xref: /freebsd/crypto/openssh/libcrux_mlkem768_sha3.h (revision 24e4dcf4ba5e9dedcf89efd358ea3e1fe5867020) 
1 /*  $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
2 
3 /* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
4 
5 /*
6  * MIT License
7  *
8  * Copyright (c) 2024 Cryspen
9  *
10  * Permission is hereby granted, free of charge, to any person obtaining a copy
11  * of this software and associated documentation files (the "Software"), to deal
12  * in the Software without restriction, including without limitation the rights
13  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
14  * copies of the Software, and to permit persons to whom the Software is
15  * furnished to do so, subject to the following conditions:
16  *
17  * The above copyright notice and this permission notice shall be included in all
18  * copies or substantial portions of the Software.
19  *
20  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
21  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
22  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
23  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
24  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
25  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
26  * SOFTWARE.
27  */
28 
29 #if !defined(__GNUC__) || (__GNUC__ < 2)
30 # define __attribute__(x)
31 #endif
32 #define KRML_MUSTINLINE inline
33 #define KRML_NOINLINE __attribute__((noinline, unused))
34 #define KRML_HOST_EPRINTF(...)
35 #define KRML_HOST_EXIT(x) fatal_f("internal error")
36 
37 /* from libcrux/libcrux-ml-kem/cg/eurydice_glue.h */
38 /*
39  * SPDX-FileCopyrightText: 2024 Eurydice Contributors
40  * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
41  *
42  * SPDX-License-Identifier: MIT or Apache-2.0
43  */
44 
45 #pragma once
46 
47 #if defined(__cplusplus)
48 extern "C" {
49 #endif
50 
51 
52 
53 // SLICES, ARRAYS, ETC.
54 
55 // The MSVC C++ compiler does not support compound literals.
56 // This CLITERAL is used to turn `(type){...}` into `type{...}` when using a C++
57 // compiler.
58 #if defined(__cplusplus)
59 #define CLITERAL(type) type
60 #else
61 #define CLITERAL(type) (type)
62 #endif
63 
64 // We represent a slice as a pair of an (untyped) pointer, along with the length
65 // of the slice, i.e. the number of elements in the slice (this is NOT the
66 // number of bytes). This design choice has two important consequences.
67 // - if you need to use `ptr`, you MUST cast it to a proper type *before*
68 // performing pointer
69 //   arithmetic on it (remember that C desugars pointer arithmetic based on the
70 //   type of the address)
71 // - if you need to use `len` for a C style function (e.g. memcpy, memcmp), you
72 // need to multiply it
73 //   by sizeof t, where t is the type of the elements.
74 //
75 // Empty slices have `len == 0` and `ptr` always needs to be valid pointer that
76 // is not NULL (otherwise the construction in EURYDICE_SLICE computes `NULL +
77 // start`).
78 typedef struct {
79   void *ptr;
80   size_t len;
81 } Eurydice_slice;
82 
83 // Helper macro to create a slice out of a pointer x, a start index in x
84 // (included), and an end index in x (excluded). The argument x must be suitably
85 // cast to something that can decay (see remark above about how pointer
86 // arithmetic works in C), meaning either pointer or array type.
87 #define EURYDICE_SLICE(x, start, end) \
88   (CLITERAL(Eurydice_slice){.ptr = (void *)(x + start), .len = end - start})
89 #define EURYDICE_SLICE_LEN(s, _) s.len
90 // This macro is a pain because in case the dereferenced element type is an
91 // array, you cannot simply write `t x` as it would yield `int[4] x` instead,
92 // which is NOT correct C syntax, so we add a dedicated phase in Eurydice that
93 // adds an extra argument to this macro at the last minute so that we have the
94 // correct type of *pointers* to elements.
95 #define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
96 #define Eurydice_slice_subslice(s, r, t, _) \
97   EURYDICE_SLICE((t *)s.ptr, r.start, r.end)
98 // Variant for when the start and end indices are statically known (i.e., the
99 // range argument `r` is a literal).
100 #define Eurydice_slice_subslice2(s, start, end, t) \
101   EURYDICE_SLICE((t *)s.ptr, start, end)
102 #define Eurydice_slice_subslice_to(s, subslice_end_pos, t, _) \
103   EURYDICE_SLICE((t *)s.ptr, 0, subslice_end_pos)
104 #define Eurydice_slice_subslice_from(s, subslice_start_pos, t, _) \
105   EURYDICE_SLICE((t *)s.ptr, subslice_start_pos, s.len)
106 #define Eurydice_array_to_slice(end, x, t) \
107   EURYDICE_SLICE(x, 0,                     \
108                  end) /* x is already at an array type, no need for cast */
109 #define Eurydice_array_to_subslice(_arraylen, x, r, t, _) \
110   EURYDICE_SLICE((t *)x, r.start, r.end)
111 // Same as above, variant for when start and end are statically known
112 #define Eurydice_array_to_subslice2(x, start, end, t) \
113   EURYDICE_SLICE((t *)x, start, end)
114 #define Eurydice_array_to_subslice_to(_size, x, r, t, _range_t) \
115   EURYDICE_SLICE((t *)x, 0, r)
116 #define Eurydice_array_to_subslice_from(size, x, r, t, _range_t) \
117   EURYDICE_SLICE((t *)x, r, size)
118 #define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
119 #define Eurydice_slice_copy(dst, src, t) \
120   memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
121 #define core_array___Array_T__N__23__as_slice(len_, ptr_, t, _ret_t) \
122   ((Eurydice_slice){.ptr = ptr_, .len = len_})
123 
124 #define core_array___core__clone__Clone_for__Array_T__N___20__clone( \
125     len, src, dst, elem_type, _ret_t)                                \
126   (memcpy(dst, src, len * sizeof(elem_type)))
127 #define TryFromSliceError uint8_t
128 
129 #define Eurydice_array_eq(sz, a1, a2, t, _) \
130   (memcmp(a1, a2, sz * sizeof(t)) == 0)
131 #define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( \
132     sz, a1, a2, t, _, _ret_t)                                                           \
133   Eurydice_array_eq(sz, a1, a2, t, _)
134 #define core_array_equality___core__cmp__PartialEq__0___Slice_U____for__Array_T__N___3__eq( \
135     sz, a1, a2, t, _, _ret_t)                                                               \
136   Eurydice_array_eq(sz, a1, ((a2)->ptr), t, _)
137 
138 #define Eurydice_slice_split_at(slice, mid, element_type, ret_t) \
139   (CLITERAL(ret_t){                                              \
140       .fst = EURYDICE_SLICE((element_type *)slice.ptr, 0, mid),  \
141       .snd = EURYDICE_SLICE((element_type *)slice.ptr, mid, slice.len)})
142 #define Eurydice_slice_split_at_mut(slice, mid, element_type, ret_t) \
143   (CLITERAL(ret_t){                                                  \
144       .fst = {.ptr = slice.ptr, .len = mid},                         \
145       .snd = {.ptr = (char *)slice.ptr + mid * sizeof(element_type), \
146               .len = slice.len - mid}})
147 
148 // Conversion of slice to an array, rewritten (by Eurydice) to name the
149 // destination array, since arrays are not values in C.
150 // N.B.: see note in karamel/lib/Inlining.ml if you change this.
151 #define Eurydice_slice_to_array2(dst, src, _, t_arr)                      \
152   Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
153                            sizeof(t_arr))
154 
155 static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
156                                             Eurydice_slice src, size_t sz) {
157   *dst_tag = 0;
158   memcpy(dst_ok, src.ptr, sz);
159 }
160 
161 // CORE STUFF (conversions, endianness, ...)
