	`232`	`{`
`233`		`- mlk_poly_mulcache_compute(&x[i], &a[i]);`
	`233`	`+ mlk_poly_mulcache_compute(&x->vec[i], &a->vec[i]);`
`234`	`234`	`}`
`235`	`235`	`}`
`236`	`236`
`@@ -242,41 +242,41 @@ void mlk_polyvec_mulcache_compute(mlk_polyvec_mulcache x, const mlk_polyvec a)`
`242`	`242`	`* This conditional addition is then dropped from all`
`243`	`243`	* polynomial compression functions instead (see `compress.c`). */
`244`	`244`	`MLK_INTERNAL_API`
`245`		`-void mlk_polyvec_reduce(mlk_polyvec r)`
	`245`	`+void mlk_polyvec_reduce(mlk_polyvec *r)`
`246`	`246`	`{`
`247`	`247`	`unsigned i;`
`248`	`248`	`for (i = 0; i < MLKEM_K; i++)`
`249`	`249`	`{`
`250`		`- mlk_poly_reduce(&r[i]);`
	`250`	`+ mlk_poly_reduce(&r->vec[i]);`
`251`	`251`	`}`
`252`	`252`
`253`		`- mlk_assert_bound_2d(r, MLKEM_K, MLKEM_N, 0, MLKEM_Q);`
	`253`	`+ mlk_assert_bound_2d(r->vec, MLKEM_K, MLKEM_N, 0, MLKEM_Q);`
`254`	`254`	`}`
`255`	`255`
`256`	`256`	/* Reference: `polyvec_add()` in the reference implementation @[REF].
`257`	`257`	`* - We use destructive version (output=first input) to avoid`
`258`	`258`	`* reasoning about aliasing in the CBMC specification */`
`259`	`259`	`MLK_INTERNAL_API`
`260`		`-void mlk_polyvec_add(mlk_polyvec r, const mlk_polyvec b)`
	`260`	`+void mlk_polyvec_add(mlk_polyvec r, const mlk_polyvec b)`
`261`	`261`	`{`
`262`	`262`	`unsigned i;`
`263`	`263`	`for (i = 0; i < MLKEM_K; i++)`
`264`	`264`	`{`
`265`		`- mlk_poly_add(&r[i], &b[i]);`
	`265`	`+ mlk_poly_add(&r->vec[i], &b->vec[i]);`
`266`	`266`	`}`
`267`	`267`	`}`
`268`	`268`
`269`	`269`	/* Reference: `polyvec_tomont()` in the reference implementation @[REF]. */
`270`	`270`	`MLK_INTERNAL_API`
`271`		`-void mlk_polyvec_tomont(mlk_polyvec r)`
	`271`	`+void mlk_polyvec_tomont(mlk_polyvec *r)`
`272`	`272`	`{`
`273`	`273`	`unsigned i;`
`274`	`274`	`for (i = 0; i < MLKEM_K; i++)`
`275`	`275`	`{`
`276`		`- mlk_poly_tomont(&r[i]);`
	`276`	`+ mlk_poly_tomont(&r->vec[i]);`
`277`	`277`	`}`
`278`	`278`
`279`		`- mlk_assert_abs_bound_2d(r, MLKEM_K, MLKEM_N, MLKEM_Q);`
	`279`	`+ mlk_assert_abs_bound_2d(r->vec, MLKEM_K, MLKEM_N, MLKEM_Q);`
`280`	`280`	`}`
`281`	`281`
`282`	`282`