pq_crypto 0.6.2 → 0.6.3

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/debug.h

@@ -8,37 +8,30 @@
 
 #if defined(MLKEM_DEBUG)
 
-/*************************************************
- * Name:        mlk_assert
+/**
+ * Check debug assertion.
  *
- * Description: Check debug assertion
+ * Prints an error message to stderr and calls exit(1) on failure.
  *
- *              Prints an error message to stderr and calls
- *              exit(1) if not.
- *
- * Arguments:   - file: filename
- *              - line: line number
- *              - val: Value asserted to be non-zero
- **************************************************/
+ * @param[in] file Filename.
+ * @param     line Line number.
+ * @param     val  Value asserted to be non-zero.
+ */
 #define mlk_debug_check_assert MLK_NAMESPACE(mlkem_debug_assert)
 void mlk_debug_check_assert(const char *file, int line, const int val);
 
-/*************************************************
- * Name:        mlk_debug_check_bounds
+/**
+ * Check whether values in an array of int16_t are within specified bounds.
  *
- * Description: Check whether values in an array of int16_t
- *              are within specified bounds.
+ * Prints an error message to stderr and calls exit(1) on failure.
  *
- *              Prints an error message to stderr and calls
- *              exit(1) if not.
- *
- * Arguments:   - file: filename
- *              - line: line number
- *              - ptr: Base of array to be checked
- *              - len: Number of int16_t in ptr
- *              - lower_bound_exclusive: Exclusive lower bound
- *              - upper_bound_exclusive: Exclusive upper bound
- **************************************************/
+ * @param[in] file                  Filename.
+ * @param     line                  Line number.
+ * @param[in] ptr                   Base of array to be checked.
+ * @param     len                   Number of int16_t in @p ptr.
+ * @param     lower_bound_exclusive Exclusive lower bound.
+ * @param     upper_bound_exclusive Exclusive upper bound.
+ */
 #define mlk_debug_check_bounds MLK_NAMESPACE(mlkem_debug_check_bounds)
 void mlk_debug_check_bounds(const char *file, int line, const int16_t *ptr,
                             unsigned len, int lower_bound_exclusive,

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/fips202/fips202.c

@@ -39,26 +39,23 @@
 #include "fips202.h"
 #include "keccakf1600.h"
 
-/*************************************************
- * Name:        mlk_keccak_absorb_once
+/**
+ * Absorb step of Keccak; non-incremental, starts by zeroeing the state.
  *
- * Description: Absorb step of Keccak;
- *              non-incremental, starts by zeroeing the state.
+ * @warning Must only be called once.
  *
- *              WARNING: Must only be called once.
- *
- * Arguments:   - uint64_t *s:       pointer to (uninitialized) output Keccak
- *                                   state
- *              - unsigned r:        rate in bytes (e.g., 168 for SHAKE128)
- *              - const uint8_t *m:  pointer to input to be absorbed into s
- *              - size_t mlen:       length of input in bytes
- *              - uint8_t p:         domain-separation byte for different
- *                                   Keccak-derived functions
- **************************************************/
+ * @param[out] s    Pointer to (uninitialized) output Keccak state.
+ * @param      r    Rate in bytes (e.g., 168 for SHAKE128).
+ * @param[in]  m    Input to be absorbed into @p s.
+ * @param      mlen Length of input in bytes.
+ * @param      p    Domain-separation byte for different Keccak-derived
+ *                  functions.
+ */
 static void mlk_keccak_absorb_once(uint64_t *s, unsigned r, const uint8_t *m,
                                    size_t mlen, uint8_t p)
 __contract__(
     requires(mlen <= MLK_MAX_BUFFER_SIZE)
+    requires(r > 0)
     requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
     requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
     requires(memory_no_alias(m, mlen))
@@ -67,7 +64,8 @@ __contract__(
   /* Initialize state */
   size_t i;
   for (i = 0; i < 25; ++i)
-  __loop__(invariant(i <= 25))
+  __loop__(invariant(i <= 25)
+           decreases(25 - i))
   {
     s[i] = 0;
   }
@@ -76,7 +74,8 @@ __contract__(
   __loop__(
     assigns(mlen, m, memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
     invariant(mlen <= loop_entry(mlen))
-    invariant(m == loop_entry(m) + (loop_entry(mlen) - mlen)))
+    invariant(m == loop_entry(m) + (loop_entry(mlen) - mlen))
+    decreases(mlen))
   {
     mlk_keccakf1600_xor_bytes(s, m, 0, r);
     mlk_keccakf1600_permute(s);
@@ -104,16 +103,14 @@ __contract__(
   }
 }
 
