RubyGems - pq_crypto - Versions diffs - 0.3.2 → 0.5.0 - Mend

pq_crypto 0.3.2 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/native/riscv64/src/rv64v_zetas.inc ADDED Viewed

@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+/*
+ * WARNING: This file is auto-generated from scripts/autogen
+ *          in the mlkem-native repository.
+ *          Do not modify it directly.
+ */
+#include "arith_native_riscv64.h"
+const int16_t zeta[] = {
+    -1044, -758,  573,   -1325, 1223,  652,   -552,  1015,  -1103, 430,   555,
+    843,   -1251, 871,   1550,  105,   -359,  -1517, 264,   383,   -1293, 1491,
+    -282,  -1544, 422,   587,   177,   -235,  -291,  -460,  1574,  1653,  1493,
+    1422,  -829,  1458,  516,   -8,    -320,  -666,  -246,  778,   1159,  -147,
+    -777,  1483,  -602,  1119,  287,   202,   -1602, -130,  -1618, -1162, 126,
+    1469,  -1590, 644,   -872,  349,   418,   329,   -156,  -75,   -171,  622,
+    -681,  1017,  -853,  -90,   -271,  830,   817,   1097,  603,   610,   1322,
+    -1285, -1465, 384,   1577,  182,   732,   608,   107,   -1421, -247,  -951,
+    -1215, -136,  1218,  -1335, -874,  220,   -1187, -1659, 962,   -1202, -1542,
+    411,   -398,  961,   -1508, -725,  -1185, -1530, -1278, 794,   -1510, -854,
+    -870,  478,   -1474, 1468,  -205,  -1571, 448,   -1065, 677,   -1275, -108,
+    -308,  996,   991,   958,   -1460, 1522,  1628,
+};

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/native/riscv64/src/rv64v_zetas_basemul.inc ADDED Viewed

@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+/*
+ * WARNING: This file is auto-generated from scripts/autogen
+ *          in the mlkem-native repository.
+ *          Do not modify it directly.
+ */
+#include "arith_native_riscv64.h"
+const int16_t roots[] = {
+    -1044, -1103, -1044, 1103,  -1044, 430,   -1044, -430,  -1044, 555,   -1044,
+    -555,  -1044, 843,   -1044, -843,  -1044, -1251, -1044, 1251,  -1044, 871,
+    -1044, -871,  -1044, 1550,  -1044, -1550, -1044, 105,   -1044, -105,  -1044,
+    422,   -1044, -422,  -1044, 587,   -1044, -587,  -1044, 177,   -1044, -177,
+    -1044, -235,  -1044, 235,   -1044, -291,  -1044, 291,   -1044, -460,  -1044,
+    460,   -1044, 1574,  -1044, -1574, -1044, 1653,  -1044, -1653, -1044, -246,
+    -1044, 246,   -1044, 778,   -1044, -778,  -1044, 1159,  -1044, -1159, -1044,
+    -147,  -1044, 147,   -1044, -777,  -1044, 777,   -1044, 1483,  -1044, -1483,
+    -1044, -602,  -1044, 602,   -1044, 1119,  -1044, -1119, -1044, -1590, -1044,
+    1590,  -1044, 644,   -1044, -644,  -1044, -872,  -1044, 872,   -1044, 349,
+    -1044, -349,  -1044, 418,   -1044, -418,  -1044, 329,   -1044, -329,  -1044,
+    -156,  -1044, 156,   -1044, -75,   -1044, 75,    -1044, 817,   -1044, -817,
+    -1044, 1097,  -1044, -1097, -1044, 603,   -1044, -603,  -1044, 610,   -1044,
+    -610,  -1044, 1322,  -1044, -1322, -1044, -1285, -1044, 1285,  -1044, -1465,
+    -1044, 1465,  -1044, 384,   -1044, -384,  -1044, -1215, -1044, 1215,  -1044,
+    -136,  -1044, 136,   -1044, 1218,  -1044, -1218, -1044, -1335, -1044, 1335,
+    -1044, -874,  -1044, 874,   -1044, 220,   -1044, -220,  -1044, -1187, -1044,
+    1187,  -1044, -1659, -1044, 1659,  -1044, -1185, -1044, 1185,  -1044, -1530,
+    -1044, 1530,  -1044, -1278, -1044, 1278,  -1044, 794,   -1044, -794,  -1044,
+    -1510, -1044, 1510,  -1044, -854,  -1044, 854,   -1044, -870,  -1044, 870,
+    -1044, 478,   -1044, -478,  -1044, -108,  -1044, 108,   -1044, -308,  -1044,
+    308,   -1044, 996,   -1044, -996,  -1044, 991,   -1044, -991,  -1044, 958,
+    -1044, -958,  -1044, -1460, -1044, 1460,  -1044, 1522,  -1044, -1522, -1044,
+    1628,  -1044, -1628,
+};

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/native/x86_64/README.md ADDED Viewed

@@ -0,0 +1,4 @@
+[//]: # (SPDX-License-Identifier: CC-BY-4.0)
+This directory contains the native x86_64 arithmetic backend for ML-KEM provided by the official [AVX2
+implementation](https://github.com/pq-crystals/kyber/tree/main/avx2) of the Kyber team.