162 
163 static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
164   v = htole64(v);
165   memcpy(buf, &v, sizeof(v));
166 }
167 static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
168   uint64_t v;
169   memcpy(&v, buf, sizeof(v));
170   return le64toh(v);
171 }
172 
173 static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
174   uint32_t v;
175   memcpy(&v, buf, sizeof(v));
176   return le32toh(v);
177 }
178 
179 static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
180 #if defined(_MSC_VER)
181   return __popcnt(x0);
182 #elif !defined(MISSING_BUILTIN_POPCOUNT)
183   return __builtin_popcount(x0);
184 #else
185   const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 };
186   return v[x0 & 0xf] + v[(x0 >> 4) & 0xf];
187 
188 #endif
189 }
190 
191 // unsigned overflow wraparound semantics in C
192 static inline uint16_t core_num__u16_7__wrapping_add(uint16_t x, uint16_t y) {
193   return x + y;
194 }
195 static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) {
196   return x - y;
197 }
198 
199 // ITERATORS
200 
201 #define Eurydice_range_iter_next(iter_ptr, t, ret_t) \
202   (((iter_ptr)->start == (iter_ptr)->end)            \
203        ? (CLITERAL(ret_t){.tag = None})              \
204        : (CLITERAL(ret_t){.tag = Some, .f0 = (iter_ptr)->start++}))
205 
206 #define core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next \
207   Eurydice_range_iter_next
208 
209 // See note in karamel/lib/Inlining.ml if you change this
210 #define Eurydice_into_iter(x, t, _ret_t) (x)
211 #define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter \
212   Eurydice_into_iter
213 
214 #if defined(__cplusplus)
215 }
216 #endif
217 
218 /* from libcrux/libcrux-ml-kem/cg/libcrux_core.h */
219 /*
220  * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
221  *
222  * SPDX-License-Identifier: MIT or Apache-2.0
223  *
224  * This code was generated with the following revisions:
225  * Charon: 6b5e110342a771a3e1c739b10294b1778e4be8b4
226  * Eurydice: 31be7d65ca5d6acdacfb33652e478d24dd85c1cb
227  * Karamel: 3205d3365ea2790b02368f79fcee38e38d0b5908
228  * F*: a32b316e521fa4f239b610ec8f1d15e78d62cbe8-dirty
229  * Libcrux: 4ad532b206174114dd4140b718e7794a28fc59ee
230  */
231 
232 #ifndef __libcrux_core_H
233 #define __libcrux_core_H
234 
235 #if defined(__cplusplus)
236 extern "C" {
237 #endif
238 
239 
240 /**
241 A monomorphic instance of core.ops.range.Range
242 with types size_t
243 
244 */
245 typedef struct core_ops_range_Range_b3_s {
246   size_t start;
247   size_t end;
248 } core_ops_range_Range_b3;
249 
250 #define Ok 0
251 #define Err 1
252 
253 typedef uint8_t Result_86_tags;
254 
255 #define None 0
256 #define Some 1
257 
258 typedef uint8_t Option_ef_tags;
259 
260 /**
261 A monomorphic instance of core.option.Option
262 with types size_t
263 
264 */
265 typedef struct Option_b3_s {
266   Option_ef_tags tag;
267   size_t f0;
268 } Option_b3;
269 
270 static inline uint16_t core_num__u16_7__wrapping_add(uint16_t x0, uint16_t x1);
271 
272 #define CORE_NUM__U32_8__BITS (32U)
273 
274 static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t x0[8U]);
275 
276 static inline void core_num__u64_9__to_le_bytes(uint64_t x0, uint8_t x1[8U]);
277 
278 static inline uint32_t core_num__u8_6__count_ones(uint8_t x0);
279 
280 static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x0, uint8_t x1);
281 
282 #define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U)
283 
284 #define LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT ((size_t)12U)
285 
286 #define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)
287 
288 #define LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT \
289   (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)12U)
290 
291 #define LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT \
292   (LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U)
293 
294 #define LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE ((size_t)32U)
295 
296 #define LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE ((size_t)32U)
297 
298 typedef struct libcrux_ml_kem_utils_extraction_helper_Keypair768_s {
299   uint8_t fst[1152U];
300   uint8_t snd[1184U];
301 } libcrux_ml_kem_utils_extraction_helper_Keypair768;
302 
303 /**
304 A monomorphic instance of core.result.Result
305 with types uint8_t[24size_t], core_array_TryFromSliceError
306 
307 */
308 typedef struct Result_6f_s {
309   Result_86_tags tag;
310   union {
311     uint8_t case_Ok[24U];
312     TryFromSliceError case_Err;
313   } val;
314 } Result_6f;
315 
316 /**
317 This function found in impl {core::result::Result<T, E>}
318 */
319 /**
320 A monomorphic instance of core.result.unwrap_41
321 with types uint8_t[24size_t], core_array_TryFromSliceError
322 
323 */
324 static inline void unwrap_41_1c(Result_6f self, uint8_t ret[24U]) {
325   if (self.tag == Ok) {
326     uint8_t f0[24U];
327     memcpy(f0, self.val.case_Ok, (size_t)24U * sizeof(uint8_t));
328     memcpy(ret, f0, (size_t)24U * sizeof(uint8_t));
329   } else {
330     KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
331                       "unwrap not Ok");
332     KRML_HOST_EXIT(255U);
333   }
334 }
335 
336 /**
337 A monomorphic instance of core.result.Result
338 with types uint8_t[20size_t], core_array_TryFromSliceError
339 
340 */
341 typedef struct Result_7a_s {
342   Result_86_tags tag;
343   union {
344     uint8_t case_Ok[20U];
345     TryFromSliceError case_Err;
346   } val;
347 } Result_7a;
348 
349 /**
350 This function found in impl {core::result::Result<T, E>}
351 */
352 /**
353 A monomorphic instance of core.result.unwrap_41
354 with types uint8_t[20size_t], core_array_TryFromSliceError
355 
356 */
357 static inline void unwrap_41_34(Result_7a self, uint8_t ret[20U]) {
358   if (self.tag == Ok) {
359     uint8_t f0[20U];
360     memcpy(f0, self.val.case_Ok, (size_t)20U * sizeof(uint8_t));
361     memcpy(ret, f0, (size_t)20U * sizeof(uint8_t));
362   } else {
363     KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
364                       "unwrap not Ok");
365     KRML_HOST_EXIT(255U);
366   }
367 }
368 
369 /**
370 A monomorphic instance of core.result.Result
371 with types uint8_t[10size_t], core_array_TryFromSliceError
372 
373 */
374 typedef struct Result_cd_s {
375   Result_86_tags tag;
376   union {
377     uint8_t case_Ok[10U];
378     TryFromSliceError case_Err;
379   } val;
380 } Result_cd;
381 
382 /**
383 This function found in impl {core::result::Result<T, E>}
384 */
385 /**
386 A monomorphic instance of core.result.unwrap_41
387 with types uint8_t[10size_t], core_array_TryFromSliceError
388 
389 */
390 static inline void unwrap_41_e8(Result_cd self, uint8_t ret[10U]) {
391   if (self.tag == Ok) {
392     uint8_t f0[10U];
393     memcpy(f0, self.val.case_Ok, (size_t)10U * sizeof(uint8_t));
394     memcpy(ret, f0, (size_t)10U * sizeof(uint8_t));
395   } else {
396     KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
397                       "unwrap not Ok");
398     KRML_HOST_EXIT(255U);
399   }
400 }
401 
402 typedef struct Eurydice_slice_uint8_t_4size_t__x2_s {
403   Eurydice_slice fst[4U];
404   Eurydice_slice snd[4U];
405 } Eurydice_slice_uint8_t_4size_t__x2;
406 
407 typedef struct libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s {
408   uint8_t value[1088U];
409 } libcrux_ml_kem_mlkem768_MlKem768Ciphertext;