-/*************************************************
- * Name:        mlk_keccak_squeezeblocks
- *
- * Description: block-level Keccak squeeze
+/**
+ * Block-level Keccak squeeze.
  *
- * Arguments:   - uint8_t *h: pointer to output bytes
- *              - size_t nblocks: number of blocks to be squeezed
- *              - uint64_t *s_inc: pointer to input/output state
- *              - unsigned r: rate in bytes (e.g., 168 for SHAKE128)
- **************************************************/
+ * @param[out]    h       Output bytes.
+ * @param         nblocks Number of blocks to be squeezed.
+ * @param[in,out] s       Input/output state.
+ * @param         r       Rate in bytes (e.g., 168 for SHAKE128).
+ */
 static void mlk_keccak_squeezeblocks(uint8_t *h, size_t nblocks, uint64_t *s,
                                      unsigned r)
 __contract__(
@@ -130,7 +127,8 @@ __contract__(
       memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES),
       memory_slice(h, nblocks * r))
     invariant(nblocks <= loop_entry(nblocks) &&
-      h == loop_entry(h) + r * (loop_entry(nblocks) - nblocks)))
+      h == loop_entry(h) + r * (loop_entry(nblocks) - nblocks))
+    decreases(nblocks))
   {
     mlk_keccakf1600_permute(s);
     mlk_keccakf1600_extract_bytes(s, h, 0, r);
@@ -139,22 +137,21 @@ __contract__(
   }
 }
 
-/*************************************************
- * Name:        mlk_keccak_squeeze_once
- *
- * Description: Keccak squeeze; can be called on byte-level
+/**
+ * Keccak squeeze; can be called on byte-level.
  *
- *              WARNING: This must only be called once.
+ * @warning Must only be called once.
  *
- * Arguments:   - uint8_t *h: pointer to output bytes
- *              - size_t outlen: number of bytes to be squeezed
- *              - uint64_t *s_inc: pointer to Keccak state
- *              - unsigned r: rate in bytes (e.g., 168 for SHAKE128)
- **************************************************/
+ * @param[out]    h      Output bytes.
+ * @param         outlen Number of bytes to be squeezed.
+ * @param[in,out] s      Keccak state.
+ * @param         r      Rate in bytes (e.g., 168 for SHAKE128).
+ */
 static void mlk_keccak_squeeze_once(uint8_t *h, size_t outlen, uint64_t *s,
                                     unsigned r)
 __contract__(
     requires(outlen <= MLK_MAX_BUFFER_SIZE)
+    requires(r > 0)
     requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
     requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
     requires(memory_no_alias(h, outlen))
@@ -168,7 +165,8 @@ __contract__(
       memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES),
       memory_slice(h, outlen))
     invariant(outlen <= loop_entry(outlen) &&
-      h == loop_entry(h) + (loop_entry(outlen) - outlen)))
+      h == loop_entry(h) + (loop_entry(outlen) - outlen))
+    decreases(outlen))
   {
     mlk_keccakf1600_permute(s);
 

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/fips202/fips202.h

@@ -14,35 +14,30 @@
 #define SHA3_384_RATE 104
 #define SHA3_512_RATE 72
 
-/* Context for non-incremental API */
+/** Context for the non-incremental SHAKE128 API. */
 typedef struct
 {
-  uint64_t ctx[25];
+  uint64_t ctx[25]; /**< Keccak state. */
 } MLK_ALIGN mlk_shake128ctx;
 