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/native/x86_64/meta.h ADDED Viewed

@@ -0,0 +1,304 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLK_NATIVE_X86_64_META_H
+#define MLK_NATIVE_X86_64_META_H
+/* Identifier for this backend so that source and assembly files
+ * in the build can be appropriately guarded. */
+#define MLK_ARITH_BACKEND_X86_64_DEFAULT
+#define MLK_USE_NATIVE_NTT_CUSTOM_ORDER
+#define MLK_USE_NATIVE_REJ_UNIFORM
+#define MLK_USE_NATIVE_NTT
+#define MLK_USE_NATIVE_INTT
+#define MLK_USE_NATIVE_POLY_REDUCE
+#define MLK_USE_NATIVE_POLY_TOMONT
+#define MLK_USE_NATIVE_POLYVEC_BASEMUL_ACC_MONTGOMERY_CACHED
+#define MLK_USE_NATIVE_POLY_MULCACHE_COMPUTE
+#define MLK_USE_NATIVE_POLY_TOBYTES
+#define MLK_USE_NATIVE_POLY_FROMBYTES
+#define MLK_USE_NATIVE_POLY_COMPRESS_D4
+#define MLK_USE_NATIVE_POLY_COMPRESS_D5
+#define MLK_USE_NATIVE_POLY_COMPRESS_D10
+#define MLK_USE_NATIVE_POLY_COMPRESS_D11
+#define MLK_USE_NATIVE_POLY_DECOMPRESS_D4
+#define MLK_USE_NATIVE_POLY_DECOMPRESS_D5
+#define MLK_USE_NATIVE_POLY_DECOMPRESS_D10
+#define MLK_USE_NATIVE_POLY_DECOMPRESS_D11
+#if !defined(__ASSEMBLER__)
+#include "../../common.h"
+#include "../api.h"
+#include "src/arith_native_x86_64.h"
+#include "src/compress_consts.h"
+static MLK_INLINE void mlk_poly_permute_bitrev_to_custom(int16_t data[MLKEM_N])
+{
+  if (mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    mlk_nttunpack_avx2(data);
+  }
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_rej_uniform_native(int16_t *r, unsigned len,
+                                             const uint8_t *buf,
+                                             unsigned buflen)
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2) || len != MLKEM_N ||
+      buflen % 12 != 0)
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  return (int)mlk_rej_uniform_asm(r, buf, buflen, mlk_rej_uniform_table);
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_ntt_native(int16_t data[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_ntt_avx2(data, mlk_qdata);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_intt_native(int16_t data[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_invntt_avx2(data, mlk_qdata);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_reduce_native(int16_t data[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_reduce_avx2(data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_tomont_native(int16_t data[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_tomont_avx2(data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_mulcache_compute_native(int16_t x[MLKEM_N / 2],
+                                                       const int16_t y[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_mulcache_compute_avx2(x, y, mlk_qdata);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+#if defined(MLK_CONFIG_MULTILEVEL_WITH_SHARED) || MLKEM_K == 2
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_polyvec_basemul_acc_montgomery_cached_k2_native(
+    int16_t r[MLKEM_N], const int16_t a[2 * MLKEM_N],
+    const int16_t b[2 * MLKEM_N], const int16_t b_cache[2 * (MLKEM_N / 2)])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_polyvec_basemul_acc_montgomery_cached_asm_k2(r, a, b, b_cache);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+#endif /* MLK_CONFIG_MULTILEVEL_WITH_SHARED || MLKEM_K == 2 */
+#if defined(MLK_CONFIG_MULTILEVEL_WITH_SHARED) || MLKEM_K == 3
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_polyvec_basemul_acc_montgomery_cached_k3_native(
+    int16_t r[MLKEM_N], const int16_t a[3 * MLKEM_N],
+    const int16_t b[3 * MLKEM_N], const int16_t b_cache[3 * (MLKEM_N / 2)])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_polyvec_basemul_acc_montgomery_cached_asm_k3(r, a, b, b_cache);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+#endif /* MLK_CONFIG_MULTILEVEL_WITH_SHARED || MLKEM_K == 3 */
+#if defined(MLK_CONFIG_MULTILEVEL_WITH_SHARED) || MLKEM_K == 4
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_polyvec_basemul_acc_montgomery_cached_k4_native(
+    int16_t r[MLKEM_N], const int16_t a[4 * MLKEM_N],