410 
411 /**
412  A reference to the raw byte slice.
413 */
414 /**
415 This function found in impl {libcrux_ml_kem::types::MlKemCiphertext<SIZE>#6}
416 */
417 /**
418 A monomorphic instance of libcrux_ml_kem.types.as_slice_d4
419 with const generics
420 - SIZE= 1088
421 */
422 static inline uint8_t *libcrux_ml_kem_types_as_slice_d4_1d(
423     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) {
424   return self->value;
425 }
426 
427 /**
428 A monomorphic instance of libcrux_ml_kem.types.MlKemPublicKey
429 with const generics
430 - $1184size_t
431 */
432 typedef struct libcrux_ml_kem_types_MlKemPublicKey_15_s {
433   uint8_t value[1184U];
434 } libcrux_ml_kem_types_MlKemPublicKey_15;
435 
436 /**
437 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
438 libcrux_ml_kem::types::MlKemPublicKey<SIZE>)#14}
439 */
440 /**
441 A monomorphic instance of libcrux_ml_kem.types.from_b6
442 with const generics
443 - SIZE= 1184
444 */
445 static inline libcrux_ml_kem_types_MlKemPublicKey_15
446 libcrux_ml_kem_types_from_b6_da(uint8_t value[1184U]) {
447   /* Passing arrays by value in Rust generates a copy in C */
448   uint8_t copy_of_value[1184U];
449   memcpy(copy_of_value, value, (size_t)1184U * sizeof(uint8_t));
450   libcrux_ml_kem_types_MlKemPublicKey_15 lit;
451   memcpy(lit.value, copy_of_value, (size_t)1184U * sizeof(uint8_t));
452   return lit;
453 }
454 
455 /**
456 A monomorphic instance of libcrux_ml_kem.types.MlKemPrivateKey
457 with const generics
458 - $2400size_t
459 */
460 typedef struct libcrux_ml_kem_types_MlKemPrivateKey_55_s {
461   uint8_t value[2400U];
462 } libcrux_ml_kem_types_MlKemPrivateKey_55;
463 
464 typedef struct libcrux_ml_kem_mlkem768_MlKem768KeyPair_s {
465   libcrux_ml_kem_types_MlKemPrivateKey_55 sk;
466   libcrux_ml_kem_types_MlKemPublicKey_15 pk;
467 } libcrux_ml_kem_mlkem768_MlKem768KeyPair;
468 
469 /**
470  Create a new [`MlKemKeyPair`] from the secret and public key.
471 */
472 /**
473 This function found in impl
474 {libcrux_ml_kem::types::MlKemKeyPair<PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE>}
475 */
476 /**
477 A monomorphic instance of libcrux_ml_kem.types.from_17
478 with const generics
479 - PRIVATE_KEY_SIZE= 2400
480 - PUBLIC_KEY_SIZE= 1184
481 */
482 static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair
483 libcrux_ml_kem_types_from_17_35(libcrux_ml_kem_types_MlKemPrivateKey_55 sk,
484                                 libcrux_ml_kem_types_MlKemPublicKey_15 pk) {
485   return (
486       CLITERAL(libcrux_ml_kem_mlkem768_MlKem768KeyPair){.sk = sk, .pk = pk});
487 }
488 
489 /**
490 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
491 libcrux_ml_kem::types::MlKemPrivateKey<SIZE>)#8}
492 */
493 /**
494 A monomorphic instance of libcrux_ml_kem.types.from_05
495 with const generics
496 - SIZE= 2400
497 */
498 static inline libcrux_ml_kem_types_MlKemPrivateKey_55
499 libcrux_ml_kem_types_from_05_f2(uint8_t value[2400U]) {
500   /* Passing arrays by value in Rust generates a copy in C */
501   uint8_t copy_of_value[2400U];
502   memcpy(copy_of_value, value, (size_t)2400U * sizeof(uint8_t));
503   libcrux_ml_kem_types_MlKemPrivateKey_55 lit;
504   memcpy(lit.value, copy_of_value, (size_t)2400U * sizeof(uint8_t));
505   return lit;
506 }
507 
508 /**
509 A monomorphic instance of core.result.Result
510 with types uint8_t[32size_t], core_array_TryFromSliceError
511 
512 */
513 typedef struct Result_00_s {
514   Result_86_tags tag;
515   union {
516     uint8_t case_Ok[32U];
517     TryFromSliceError case_Err;
518   } val;
519 } Result_00;
520 
521 /**
522 This function found in impl {core::result::Result<T, E>}
523 */
524 /**
525 A monomorphic instance of core.result.unwrap_41
526 with types uint8_t[32size_t], core_array_TryFromSliceError
527 
528 */
529 static inline void unwrap_41_83(Result_00 self, uint8_t ret[32U]) {
530   if (self.tag == Ok) {
531     uint8_t f0[32U];
532     memcpy(f0, self.val.case_Ok, (size_t)32U * sizeof(uint8_t));
533     memcpy(ret, f0, (size_t)32U * sizeof(uint8_t));
534   } else {
535     KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
536                       "unwrap not Ok");
537     KRML_HOST_EXIT(255U);
538   }
539 }
540 
541 /**
542 A monomorphic instance of K.
543 with types libcrux_ml_kem_types_MlKemCiphertext[[$1088size_t]],
544 uint8_t[32size_t]
545 
546 */
547 typedef struct tuple_3c_s {
548   libcrux_ml_kem_mlkem768_MlKem768Ciphertext fst;
549   uint8_t snd[32U];
550 } tuple_3c;
551 
552 /**
553 This function found in impl {(core::convert::From<@Array<u8, SIZE>> for
554 libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#2}
555 */
556 /**
557 A monomorphic instance of libcrux_ml_kem.types.from_01
558 with const generics
559 - SIZE= 1088
560 */
561 static inline libcrux_ml_kem_mlkem768_MlKem768Ciphertext
562 libcrux_ml_kem_types_from_01_9f(uint8_t value[1088U]) {
563   /* Passing arrays by value in Rust generates a copy in C */
564   uint8_t copy_of_value[1088U];
565   memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t));
566   libcrux_ml_kem_mlkem768_MlKem768Ciphertext lit;
567   memcpy(lit.value, copy_of_value, (size_t)1088U * sizeof(uint8_t));
568   return lit;
569 }
570 
571 /**
572  A reference to the raw byte slice.
573 */
574 /**
575 This function found in impl {libcrux_ml_kem::types::MlKemPublicKey<SIZE>#18}
576 */
577 /**
578 A monomorphic instance of libcrux_ml_kem.types.as_slice_cb
579 with const generics
580 - SIZE= 1184
581 */
582 static inline uint8_t *libcrux_ml_kem_types_as_slice_cb_50(
583     libcrux_ml_kem_types_MlKemPublicKey_15 *self) {
584   return self->value;