 #define mlk_shake128_absorb_once MLK_NAMESPACE(shake128_absorb_once)
-/*************************************************
- * Name:        mlk_shake128_absorb_once
+/**
+ * One-shot absorb step of the SHAKE128 XOF.
  *
- * Description: One-shot absorb step of the SHAKE128 XOF.
+ * For call-sites (in mlkem-native):
+ * - This function MUST ONLY be called straight after mlk_shake128_init().
+ * - This function MUST ONLY be called once.
  *
- *              For call-sites (in mlkem-native):
- *              - This function MUST ONLY be called straight after
- *                mlk_shake128_init().
- *              - This function MUST ONLY be called once.
+ * Consequently, for providers of custom FIPS202 code to be used with
+ * mlkem-native:
+ * - You may assume that the input context is freshly initialized via
+ *   mlk_shake128_init().
+ * - You may assume that this function is called exactly once.
  *
- *              Consequently, for providers of custom FIPS202 code
- *              to be used with mlkem-native:
- *              - You may assume that the input context is
- *                freshly initialized via mlk_shake128_init().
- *              - You may assume that this function is
- *                called exactly once.
- *
- * Arguments:   - mlk_shake128ctx *state:   pointer to SHAKE128 context
- *              - const uint8_t *input: pointer to input to be absorbed into
- *                                      the state
- *              - size_t inlen:         length of input in bytes
- **************************************************/
+ * @param[in,out] state SHAKE128 context.
+ * @param[in]     input Input to be absorbed into the state.
+ * @param         inlen Length of input in bytes.
+ */
 void mlk_shake128_absorb_once(mlk_shake128ctx *state, const uint8_t *input,
                               size_t inlen)
 __contract__(
@@ -53,18 +48,15 @@ __contract__(
 );
 
 #define mlk_shake128_squeezeblocks MLK_NAMESPACE(shake128_squeezeblocks)
-/*************************************************
- * Name:        mlk_shake128_squeezeblocks
- *
- * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
- *              SHAKE128_RATE bytes each. Modifies the state. Can be called
- *              multiple times to keep squeezing, i.e., is incremental.
+/**
+ * Squeeze step of SHAKE128 XOF. Squeezes full blocks of SHAKE128_RATE bytes
+ * each. Modifies the state. Can be called multiple times to keep squeezing,
+ * i.e., is incremental.
  *
- * Arguments:   - uint8_t *output:     pointer to output blocks
- *              - size_t nblocks:      number of blocks to be squeezed (written
- *                                     to output)
- *              - mlk_shake128ctx *state:  pointer to in/output Keccak state
- **************************************************/
+ * @param[out]    output  Output blocks.
+ * @param         nblocks Number of blocks to be squeezed (written to output).
+ * @param[in,out] state   Keccak state.
+ */
 void mlk_shake128_squeezeblocks(uint8_t *output, size_t nblocks,
                                 mlk_shake128ctx *state)
 __contract__(
@@ -83,16 +75,14 @@ void mlk_shake128_release(mlk_shake128ctx *state);
 /* One-stop SHAKE256 call. Aliasing between input and
  * output is not permitted */
 #define mlk_shake256 MLK_NAMESPACE(shake256)
-/*************************************************
- * Name:        mlk_shake256
- *
- * Description: SHAKE256 XOF with non-incremental API
+/**
+ * SHAKE256 XOF with non-incremental API.
  *
- * Arguments:   - uint8_t *output:      pointer to output
- *              - size_t outlen:        requested output length in bytes
- *              - const uint8_t *input: pointer to input
- *              - size_t inlen:         length of input in bytes
- **************************************************/
+ * @param[out] output Output buffer.
+ * @param      outlen Requested output length in bytes.
+ * @param[in]  input  Input buffer.
+ * @param      inlen  Length of input in bytes.
+ */
 void mlk_shake256(uint8_t *output, size_t outlen, const uint8_t *input,
                   size_t inlen)
 __contract__(
@@ -107,15 +97,13 @@ __contract__(
  * output is not permitted */
 #define SHA3_256_HASHBYTES 32
 #define mlk_sha3_256 MLK_NAMESPACE(sha3_256)
-/*************************************************
- * Name:        mlk_sha3_256
- *
- * Description: SHA3-256 with non-incremental API
+/**
+ * SHA3-256 with non-incremental API.
  *
- * Arguments:   - uint8_t *output:      pointer to output
- *              - const uint8_t *input: pointer to input
- *              - size_t inlen:         length of input in bytes
- **************************************************/
+ * @param[out] output Output buffer.
+ * @param[in]  input  Input buffer.
+ * @param      inlen  Length of input in bytes.
+ */
 void mlk_sha3_256(uint8_t *output, const uint8_t *input, size_t inlen)
 __contract__(
   requires(inlen <= MLK_MAX_BUFFER_SIZE)
@@ -128,15 +116,13 @@ __contract__(
  * output is not permitted */
 #define SHA3_512_HASHBYTES 64
 #define mlk_sha3_512 MLK_NAMESPACE(sha3_512)
-/*************************************************
- * Name:        mlk_sha3_512
+/**
+ * SHA3-512 with non-incremental API.
  *
- * Description: SHA3-512 with non-incremental API
- *
- * Arguments:   - uint8_t *output:      pointer to output
- *              - const uint8_t *input: pointer to input
- *              - size_t inlen:         length of input in bytes
- **************************************************/
+ * @param[out] output Output buffer.
+ * @param[in]  input  Input buffer.
+ * @param      inlen  Length of input in bytes.
+ */
 void mlk_sha3_512(uint8_t *output, const uint8_t *input, size_t inlen)
 __contract__(
   requires(inlen <= MLK_MAX_BUFFER_SIZE)