+    const int16_t b[4 * MLKEM_N], const int16_t b_cache[4 * (MLKEM_N / 2)])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_polyvec_basemul_acc_montgomery_cached_asm_k4(r, a, b, b_cache);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+#endif /* MLK_CONFIG_MULTILEVEL_WITH_SHARED || MLKEM_K == 4 */
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_tobytes_native(uint8_t r[MLKEM_POLYBYTES],
+                                              const int16_t a[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_ntttobytes_avx2(r, a);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_frombytes_native(
+    int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYBYTES])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_nttfrombytes_avx2(r, a);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+#if defined(MLK_CONFIG_MULTILEVEL_WITH_SHARED) || (MLKEM_K == 2 || MLKEM_K == 3)
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_compress_d4_native(
+    uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const int16_t a[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_compress_d4_avx2(r, a, mlk_compress_d4_data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_compress_d10_native(
+    uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const int16_t a[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_compress_d10_avx2(r, a, mlk_compress_d10_data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_decompress_d4_native(
+    int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_decompress_d4_avx2(r, a, mlk_decompress_d4_data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_decompress_d10_native(
+    int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D10])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_decompress_d10_avx2(r, a, mlk_decompress_d10_data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+#endif /* MLK_CONFIG_MULTILEVEL_WITH_SHARED || MLKEM_K == 2 || MLKEM_K == 3 */
+#if defined(MLK_CONFIG_MULTILEVEL_WITH_SHARED) || MLKEM_K == 4
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_compress_d5_native(
+    uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const int16_t a[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_compress_d5_avx2(r, a, mlk_compress_d5_data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_compress_d11_native(
+    uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const int16_t a[MLKEM_N])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_compress_d11_avx2(r, a, mlk_compress_d11_data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_decompress_d5_native(
+    int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_decompress_d5_avx2(r, a, mlk_decompress_d5_data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+MLK_MUST_CHECK_RETURN_VALUE
+static MLK_INLINE int mlk_poly_decompress_d11_native(
+    int16_t r[MLKEM_N], const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D11])
+{
+  if (!mlk_sys_check_capability(MLK_SYS_CAP_AVX2))
+  {
+    return MLK_NATIVE_FUNC_FALLBACK;
+  }
+  mlk_poly_decompress_d11_avx2(r, a, mlk_decompress_d11_data);
+  return MLK_NATIVE_FUNC_SUCCESS;
+}
+#endif /* MLK_CONFIG_MULTILEVEL_WITH_SHARED || MLKEM_K == 4 */
+#endif /* !__ASSEMBLER__ */
+#endif /* !MLK_NATIVE_X86_64_META_H */

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/native/x86_64/src/arith_native_x86_64.h ADDED Viewed

@@ -0,0 +1,309 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLK_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H
+#define MLK_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H
+#include "../../../common.h"
+#include <stdint.h>
+#include "compress_consts.h"
+#include "consts.h"
+#define MLK_AVX2_REJ_UNIFORM_BUFLEN \
+  (3 * 168) /* REJ_UNIFORM_NBLOCKS * SHAKE128_RATE */
+#define mlk_rej_uniform_table MLK_NAMESPACE(rej_uniform_table)
+extern const uint8_t mlk_rej_uniform_table[];
+#define mlk_rej_uniform_asm MLK_NAMESPACE(rej_uniform_asm)
+MLK_MUST_CHECK_RETURN_VALUE
+uint64_t mlk_rej_uniform_asm(int16_t *r, const uint8_t *buf, unsigned buflen,
+                             const uint8_t *table)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mlkem_rej_uniform.ml. */