585 }
586 
587 /**
588  Pad the `slice` with `0`s at the end.
589 */
590 /**
591 A monomorphic instance of libcrux_ml_kem.utils.into_padded_array
592 with const generics
593 - LEN= 33
594 */
595 static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_ea2(
596     Eurydice_slice slice, uint8_t ret[33U]) {
597   uint8_t out[33U] = {0U};
598   uint8_t *uu____0 = out;
599   Eurydice_slice_copy(
600       Eurydice_array_to_subslice2(uu____0, (size_t)0U,
601                                   Eurydice_slice_len(slice, uint8_t), uint8_t),
602       slice, uint8_t);
603   memcpy(ret, out, (size_t)33U * sizeof(uint8_t));
604 }
605 
606 /**
607  Pad the `slice` with `0`s at the end.
608 */
609 /**
610 A monomorphic instance of libcrux_ml_kem.utils.into_padded_array
611 with const generics
612 - LEN= 34
613 */
614 static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_ea1(
615     Eurydice_slice slice, uint8_t ret[34U]) {
616   uint8_t out[34U] = {0U};
617   uint8_t *uu____0 = out;
618   Eurydice_slice_copy(
619       Eurydice_array_to_subslice2(uu____0, (size_t)0U,
620                                   Eurydice_slice_len(slice, uint8_t), uint8_t),
621       slice, uint8_t);
622   memcpy(ret, out, (size_t)34U * sizeof(uint8_t));
623 }
624 
625 /**
626 This function found in impl {(core::convert::AsRef<@Slice<u8>> for
627 libcrux_ml_kem::types::MlKemCiphertext<SIZE>)#1}
628 */
629 /**
630 A monomorphic instance of libcrux_ml_kem.types.as_ref_00
631 with const generics
632 - SIZE= 1088
633 */
634 static inline Eurydice_slice libcrux_ml_kem_types_as_ref_00_24(
635     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) {
636   return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t);
637 }
638 
639 /**
640  Pad the `slice` with `0`s at the end.
641 */
642 /**
643 A monomorphic instance of libcrux_ml_kem.utils.into_padded_array
644 with const generics
645 - LEN= 1120
646 */
647 static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_ea0(
648     Eurydice_slice slice, uint8_t ret[1120U]) {
649   uint8_t out[1120U] = {0U};
650   uint8_t *uu____0 = out;
651   Eurydice_slice_copy(
652       Eurydice_array_to_subslice2(uu____0, (size_t)0U,
653                                   Eurydice_slice_len(slice, uint8_t), uint8_t),
654       slice, uint8_t);
655   memcpy(ret, out, (size_t)1120U * sizeof(uint8_t));
656 }
657 
658 /**
659  Pad the `slice` with `0`s at the end.
660 */
661 /**
662 A monomorphic instance of libcrux_ml_kem.utils.into_padded_array
663 with const generics
664 - LEN= 64
665 */
666 static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_ea(
667     Eurydice_slice slice, uint8_t ret[64U]) {
668   uint8_t out[64U] = {0U};
669   uint8_t *uu____0 = out;
670   Eurydice_slice_copy(
671       Eurydice_array_to_subslice2(uu____0, (size_t)0U,
672                                   Eurydice_slice_len(slice, uint8_t), uint8_t),
673       slice, uint8_t);
674   memcpy(ret, out, (size_t)64U * sizeof(uint8_t));
675 }
676 
677 /**
678 A monomorphic instance of core.result.Result
679 with types int16_t[16size_t], core_array_TryFromSliceError
680 
681 */
682 typedef struct Result_c0_s {
683   Result_86_tags tag;
684   union {
685     int16_t case_Ok[16U];
686     TryFromSliceError case_Err;
687   } val;
688 } Result_c0;
689 
690 /**
691 This function found in impl {core::result::Result<T, E>}
692 */
693 /**
694 A monomorphic instance of core.result.unwrap_41
695 with types int16_t[16size_t], core_array_TryFromSliceError
696 
697 */
698 static inline void unwrap_41_f9(Result_c0 self, int16_t ret[16U]) {
699   if (self.tag == Ok) {
700     int16_t f0[16U];
701     memcpy(f0, self.val.case_Ok, (size_t)16U * sizeof(int16_t));
702     memcpy(ret, f0, (size_t)16U * sizeof(int16_t));
703   } else {
704     KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
705                       "unwrap not Ok");
706     KRML_HOST_EXIT(255U);
707   }
708 }
709 
710 /**
711 A monomorphic instance of core.result.Result
712 with types uint8_t[8size_t], core_array_TryFromSliceError
713 
714 */
715 typedef struct Result_56_s {
716   Result_86_tags tag;
717   union {
718     uint8_t case_Ok[8U];
719     TryFromSliceError case_Err;
720   } val;
721 } Result_56;
722 
723 /**
724 This function found in impl {core::result::Result<T, E>}
725 */
726 /**
727 A monomorphic instance of core.result.unwrap_41
728 with types uint8_t[8size_t], core_array_TryFromSliceError
729 
730 */
731 static inline void unwrap_41_ac(Result_56 self, uint8_t ret[8U]) {
732   if (self.tag == Ok) {
733     uint8_t f0[8U];
734     memcpy(f0, self.val.case_Ok, (size_t)8U * sizeof(uint8_t));
735     memcpy(ret, f0, (size_t)8U * sizeof(uint8_t));
736   } else {
737     KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
738                       "unwrap not Ok");
739     KRML_HOST_EXIT(255U);
740   }
741 }
742 
743 typedef struct Eurydice_slice_uint8_t_x2_s {
744   Eurydice_slice fst;
745   Eurydice_slice snd;
746 } Eurydice_slice_uint8_t_x2;
747 
748 typedef struct Eurydice_slice_uint8_t_1size_t__x2_s {
749   Eurydice_slice fst[1U];
750   Eurydice_slice snd[1U];
751 } Eurydice_slice_uint8_t_1size_t__x2;
752 
753 #if defined(__cplusplus)
754 }
755 #endif
756 
757 #define __libcrux_core_H_DEFINED
758 #endif
759 
760 /* from libcrux/libcrux-ml-kem/cg/libcrux_ct_ops.h */
761 /*
762  * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
763  *
764  * SPDX-License-Identifier: MIT or Apache-2.0
765  *
766  * This code was generated with the following revisions:
767  * Charon: 6b5e110342a771a3e1c739b10294b1778e4be8b4
768  * Eurydice: 31be7d65ca5d6acdacfb33652e478d24dd85c1cb
769  * Karamel: 3205d3365ea2790b02368f79fcee38e38d0b5908
770  * F*: a32b316e521fa4f239b610ec8f1d15e78d62cbe8-dirty
771  * Libcrux: 4ad532b206174114dd4140b718e7794a28fc59ee
772  */
773 
774 #ifndef __libcrux_ct_ops_H
775 #define __libcrux_ct_ops_H
776 
777 #if defined(__cplusplus)
778 extern "C" {
779 #endif
780 
781 
782 /**
783  Return 1 if `value` is not zero and 0 otherwise.
784 */
785 static inline uint8_t libcrux_ml_kem_constant_time_ops_inz(uint8_t value) {
786   uint16_t value0 = (uint16_t)value;
787   uint16_t result = (((uint32_t)value0 |
788                       (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) &
789                      0xFFFFU) >>
790                         8U &
791                     1U;
792   return (uint8_t)result;
793 }
794 
795 static KRML_NOINLINE uint8_t
796 libcrux_ml_kem_constant_time_ops_is_non_zero(uint8_t value) {
797   return libcrux_ml_kem_constant_time_ops_inz(value);
798 }
799 
800 /**
801  Return 1 if the bytes of `lhs` and `rhs` do not exactly
802  match and 0 otherwise.