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/fips202/fips202x4.c

@@ -29,6 +29,7 @@ static void mlk_keccak_absorb_once_x4(uint64_t *s, unsigned r,
 __contract__(
   requires(inlen <= MLK_MAX_BUFFER_SIZE)
   requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES * MLK_KECCAK_WAY))
+  requires(r > 0)
   requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
   requires(memory_no_alias(in0, inlen))
   requires(memory_no_alias(in1, inlen))
@@ -43,7 +44,8 @@ __contract__(
     invariant(in0 == loop_entry(in0) + (loop_entry(inlen) - inlen))
     invariant(in1 == loop_entry(in1) + (loop_entry(inlen) - inlen))
     invariant(in2 == loop_entry(in2) + (loop_entry(inlen) - inlen))
-    invariant(in3 == loop_entry(in3) + (loop_entry(inlen) - inlen)))
+    invariant(in3 == loop_entry(in3) + (loop_entry(inlen) - inlen))
+    decreases(inlen))
   {
     mlk_keccakf1600x4_xor_bytes(s, in0, in1, in2, in3, 0, r);
     mlk_keccakf1600x4_permute(s);
@@ -93,27 +95,24 @@ __contract__(
     assigns(memory_slice(out2, nblocks * r))
     assigns(memory_slice(out3, nblocks * r)))
 {
+  size_t current_offset = 0;
   while (nblocks > 0)
   __loop__(
-    assigns(out0, out1, out2, out3, nblocks,
+    assigns(nblocks, current_offset,
             memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES * MLK_KECCAK_WAY),
             memory_slice(out0, nblocks * r),
             memory_slice(out1, nblocks * r),
             memory_slice(out2, nblocks * r),
             memory_slice(out3, nblocks * r))
-    invariant(nblocks <= loop_entry(nblocks) &&
-      out0 == loop_entry(out0) + r * (loop_entry(nblocks) - nblocks) &&
-      out1 == loop_entry(out1) + r * (loop_entry(nblocks) - nblocks) &&
-      out2 == loop_entry(out2) + r * (loop_entry(nblocks) - nblocks) &&
-      out3 == loop_entry(out3) + r * (loop_entry(nblocks) - nblocks)))
+    invariant(nblocks <= loop_entry(nblocks))
+    invariant(current_offset == (loop_entry(nblocks) - nblocks) * r)
+    decreases(nblocks))
   {
     mlk_keccakf1600x4_permute(s);
-    mlk_keccakf1600x4_extract_bytes(s, out0, out1, out2, out3, 0, r);
-
-    out0 += r;
-    out1 += r;
-    out2 += r;
-    out3 += r;
+    mlk_keccakf1600x4_extract_bytes(
+        s, &out0[current_offset], &out1[current_offset], &out2[current_offset],
+        &out3[current_offset], 0, r);
+    current_offset += r;
     nblocks--;
   }
 }
@@ -163,8 +162,8 @@ static void mlk_shake256x4_squeezeblocks(uint8_t *out0, uint8_t *out1,
 }
 
 void mlk_shake256x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3,
-                    size_t outlen, uint8_t *in0, uint8_t *in1, uint8_t *in2,
-                    uint8_t *in3, size_t inlen)
+                    size_t outlen, const uint8_t *in0, const uint8_t *in1,
+                    const uint8_t *in2, const uint8_t *in3, size_t inlen)
 {
   mlk_shake256x4_ctx statex;
   size_t nblocks = outlen / SHAKE256_RATE;