+__contract__(
+    requires(buflen % 12 == 0)
+    requires(memory_no_alias(buf, buflen))
+    requires(table == mlk_rej_uniform_table)
+    requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+    assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+    ensures(return_value <= MLKEM_N)
+    ensures(array_bound(r, 0, (unsigned) return_value, 0, MLKEM_Q))
+);
+#define mlk_ntt_avx2 MLK_NAMESPACE(ntt_avx2)
+void mlk_ntt_avx2(int16_t *r, const int16_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mlkem_ntt.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  requires(array_abs_bound(r, 0, MLKEM_N, 8192))
+  requires(qdata == mlk_qdata)
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  /* check-magic: off */
+  ensures(array_abs_bound(r, 0, MLKEM_N, 23595))
+  /* check-magic: on */
+);
+#define mlk_invntt_avx2 MLK_NAMESPACE(invntt_avx2)
+void mlk_invntt_avx2(int16_t *r, const int16_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mlkem_intt.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  requires(qdata == mlk_qdata)
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  /* check-magic: off */
+  ensures(array_abs_bound(r, 0, MLKEM_N, 26632))
+  /* check-magic: on */
+);
+#define mlk_nttunpack_avx2 MLK_NAMESPACE(nttunpack_avx2)
+void mlk_nttunpack_avx2(int16_t *r)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mlkem_unpack.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  requires(array_bound(r, 0, MLKEM_N, 0, MLKEM_Q))
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  /* Output is a permutation of input: every output coefficient
+   * is some input coefficient */
+  ensures(forall(i, 0, MLKEM_N, exists(j, 0, MLKEM_N,
+    r[i] == old(*(int16_t (*)[MLKEM_N])r)[j])))
+);
+#define mlk_reduce_avx2 MLK_NAMESPACE(reduce_avx2)
+void mlk_reduce_avx2(int16_t *r)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mlkem_reduce.ml */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  ensures(array_bound(r, 0, MLKEM_N, 0, MLKEM_Q))
+);
+#define mlk_poly_mulcache_compute_avx2 MLK_NAMESPACE(poly_mulcache_compute_avx2)
+void mlk_poly_mulcache_compute_avx2(int16_t *out, const int16_t *in,
+                                    const int16_t *qdata)
+/* This must be kept in sync with the HOL-Light specification
+ * in proofs/hol_light/x86_64/proofs/mlkem_mulcache_compute.ml */
+__contract__(
+  requires(memory_no_alias(out, sizeof(int16_t) * (MLKEM_N / 2)))
+  requires(memory_no_alias(in, sizeof(int16_t) * MLKEM_N))
+  requires(qdata == mlk_qdata)
+  assigns(memory_slice(out, sizeof(int16_t) * (MLKEM_N / 2)))
+  ensures(array_abs_bound(out, 0, MLKEM_N/2, MLKEM_Q))
+);
+#define mlk_polyvec_basemul_acc_montgomery_cached_asm_k2 \
+  MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_asm_k2)
+void mlk_polyvec_basemul_acc_montgomery_cached_asm_k2(int16_t *r,
+                                                      const int16_t *a,
+                                                      const int16_t *b,
+                                                      const int16_t *b_cache)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_basemul_acc_montgomery_cached_k2.ml.
+ */
+__contract__(
+    requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+    requires(memory_no_alias(a, sizeof(int16_t) * 2 * MLKEM_N))
+    requires(memory_no_alias(b, sizeof(int16_t) * 2 * MLKEM_N))
+    requires(memory_no_alias(b_cache, sizeof(int16_t) * 2 * (MLKEM_N / 2)))
+    requires(array_abs_bound(a, 0, 2 * MLKEM_N, MLKEM_UINT12_LIMIT + 1))
+    assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+);
+#define mlk_polyvec_basemul_acc_montgomery_cached_asm_k3 \
+  MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_asm_k3)
+void mlk_polyvec_basemul_acc_montgomery_cached_asm_k3(int16_t *r,
+                                                      const int16_t *a,
+                                                      const int16_t *b,
+                                                      const int16_t *b_cache)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_basemul_acc_montgomery_cached_k3.ml.