803 */
804 static inline uint8_t libcrux_ml_kem_constant_time_ops_compare(
805     Eurydice_slice lhs, Eurydice_slice rhs) {
806   uint8_t r = 0U;
807   for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) {
808     size_t i0 = i;
809     r = (uint32_t)r |
810         ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^
811          (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *));
812   }
813   return libcrux_ml_kem_constant_time_ops_is_non_zero(r);
814 }
815 
816 static KRML_NOINLINE uint8_t
817 libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time(
818     Eurydice_slice lhs, Eurydice_slice rhs) {
819   return libcrux_ml_kem_constant_time_ops_compare(lhs, rhs);
820 }
821 
822 /**
823  If `selector` is not zero, return the bytes in `rhs`; return the bytes in
824  `lhs` otherwise.
825 */
826 static inline void libcrux_ml_kem_constant_time_ops_select_ct(
827     Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector,
828     uint8_t ret[32U]) {
829   uint8_t mask = core_num__u8_6__wrapping_sub(
830       libcrux_ml_kem_constant_time_ops_is_non_zero(selector), 1U);
831   uint8_t out[32U] = {0U};
832   for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE;
833        i++) {
834     size_t i0 = i;
835     out[i0] = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) &
836                (uint32_t)mask) |
837               ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) &
838                (uint32_t)~mask);
839   }
840   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
841 }
842 
843 static KRML_NOINLINE void
844 libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time(
845     Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector,
846     uint8_t ret[32U]) {
847   libcrux_ml_kem_constant_time_ops_select_ct(lhs, rhs, selector, ret);
848 }
849 
850 static inline void
851 libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
852     Eurydice_slice lhs_c, Eurydice_slice rhs_c, Eurydice_slice lhs_s,
853     Eurydice_slice rhs_s, uint8_t ret[32U]) {
854   uint8_t selector =
855       libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time(
856           lhs_c, rhs_c);
857   uint8_t ret0[32U];
858   libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time(
859       lhs_s, rhs_s, selector, ret0);
860   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
861 }
862 
863 #if defined(__cplusplus)
864 }
865 #endif
866 
867 #define __libcrux_ct_ops_H_DEFINED
868 #endif
869 
870 /* from libcrux/libcrux-ml-kem/cg/libcrux_sha3_portable.h */
871 /*
872  * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
873  *
874  * SPDX-License-Identifier: MIT or Apache-2.0
875  *
876  * This code was generated with the following revisions:
877  * Charon: 6b5e110342a771a3e1c739b10294b1778e4be8b4
878  * Eurydice: 31be7d65ca5d6acdacfb33652e478d24dd85c1cb
879  * Karamel: 3205d3365ea2790b02368f79fcee38e38d0b5908
880  * F*: a32b316e521fa4f239b610ec8f1d15e78d62cbe8-dirty
881  * Libcrux: 4ad532b206174114dd4140b718e7794a28fc59ee
882  */
883 
884 #ifndef __libcrux_sha3_portable_H
885 #define __libcrux_sha3_portable_H
886 
887 #if defined(__cplusplus)
888 extern "C" {
889 #endif
890 
891 
892 static const uint64_t libcrux_sha3_generic_keccak_ROUNDCONSTANTS[24U] = {
893     1ULL,
894     32898ULL,
895     9223372036854808714ULL,
896     9223372039002292224ULL,
897     32907ULL,
898     2147483649ULL,
899     9223372039002292353ULL,
900     9223372036854808585ULL,
901     138ULL,
902     136ULL,
903     2147516425ULL,
904     2147483658ULL,
905     2147516555ULL,
906     9223372036854775947ULL,
907     9223372036854808713ULL,
908     9223372036854808579ULL,
909     9223372036854808578ULL,
910     9223372036854775936ULL,
911     32778ULL,
912     9223372039002259466ULL,
913     9223372039002292353ULL,
914     9223372036854808704ULL,
915     2147483649ULL,
916     9223372039002292232ULL};
917 
918 /**
919 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
920 usize> for u64)}
921 */
922 static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_zero_5a(void) {
923   return 0ULL;
924 }
925 
926 static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak__veor5q_u64(
927     uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e) {
928   uint64_t ab = a ^ b;
929   uint64_t cd = c ^ d;
930   uint64_t abcd = ab ^ cd;
931   return abcd ^ e;
932 }
933 
934 /**
935 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
936 usize> for u64)}
937 */
938 static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_xor5_5a(
939     uint64_t a, uint64_t b, uint64_t c, uint64_t d, uint64_t e) {
940   return libcrux_sha3_portable_keccak__veor5q_u64(a, b, c, d, e);
941 }
942 
943 /**
944 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
945 with const generics
946 - LEFT= 1
947 - RIGHT= 63
948 */
949 static KRML_MUSTINLINE uint64_t
950 libcrux_sha3_portable_keccak_rotate_left_cb(uint64_t x) {
951   return x << (uint32_t)(int32_t)1 | x >> (uint32_t)(int32_t)63;
952 }
953 
954 static KRML_MUSTINLINE uint64_t
955 libcrux_sha3_portable_keccak__vrax1q_u64(uint64_t a, uint64_t b) {
956   uint64_t uu____0 = a;
957   return uu____0 ^ libcrux_sha3_portable_keccak_rotate_left_cb(b);
958 }
959 
960 /**
961 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
962 usize> for u64)}
963 */
964 static KRML_MUSTINLINE uint64_t
965 libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(uint64_t a, uint64_t b) {
966   return libcrux_sha3_portable_keccak__vrax1q_u64(a, b);
967 }
968 
969 static KRML_MUSTINLINE uint64_t
970 libcrux_sha3_portable_keccak__vbcaxq_u64(uint64_t a, uint64_t b, uint64_t c) {
971   return a ^ (b & ~c);
972 }
973 
974 /**
975 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
976 usize> for u64)}
977 */
978 static KRML_MUSTINLINE uint64_t libcrux_sha3_portable_keccak_and_not_xor_5a(
979     uint64_t a, uint64_t b, uint64_t c) {
980   return libcrux_sha3_portable_keccak__vbcaxq_u64(a, b, c);
981 }
982 
983 static KRML_MUSTINLINE uint64_t
984 libcrux_sha3_portable_keccak__veorq_n_u64(uint64_t a, uint64_t c) {
985   return a ^ c;
986 }
987 
988 /**
989 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
990 usize> for u64)}
991 */
992 static KRML_MUSTINLINE uint64_t
993 libcrux_sha3_portable_keccak_xor_constant_5a(uint64_t a, uint64_t c) {
994   return libcrux_sha3_portable_keccak__veorq_n_u64(a, c);
995 }
996 
997 /**
998 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
999 usize> for u64)}
1000 */
1001 static KRML_MUSTINLINE uint64_t
1002 libcrux_sha3_portable_keccak_xor_5a(uint64_t a, uint64_t b) {
1003   return a ^ b;
1004 }
1005 
1006 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_1(
1007     Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) {
1008   ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
1009 }
1010 
1011 /**
1012 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1013 usize> for u64)}
1014 */
1015 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_n_5a(
1016     Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) {
1017   /* Passing arrays by value in Rust generates a copy in C */
1018   Eurydice_slice copy_of_a[1U];
1019   memcpy(copy_of_a, a, (size_t)1U * sizeof(Eurydice_slice));
1020   Eurydice_slice ret0[1U];
1021   libcrux_sha3_portable_keccak_slice_1(copy_of_a, start, len, ret0);
1022   memcpy(ret, ret0, (size_t)1U * sizeof(Eurydice_slice));
1023 }
1024 
1025 static KRML_MUSTINLINE Eurydice_slice_uint8_t_1size_t__x2
1026 libcrux_sha3_portable_keccak_split_at_mut_1(Eurydice_slice out[1U],
1027                                             size_t mid) {
1028   Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut(
1029       out[0U], mid, uint8_t, Eurydice_slice_uint8_t_x2);
1030   Eurydice_slice out00 = uu____0.fst;
1031   Eurydice_slice out01 = uu____0.snd;
1032   Eurydice_slice_uint8_t_1size_t__x2 lit;
1033   lit.fst[0U] = out00;
1034   lit.snd[0U] = out01;
1035   return lit;
1036 }
1037 
1038 /**
1039 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1040 usize> for u64)}
1041 */
1042 static KRML_MUSTINLINE Eurydice_slice_uint8_t_1size_t__x2
1043 libcrux_sha3_portable_keccak_split_at_mut_n_5a(Eurydice_slice a[1U],
1044                                                size_t mid) {
1045   return libcrux_sha3_portable_keccak_split_at_mut_1(a, mid);
1046 }
1047 
1048 /**
1049 A monomorphic instance of libcrux_sha3.generic_keccak.KeccakState
1050 with types uint64_t
1051 with const generics
1052 - $1size_t
1053 */
1054 typedef struct libcrux_sha3_generic_keccak_KeccakState_48_s {
1055   uint64_t st[5U][5U];
1056 } libcrux_sha3_generic_keccak_KeccakState_48;