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/fips202/fips202x4.h

@@ -12,10 +12,11 @@
 #include "fips202.h"
 #include "keccakf1600.h"
 
-/* Context for non-incremental API */
+/** Context for the non-incremental 4-way SHAKE128 API. */
 typedef struct
 {
-  uint64_t ctx[MLK_KECCAK_LANES * MLK_KECCAK_WAY];
+  uint64_t ctx[MLK_KECCAK_LANES *
+               MLK_KECCAK_WAY]; /**< 4-way Keccak state, stored sequentially. */
 } MLK_ALIGN mlk_shake128x4ctx;
 
 #define mlk_shake128x4_absorb_once MLK_NAMESPACE(shake128x4_absorb_once)
@@ -58,8 +59,8 @@ void mlk_shake128x4_release(mlk_shake128x4ctx *state);
 
 #define mlk_shake256x4 MLK_NAMESPACE(shake256x4)
 void mlk_shake256x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, uint8_t *out3,
-                    size_t outlen, uint8_t *in0, uint8_t *in1, uint8_t *in2,
-                    uint8_t *in3, size_t inlen)
+                    size_t outlen, const uint8_t *in0, const uint8_t *in1,
+                    const uint8_t *in2, const uint8_t *in3, size_t inlen)
 __contract__(
   requires(inlen <= MLK_MAX_BUFFER_SIZE)
   requires(outlen <= MLK_MAX_BUFFER_SIZE)

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/fips202/keccakf1600.c

@@ -31,7 +31,7 @@
 #if !defined(MLK_CONFIG_MULTILEVEL_NO_SHARED)
 
 #define MLK_KECCAK_NROUNDS 24
-#define MLK_KECCAK_ROL(a, offset) ((a << offset) ^ (a >> (64 - offset)))
+#define MLK_KECCAK_ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
 