+ */
+__contract__(
+    requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+    requires(memory_no_alias(a, sizeof(int16_t) * 3 * MLKEM_N))
+    requires(memory_no_alias(b, sizeof(int16_t) * 3 * MLKEM_N))
+    requires(memory_no_alias(b_cache, sizeof(int16_t) * 3 * (MLKEM_N / 2)))
+    requires(array_abs_bound(a, 0, 3 * MLKEM_N, MLKEM_UINT12_LIMIT + 1))
+    assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+);
+#define mlk_polyvec_basemul_acc_montgomery_cached_asm_k4 \
+  MLK_NAMESPACE(polyvec_basemul_acc_montgomery_cached_asm_k4)
+void mlk_polyvec_basemul_acc_montgomery_cached_asm_k4(int16_t *r,
+                                                      const int16_t *a,
+                                                      const int16_t *b,
+                                                      const int16_t *b_cache)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_basemul_acc_montgomery_cached_k4.ml.
+ */
+__contract__(
+    requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+    requires(memory_no_alias(a, sizeof(int16_t) * 4 * MLKEM_N))
+    requires(memory_no_alias(b, sizeof(int16_t) * 4 * MLKEM_N))
+    requires(memory_no_alias(b_cache, sizeof(int16_t) * 4 * (MLKEM_N / 2)))
+    requires(array_abs_bound(a, 0, 4 * MLKEM_N, MLKEM_UINT12_LIMIT + 1))
+    assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+);
+#define mlk_ntttobytes_avx2 MLK_NAMESPACE(ntttobytes_avx2)
+void mlk_ntttobytes_avx2(uint8_t *r, const int16_t *a)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_tobytes.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, MLKEM_POLYBYTES))
+  requires(memory_no_alias(a, sizeof(int16_t) * MLKEM_N))
+  requires(array_bound(a, 0, MLKEM_N, 0, MLKEM_Q))
+  assigns(memory_slice(r, MLKEM_POLYBYTES))
+);
+#define mlk_nttfrombytes_avx2 MLK_NAMESPACE(nttfrombytes_avx2)
+void mlk_nttfrombytes_avx2(int16_t *r, const uint8_t *a)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_frombytes.ml.
+ */
+__contract__(
+  requires(memory_no_alias(a, MLKEM_POLYBYTES))
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  ensures(array_bound(r, 0, MLKEM_N, 0, MLKEM_UINT12_LIMIT))
+);
+#define mlk_tomont_avx2 MLK_NAMESPACE(tomont_avx2)
+void mlk_tomont_avx2(int16_t *r)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_tomont.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  ensures(array_abs_bound(r, 0, MLKEM_N, MLKEM_Q))
+);
+#define mlk_poly_compress_d4_avx2 MLK_NAMESPACE(poly_compress_d4_avx2)
+void mlk_poly_compress_d4_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4],
+                               const int16_t *MLK_RESTRICT a,
+                               const uint8_t *data)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_compress_d4.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, MLKEM_POLYCOMPRESSEDBYTES_D4))
+  requires(memory_no_alias(a, sizeof(int16_t) * MLKEM_N))
+  requires(array_bound(a, 0, MLKEM_N, 0, MLKEM_Q))
+  requires(data == mlk_compress_d4_data)
+  assigns(memory_slice(r, MLKEM_POLYCOMPRESSEDBYTES_D4))
+);
+#define mlk_poly_decompress_d4_avx2 MLK_NAMESPACE(poly_decompress_d4_avx2)
+void mlk_poly_decompress_d4_avx2(int16_t *MLK_RESTRICT r,
+                                 const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D4],
+                                 const uint8_t *data)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_decompress_d4.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  requires(memory_no_alias(a, MLKEM_POLYCOMPRESSEDBYTES_D4))
+  requires(data == mlk_decompress_d4_data)
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  ensures(array_bound(r, 0, MLKEM_N, 0, MLKEM_Q))
+);
+#define mlk_poly_compress_d10_avx2 MLK_NAMESPACE(poly_compress_d10_avx2)