1057 
1058 /**
1059  Create a new Shake128 x4 state.
1060 */
1061 /**
1062 This function found in impl {libcrux_sha3::generic_keccak::KeccakState<T,
1063 N>[TraitClause@0]#1}
1064 */
1065 /**
1066 A monomorphic instance of libcrux_sha3.generic_keccak.new_1e
1067 with types uint64_t
1068 with const generics
1069 - N= 1
1070 */
1071 static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_48
1072 libcrux_sha3_generic_keccak_new_1e_f4(void) {
1073   libcrux_sha3_generic_keccak_KeccakState_48 lit;
1074   lit.st[0U][0U] = libcrux_sha3_portable_keccak_zero_5a();
1075   lit.st[0U][1U] = libcrux_sha3_portable_keccak_zero_5a();
1076   lit.st[0U][2U] = libcrux_sha3_portable_keccak_zero_5a();
1077   lit.st[0U][3U] = libcrux_sha3_portable_keccak_zero_5a();
1078   lit.st[0U][4U] = libcrux_sha3_portable_keccak_zero_5a();
1079   lit.st[1U][0U] = libcrux_sha3_portable_keccak_zero_5a();
1080   lit.st[1U][1U] = libcrux_sha3_portable_keccak_zero_5a();
1081   lit.st[1U][2U] = libcrux_sha3_portable_keccak_zero_5a();
1082   lit.st[1U][3U] = libcrux_sha3_portable_keccak_zero_5a();
1083   lit.st[1U][4U] = libcrux_sha3_portable_keccak_zero_5a();
1084   lit.st[2U][0U] = libcrux_sha3_portable_keccak_zero_5a();
1085   lit.st[2U][1U] = libcrux_sha3_portable_keccak_zero_5a();
1086   lit.st[2U][2U] = libcrux_sha3_portable_keccak_zero_5a();
1087   lit.st[2U][3U] = libcrux_sha3_portable_keccak_zero_5a();
1088   lit.st[2U][4U] = libcrux_sha3_portable_keccak_zero_5a();
1089   lit.st[3U][0U] = libcrux_sha3_portable_keccak_zero_5a();
1090   lit.st[3U][1U] = libcrux_sha3_portable_keccak_zero_5a();
1091   lit.st[3U][2U] = libcrux_sha3_portable_keccak_zero_5a();
1092   lit.st[3U][3U] = libcrux_sha3_portable_keccak_zero_5a();
1093   lit.st[3U][4U] = libcrux_sha3_portable_keccak_zero_5a();
1094   lit.st[4U][0U] = libcrux_sha3_portable_keccak_zero_5a();
1095   lit.st[4U][1U] = libcrux_sha3_portable_keccak_zero_5a();
1096   lit.st[4U][2U] = libcrux_sha3_portable_keccak_zero_5a();
1097   lit.st[4U][3U] = libcrux_sha3_portable_keccak_zero_5a();
1098   lit.st[4U][4U] = libcrux_sha3_portable_keccak_zero_5a();
1099   return lit;
1100 }
1101 
1102 /**
1103 A monomorphic instance of libcrux_sha3.portable_keccak.load_block
1104 with const generics
1105 - RATE= 72
1106 */
1107 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_2c(
1108     uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
1109   for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) {
1110     size_t i0 = i;
1111     uint8_t uu____0[8U];
1112     Result_56 dst;
1113     Eurydice_slice_to_array2(
1114         &dst,
1115         Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
1116                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
1117         Eurydice_slice, uint8_t[8U]);
1118     unwrap_41_ac(dst, uu____0);
1119     size_t uu____1 = i0 / (size_t)5U;
1120     size_t uu____2 = i0 % (size_t)5U;
1121     s[uu____1][uu____2] =
1122         s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
1123   }
1124 }
1125 
1126 /**
1127 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1128 usize> for u64)}
1129 */
1130 /**
1131 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
1132 with const generics
1133 - RATE= 72
1134 */
1135 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_b8(
1136     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
1137   uint64_t(*uu____0)[5U] = a;
1138   /* Passing arrays by value in Rust generates a copy in C */
1139   Eurydice_slice copy_of_b[1U];
1140   memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
1141   libcrux_sha3_portable_keccak_load_block_2c(uu____0, copy_of_b);
1142 }
1143 
1144 /**
1145 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1146 with const generics
1147 - LEFT= 36
1148 - RIGHT= 28
1149 */
1150 static KRML_MUSTINLINE uint64_t
1151 libcrux_sha3_portable_keccak_rotate_left_cb0(uint64_t x) {
1152   return x << (uint32_t)(int32_t)36 | x >> (uint32_t)(int32_t)28;
1153 }
1154 
1155 /**
1156 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1157 with const generics
1158 - LEFT= 36
1159 - RIGHT= 28
1160 */
1161 static KRML_MUSTINLINE uint64_t
1162 libcrux_sha3_portable_keccak__vxarq_u64_42(uint64_t a, uint64_t b) {
1163   uint64_t ab = a ^ b;
1164   return libcrux_sha3_portable_keccak_rotate_left_cb0(ab);
1165 }
1166 
1167 /**
1168 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1169 usize> for u64)}
1170 */
1171 /**
1172 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1173 with const generics
1174 - LEFT= 36
1175 - RIGHT= 28
1176 */
1177 static KRML_MUSTINLINE uint64_t
1178 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb(uint64_t a, uint64_t b) {
1179   return libcrux_sha3_portable_keccak__vxarq_u64_42(a, b);
1180 }
1181 
1182 /**
1183 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1184 with const generics
1185 - LEFT= 3
1186 - RIGHT= 61
1187 */
1188 static KRML_MUSTINLINE uint64_t
1189 libcrux_sha3_portable_keccak_rotate_left_cb1(uint64_t x) {
1190   return x << (uint32_t)(int32_t)3 | x >> (uint32_t)(int32_t)61;
1191 }
1192 
1193 /**
1194 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1195 with const generics
1196 - LEFT= 3
1197 - RIGHT= 61
1198 */
1199 static KRML_MUSTINLINE uint64_t
1200 libcrux_sha3_portable_keccak__vxarq_u64_420(uint64_t a, uint64_t b) {
1201   uint64_t ab = a ^ b;
1202   return libcrux_sha3_portable_keccak_rotate_left_cb1(ab);
1203 }
1204 
1205 /**
1206 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1207 usize> for u64)}
1208 */
1209 /**
1210 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1211 with const generics
1212 - LEFT= 3
1213 - RIGHT= 61
1214 */
1215 static KRML_MUSTINLINE uint64_t
1216 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb0(uint64_t a, uint64_t b) {
1217   return libcrux_sha3_portable_keccak__vxarq_u64_420(a, b);
1218 }
1219 
1220 /**
1221 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1222 with const generics
1223 - LEFT= 41
1224 - RIGHT= 23
1225 */
1226 static KRML_MUSTINLINE uint64_t
1227 libcrux_sha3_portable_keccak_rotate_left_cb2(uint64_t x) {