 void mlk_keccakf1600_extract_bytes(uint64_t *state, unsigned char *data,
                                    unsigned offset, unsigned length)
@@ -40,14 +40,16 @@ void mlk_keccakf1600_extract_bytes(uint64_t *state, unsigned char *data,
 #if defined(MLK_SYS_LITTLE_ENDIAN)
   uint8_t *state_ptr = (uint8_t *)state + offset;
   for (i = 0; i < length; i++)
-  __loop__(invariant(i <= length))
+  __loop__(invariant(i <= length)
+           decreases(length - i))
   {
     data[i] = state_ptr[i];
   }
 #else  /* MLK_SYS_LITTLE_ENDIAN */
   /* Portable version */
   for (i = 0; i < length; i++)
-  __loop__(invariant(i <= length))
+  __loop__(invariant(i <= length)
+           decreases(length - i))
   {
     data[i] = (state[(offset + i) >> 3] >> (8 * ((offset + i) & 0x07))) & 0xFF;
   }
@@ -61,14 +63,16 @@ void mlk_keccakf1600_xor_bytes(uint64_t *state, const unsigned char *data,
 #if defined(MLK_SYS_LITTLE_ENDIAN)
   uint8_t *state_ptr = (uint8_t *)state + offset;
   for (i = 0; i < length; i++)
-  __loop__(invariant(i <= length))
+  __loop__(invariant(i <= length)
+           decreases(length - i))
   {
     state_ptr[i] ^= data[i];
   }
 #else  /* MLK_SYS_LITTLE_ENDIAN */
   /* Portable version */
   for (i = 0; i < length; i++)
-  __loop__(invariant(i <= length))
+  __loop__(invariant(i <= length)
+           decreases(length - i))
   {
     state[(offset + i) >> 3] ^= (uint64_t)data[i]
                                 << (8 * ((offset + i) & 0x07));
@@ -82,6 +86,19 @@ static void mlk_keccakf1600x4_extract_bytes_c(uint64_t *state,
                                               unsigned char *data2,
                                               unsigned char *data3,
                                               unsigned offset, unsigned length)
+__contract__(
+    requires(0 <= offset && offset <= MLK_KECCAK_LANES * sizeof(uint64_t) &&
+         0 <= length && length <= MLK_KECCAK_LANES * sizeof(uint64_t) - offset)
+    requires(memory_no_alias(state, sizeof(uint64_t) * MLK_KECCAK_LANES * MLK_KECCAK_WAY))
+    requires(memory_no_alias(data0, length))
+    requires(memory_no_alias(data1, length))
+    requires(memory_no_alias(data2, length))
+    requires(memory_no_alias(data3, length))
+    assigns(memory_slice(data0, length))
+    assigns(memory_slice(data1, length))
+    assigns(memory_slice(data2, length))
+    assigns(memory_slice(data3, length))
+)
 {
   mlk_keccakf1600_extract_bytes(state + MLK_KECCAK_LANES * 0, data0, offset,
                                 length);
@@ -116,6 +133,20 @@ static void mlk_keccakf1600x4_xor_bytes_c(uint64_t *state,
                                           const unsigned char *data2,
                                           const unsigned char *data3,
                                           unsigned offset, unsigned length)
+__contract__(
+    requires(0 <= offset && offset <= MLK_KECCAK_LANES * sizeof(uint64_t) &&
+         0 <= length && length <= MLK_KECCAK_LANES * sizeof(uint64_t) - offset)
+    requires(memory_no_alias(state, sizeof(uint64_t) * MLK_KECCAK_LANES * MLK_KECCAK_WAY))
+    requires(memory_no_alias(data0, length))
+    /* Case 1: all input buffers are distinct; Case 2: All input buffers are the same */
+    requires((data0 == data1 &&
+              data0 == data2 &&
+              data0 == data3) ||
+         (memory_no_alias(data1, length) &&
+              memory_no_alias(data2, length) &&
+              memory_no_alias(data3, length)))
+    assigns(memory_slice(state, sizeof(uint64_t) * MLK_KECCAK_LANES * MLK_KECCAK_WAY))
+)
 {
   mlk_keccakf1600_xor_bytes(state + MLK_KECCAK_LANES * 0, data0, offset,
                             length);
@@ -175,6 +206,10 @@ static const uint64_t mlk_KeccakF_RoundConstants[MLK_KECCAK_NROUNDS] = {
 
 MLK_STATIC_TESTABLE
 void mlk_keccakf1600_permute_c(uint64_t *state)
+__contract__(
+    requires(memory_no_alias(state, sizeof(uint64_t) * MLK_KECCAK_LANES))
+    assigns(memory_slice(state, sizeof(uint64_t) * MLK_KECCAK_LANES))
+)
 {
   unsigned round;
 
@@ -219,7 +254,8 @@ void mlk_keccakf1600_permute_c(uint64_t *state)
   Asu = state[24];
 
   for (round = 0; round < MLK_KECCAK_NROUNDS; round += 2)
-  __loop__(invariant(round <= MLK_KECCAK_NROUNDS && round % 2 == 0))
+  __loop__(invariant(round <= MLK_KECCAK_NROUNDS && round % 2 == 0)
+           decreases(MLK_KECCAK_NROUNDS - round))
   {
     /* prepareTheta */
     BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa;

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/fips202/native/aarch64/src/fips202_native_aarch64.h

@@ -10,56 +10,67 @@
 
 #define mlk_keccakf1600_round_constants \
   MLK_NAMESPACE(keccakf1600_round_constants)
-extern const uint64_t mlk_keccakf1600_round_constants[];
+MLK_INTERNAL_DATA_DECLARATION const uint64_t
+    mlk_keccakf1600_round_constants[24];
 