+void mlk_poly_compress_d10_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10],
+                                const int16_t *MLK_RESTRICT a,
+                                const uint8_t *data)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_compress_d10.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, MLKEM_POLYCOMPRESSEDBYTES_D10))
+  requires(memory_no_alias(a, sizeof(int16_t) * MLKEM_N))
+  requires(array_bound(a, 0, MLKEM_N, 0, MLKEM_Q))
+  requires(data == mlk_compress_d10_data)
+  assigns(memory_slice(r, MLKEM_POLYCOMPRESSEDBYTES_D10))
+);
+#define mlk_poly_decompress_d10_avx2 MLK_NAMESPACE(poly_decompress_d10_avx2)
+void mlk_poly_decompress_d10_avx2(
+    int16_t *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D10],
+    const uint8_t *data)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_decompress_d10.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  requires(memory_no_alias(a, MLKEM_POLYCOMPRESSEDBYTES_D10))
+  requires(data == mlk_decompress_d10_data)
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  ensures(array_bound(r, 0, MLKEM_N, 0, MLKEM_Q))
+);
+#define mlk_poly_compress_d5_avx2 MLK_NAMESPACE(poly_compress_d5_avx2)
+void mlk_poly_compress_d5_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5],
+                               const int16_t *MLK_RESTRICT a,
+                               const uint8_t *data)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_compress_d5.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, MLKEM_POLYCOMPRESSEDBYTES_D5))
+  requires(memory_no_alias(a, sizeof(int16_t) * MLKEM_N))
+  requires(array_bound(a, 0, MLKEM_N, 0, MLKEM_Q))
+  requires(data == mlk_compress_d5_data)
+  assigns(memory_slice(r, MLKEM_POLYCOMPRESSEDBYTES_D5))
+);
+#define mlk_poly_decompress_d5_avx2 MLK_NAMESPACE(poly_decompress_d5_avx2)
+void mlk_poly_decompress_d5_avx2(int16_t *MLK_RESTRICT r,
+                                 const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D5],
+                                 const uint8_t *data)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_decompress_d5.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  requires(memory_no_alias(a, MLKEM_POLYCOMPRESSEDBYTES_D5))
+  requires(data == mlk_decompress_d5_data)
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  ensures(array_bound(r, 0, MLKEM_N, 0, MLKEM_Q))
+);
+#define mlk_poly_compress_d11_avx2 MLK_NAMESPACE(poly_compress_d11_avx2)
+void mlk_poly_compress_d11_avx2(uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11],
+                                const int16_t *MLK_RESTRICT a,
+                                const uint8_t *data)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_compress_d11.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, MLKEM_POLYCOMPRESSEDBYTES_D11))
+  requires(memory_no_alias(a, sizeof(int16_t) * MLKEM_N))
+  requires(array_bound(a, 0, MLKEM_N, 0, MLKEM_Q))
+  requires(data == mlk_compress_d11_data)
+  assigns(memory_slice(r, MLKEM_POLYCOMPRESSEDBYTES_D11))
+);
+#define mlk_poly_decompress_d11_avx2 MLK_NAMESPACE(poly_decompress_d11_avx2)
+void mlk_poly_decompress_d11_avx2(
+    int16_t *MLK_RESTRICT r, const uint8_t a[MLKEM_POLYCOMPRESSEDBYTES_D11],
+    const uint8_t *data)
+/* This must be kept in sync with the HOL-Light specification in
+ * proofs/hol_light/x86_64/proofs/mlkem_poly_decompress_d11.ml.
+ */
+__contract__(
+  requires(memory_no_alias(r, sizeof(int16_t) * MLKEM_N))
+  requires(memory_no_alias(a, MLKEM_POLYCOMPRESSEDBYTES_D11))
+  requires(data == mlk_decompress_d11_data)
+  assigns(memory_slice(r, sizeof(int16_t) * MLKEM_N))
+  ensures(array_bound(r, 0, MLKEM_N, 0, MLKEM_Q))
+);
+#endif /* !MLK_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H */