1228   return x << (uint32_t)(int32_t)41 | x >> (uint32_t)(int32_t)23;
1229 }
1230 
1231 /**
1232 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1233 with const generics
1234 - LEFT= 41
1235 - RIGHT= 23
1236 */
1237 static KRML_MUSTINLINE uint64_t
1238 libcrux_sha3_portable_keccak__vxarq_u64_421(uint64_t a, uint64_t b) {
1239   uint64_t ab = a ^ b;
1240   return libcrux_sha3_portable_keccak_rotate_left_cb2(ab);
1241 }
1242 
1243 /**
1244 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1245 usize> for u64)}
1246 */
1247 /**
1248 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1249 with const generics
1250 - LEFT= 41
1251 - RIGHT= 23
1252 */
1253 static KRML_MUSTINLINE uint64_t
1254 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb1(uint64_t a, uint64_t b) {
1255   return libcrux_sha3_portable_keccak__vxarq_u64_421(a, b);
1256 }
1257 
1258 /**
1259 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1260 with const generics
1261 - LEFT= 18
1262 - RIGHT= 46
1263 */
1264 static KRML_MUSTINLINE uint64_t
1265 libcrux_sha3_portable_keccak_rotate_left_cb3(uint64_t x) {
1266   return x << (uint32_t)(int32_t)18 | x >> (uint32_t)(int32_t)46;
1267 }
1268 
1269 /**
1270 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1271 with const generics
1272 - LEFT= 18
1273 - RIGHT= 46
1274 */
1275 static KRML_MUSTINLINE uint64_t
1276 libcrux_sha3_portable_keccak__vxarq_u64_422(uint64_t a, uint64_t b) {
1277   uint64_t ab = a ^ b;
1278   return libcrux_sha3_portable_keccak_rotate_left_cb3(ab);
1279 }
1280 
1281 /**
1282 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1283 usize> for u64)}
1284 */
1285 /**
1286 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1287 with const generics
1288 - LEFT= 18
1289 - RIGHT= 46
1290 */
1291 static KRML_MUSTINLINE uint64_t
1292 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb2(uint64_t a, uint64_t b) {
1293   return libcrux_sha3_portable_keccak__vxarq_u64_422(a, b);
1294 }
1295 
1296 /**
1297 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1298 with const generics
1299 - LEFT= 1
1300 - RIGHT= 63
1301 */
1302 static KRML_MUSTINLINE uint64_t
1303 libcrux_sha3_portable_keccak__vxarq_u64_423(uint64_t a, uint64_t b) {
1304   uint64_t ab = a ^ b;
1305   return libcrux_sha3_portable_keccak_rotate_left_cb(ab);
1306 }
1307 
1308 /**
1309 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1310 usize> for u64)}
1311 */
1312 /**
1313 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1314 with const generics
1315 - LEFT= 1
1316 - RIGHT= 63
1317 */
1318 static KRML_MUSTINLINE uint64_t
1319 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb3(uint64_t a, uint64_t b) {
1320   return libcrux_sha3_portable_keccak__vxarq_u64_423(a, b);
1321 }
1322 
1323 /**
1324 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1325 with const generics
1326 - LEFT= 44
1327 - RIGHT= 20
1328 */
1329 static KRML_MUSTINLINE uint64_t
1330 libcrux_sha3_portable_keccak_rotate_left_cb4(uint64_t x) {
1331   return x << (uint32_t)(int32_t)44 | x >> (uint32_t)(int32_t)20;
1332 }
1333 
1334 /**
1335 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1336 with const generics
1337 - LEFT= 44
1338 - RIGHT= 20
1339 */
1340 static KRML_MUSTINLINE uint64_t
1341 libcrux_sha3_portable_keccak__vxarq_u64_424(uint64_t a, uint64_t b) {
1342   uint64_t ab = a ^ b;
1343   return libcrux_sha3_portable_keccak_rotate_left_cb4(ab);
1344 }
1345 
1346 /**
1347 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1348 usize> for u64)}
1349 */
1350 /**
1351 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1352 with const generics
1353 - LEFT= 44
1354 - RIGHT= 20
1355 */
1356 static KRML_MUSTINLINE uint64_t
1357 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb4(uint64_t a, uint64_t b) {
1358   return libcrux_sha3_portable_keccak__vxarq_u64_424(a, b);
1359 }
1360 
1361 /**
1362 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1363 with const generics
1364 - LEFT= 10
1365 - RIGHT= 54
1366 */
1367 static KRML_MUSTINLINE uint64_t
1368 libcrux_sha3_portable_keccak_rotate_left_cb5(uint64_t x) {
1369   return x << (uint32_t)(int32_t)10 | x >> (uint32_t)(int32_t)54;
1370 }
1371 
1372 /**
1373 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1374 with const generics
1375 - LEFT= 10
1376 - RIGHT= 54
1377 */
1378 static KRML_MUSTINLINE uint64_t
1379 libcrux_sha3_portable_keccak__vxarq_u64_425(uint64_t a, uint64_t b) {
1380   uint64_t ab = a ^ b;
1381   return libcrux_sha3_portable_keccak_rotate_left_cb5(ab);
1382 }
1383 
1384 /**
1385 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1386 usize> for u64)}
1387 */
1388 /**
1389 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1390 with const generics
1391 - LEFT= 10
1392 - RIGHT= 54
1393 */
1394 static KRML_MUSTINLINE uint64_t
1395 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb5(uint64_t a, uint64_t b) {
1396   return libcrux_sha3_portable_keccak__vxarq_u64_425(a, b);
1397 }
1398 
1399 /**
1400 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1401 with const generics
1402 - LEFT= 45
1403 - RIGHT= 19
1404 */
1405 static KRML_MUSTINLINE uint64_t
1406 libcrux_sha3_portable_keccak_rotate_left_cb6(uint64_t x) {
1407   return x << (uint32_t)(int32_t)45 | x >> (uint32_t)(int32_t)19;
1408 }
1409 
1410 /**
1411 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1412 with const generics
1413 - LEFT= 45
1414 - RIGHT= 19
1415 */
1416 static KRML_MUSTINLINE uint64_t
1417 libcrux_sha3_portable_keccak__vxarq_u64_426(uint64_t a, uint64_t b) {
1418   uint64_t ab = a ^ b;
1419   return libcrux_sha3_portable_keccak_rotate_left_cb6(ab);
1420 }
1421 
1422 /**
1423 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1424 usize> for u64)}
1425 */
1426 /**
1427 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1428 with const generics
1429 - LEFT= 45
1430 - RIGHT= 19
1431 */
1432 static KRML_MUSTINLINE uint64_t
1433 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb6(uint64_t a, uint64_t b) {
1434   return libcrux_sha3_portable_keccak__vxarq_u64_426(a, b);