-#define mlk_keccak_f1600_x1_scalar_asm MLK_NAMESPACE(keccak_f1600_x1_scalar_asm)
-void mlk_keccak_f1600_x1_scalar_asm(uint64_t state[25], const uint64_t rc[24])
+#define mlk_keccak_f1600_x1_scalar_aarch64_asm \
+  MLK_NAMESPACE(keccak_f1600_x1_scalar_aarch64_asm)
+void mlk_keccak_f1600_x1_scalar_aarch64_asm(uint64_t state[25],
+                                            const uint64_t rc[24])
 /* This must be kept in sync with the HOL-Light specification
- * in proofs/hol_light/aarch64/proofs/keccak_f1600_x1_scalar.ml */
+ * in proofs/hol_light/aarch64/proofs/keccak_f1600_x1_scalar_aarch64_asm.ml */
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
   requires(rc == mlk_keccakf1600_round_constants)
   assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
 );
 
-#define mlk_keccak_f1600_x1_v84a_asm MLK_NAMESPACE(keccak_f1600_x1_v84a_asm)
-void mlk_keccak_f1600_x1_v84a_asm(uint64_t state[25], const uint64_t rc[24])
+#define mlk_keccak_f1600_x1_v84a_aarch64_asm \
+  MLK_NAMESPACE(keccak_f1600_x1_v84a_aarch64_asm)
+void mlk_keccak_f1600_x1_v84a_aarch64_asm(uint64_t state[25],
+                                          const uint64_t rc[24])
 /* This must be kept in sync with the HOL-Light specification
- * in proofs/hol_light/aarch64/proofs/keccak_f1600_x1_v84a.ml */
+ * in proofs/hol_light/aarch64/proofs/keccak_f1600_x1_v84a_aarch64_asm.ml */
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
   requires(rc == mlk_keccakf1600_round_constants)
   assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
 );
 
-#define mlk_keccak_f1600_x2_v84a_asm MLK_NAMESPACE(keccak_f1600_x2_v84a_asm)
-void mlk_keccak_f1600_x2_v84a_asm(uint64_t state[50], const uint64_t rc[24])
+#define mlk_keccak_f1600_x2_v84a_aarch64_asm \
+  MLK_NAMESPACE(keccak_f1600_x2_v84a_aarch64_asm)
+void mlk_keccak_f1600_x2_v84a_aarch64_asm(uint64_t state[50],
+                                          const uint64_t rc[24])
 /* This must be kept in sync with the HOL-Light specification
- * in proofs/hol_light/aarch64/proofs/keccak_f1600_x2_v84a.ml */
+ * in proofs/hol_light/aarch64/proofs/keccak_f1600_x2_v84a_aarch64_asm.ml */
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 2))
   requires(rc == mlk_keccakf1600_round_constants)
   assigns(memory_slice(state, sizeof(uint64_t) * 25 * 2))
 );
 
-#define mlk_keccak_f1600_x4_v8a_scalar_hybrid_asm \
-  MLK_NAMESPACE(keccak_f1600_x4_v8a_scalar_hybrid_asm)
-void mlk_keccak_f1600_x4_v8a_scalar_hybrid_asm(uint64_t state[100],
-                                               const uint64_t rc[24])
+#define mlk_keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm \
+  MLK_NAMESPACE(keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm)
+void mlk_keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm(uint64_t state[100],
+                                                       const uint64_t rc[24])
 /* This must be kept in sync with the HOL-Light specification
- * in proofs/hol_light/aarch64/proofs/keccak_f1600_x4_v8a_scalar.ml */
+ * in
+ * proofs/hol_light/aarch64/proofs/keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm.ml
+ */
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
   requires(rc == mlk_keccakf1600_round_constants)
   assigns(memory_slice(state, sizeof(uint64_t) * 25 * 4))
 );
 
-#define mlk_keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm \
-  MLK_NAMESPACE(keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm)
-void mlk_keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm(uint64_t state[100],
-                                                    const uint64_t rc[24])
+#define mlk_keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm \
+  MLK_NAMESPACE(keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm)
+void mlk_keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm(
+    uint64_t state[100], const uint64_t rc[24])
 /* This must be kept in sync with the HOL-Light specification
- * in proofs/hol_light/aarch64/proofs/keccak_f1600_x4_v8a_v84a_scalar.ml */
+ * in
+ * proofs/hol_light/aarch64/proofs/keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm.ml
+ */
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
   requires(rc == mlk_keccakf1600_round_constants)