1435 }
1436 
1437 /**
1438 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1439 with const generics
1440 - LEFT= 2
1441 - RIGHT= 62
1442 */
1443 static KRML_MUSTINLINE uint64_t
1444 libcrux_sha3_portable_keccak_rotate_left_cb7(uint64_t x) {
1445   return x << (uint32_t)(int32_t)2 | x >> (uint32_t)(int32_t)62;
1446 }
1447 
1448 /**
1449 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1450 with const generics
1451 - LEFT= 2
1452 - RIGHT= 62
1453 */
1454 static KRML_MUSTINLINE uint64_t
1455 libcrux_sha3_portable_keccak__vxarq_u64_427(uint64_t a, uint64_t b) {
1456   uint64_t ab = a ^ b;
1457   return libcrux_sha3_portable_keccak_rotate_left_cb7(ab);
1458 }
1459 
1460 /**
1461 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1462 usize> for u64)}
1463 */
1464 /**
1465 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1466 with const generics
1467 - LEFT= 2
1468 - RIGHT= 62
1469 */
1470 static KRML_MUSTINLINE uint64_t
1471 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb7(uint64_t a, uint64_t b) {
1472   return libcrux_sha3_portable_keccak__vxarq_u64_427(a, b);
1473 }
1474 
1475 /**
1476 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1477 with const generics
1478 - LEFT= 62
1479 - RIGHT= 2
1480 */
1481 static KRML_MUSTINLINE uint64_t
1482 libcrux_sha3_portable_keccak_rotate_left_cb8(uint64_t x) {
1483   return x << (uint32_t)(int32_t)62 | x >> (uint32_t)(int32_t)2;
1484 }
1485 
1486 /**
1487 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1488 with const generics
1489 - LEFT= 62
1490 - RIGHT= 2
1491 */
1492 static KRML_MUSTINLINE uint64_t
1493 libcrux_sha3_portable_keccak__vxarq_u64_428(uint64_t a, uint64_t b) {
1494   uint64_t ab = a ^ b;
1495   return libcrux_sha3_portable_keccak_rotate_left_cb8(ab);
1496 }
1497 
1498 /**
1499 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1500 usize> for u64)}
1501 */
1502 /**
1503 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1504 with const generics
1505 - LEFT= 62
1506 - RIGHT= 2
1507 */
1508 static KRML_MUSTINLINE uint64_t
1509 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb8(uint64_t a, uint64_t b) {
1510   return libcrux_sha3_portable_keccak__vxarq_u64_428(a, b);
1511 }
1512 
1513 /**
1514 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1515 with const generics
1516 - LEFT= 6
1517 - RIGHT= 58
1518 */
1519 static KRML_MUSTINLINE uint64_t
1520 libcrux_sha3_portable_keccak_rotate_left_cb9(uint64_t x) {
1521   return x << (uint32_t)(int32_t)6 | x >> (uint32_t)(int32_t)58;
1522 }
1523 
1524 /**
1525 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1526 with const generics
1527 - LEFT= 6
1528 - RIGHT= 58
1529 */
1530 static KRML_MUSTINLINE uint64_t
1531 libcrux_sha3_portable_keccak__vxarq_u64_429(uint64_t a, uint64_t b) {
1532   uint64_t ab = a ^ b;
1533   return libcrux_sha3_portable_keccak_rotate_left_cb9(ab);
1534 }
1535 
1536 /**
1537 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1538 usize> for u64)}
1539 */
1540 /**
1541 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1542 with const generics
1543 - LEFT= 6
1544 - RIGHT= 58
1545 */
1546 static KRML_MUSTINLINE uint64_t
1547 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb9(uint64_t a, uint64_t b) {
1548   return libcrux_sha3_portable_keccak__vxarq_u64_429(a, b);
1549 }
1550 
1551 /**
1552 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1553 with const generics
1554 - LEFT= 43
1555 - RIGHT= 21
1556 */
1557 static KRML_MUSTINLINE uint64_t
1558 libcrux_sha3_portable_keccak_rotate_left_cb10(uint64_t x) {
1559   return x << (uint32_t)(int32_t)43 | x >> (uint32_t)(int32_t)21;
1560 }
1561 
1562 /**
1563 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1564 with const generics
1565 - LEFT= 43
1566 - RIGHT= 21
1567 */
1568 static KRML_MUSTINLINE uint64_t
1569 libcrux_sha3_portable_keccak__vxarq_u64_4210(uint64_t a, uint64_t b) {
1570   uint64_t ab = a ^ b;
1571   return libcrux_sha3_portable_keccak_rotate_left_cb10(ab);
1572 }
1573 
1574 /**
1575 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1576 usize> for u64)}
1577 */
1578 /**
1579 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1580 with const generics
1581 - LEFT= 43
1582 - RIGHT= 21
1583 */
1584 static KRML_MUSTINLINE uint64_t
1585 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb10(uint64_t a, uint64_t b) {
1586   return libcrux_sha3_portable_keccak__vxarq_u64_4210(a, b);
1587 }
1588 
1589 /**
1590 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1591 with const generics
1592 - LEFT= 15
1593 - RIGHT= 49
1594 */
1595 static KRML_MUSTINLINE uint64_t
1596 libcrux_sha3_portable_keccak_rotate_left_cb11(uint64_t x) {
1597   return x << (uint32_t)(int32_t)15 | x >> (uint32_t)(int32_t)49;
1598 }
1599 
1600 /**
1601 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1602 with const generics
1603 - LEFT= 15
1604 - RIGHT= 49
1605 */
1606 static KRML_MUSTINLINE uint64_t
1607 libcrux_sha3_portable_keccak__vxarq_u64_4211(uint64_t a, uint64_t b) {
1608   uint64_t ab = a ^ b;
1609   return libcrux_sha3_portable_keccak_rotate_left_cb11(ab);
1610 }
1611 
1612 /**
1613 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1614 usize> for u64)}
1615 */
1616 /**
1617 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1618 with const generics
1619 - LEFT= 15
1620 - RIGHT= 49
1621 */
1622 static KRML_MUSTINLINE uint64_t
1623 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb11(uint64_t a, uint64_t b) {
1624   return libcrux_sha3_portable_keccak__vxarq_u64_4211(a, b);
1625 }
1626 
1627 /**
1628 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1629 with const generics
1630 - LEFT= 61
1631 - RIGHT= 3
1632 */
1633 static KRML_MUSTINLINE uint64_t
1634 libcrux_sha3_portable_keccak_rotate_left_cb12(uint64_t x) {
1635   return x << (uint32_t)(int32_t)61 | x >> (uint32_t)(int32_t)3;
1636 }
1637 
1638 /**
1639 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1640 with const generics
1641 - LEFT= 61
1642 - RIGHT= 3
1643 */
1644 static KRML_MUSTINLINE uint64_t
1645 libcrux_sha3_portable_keccak__vxarq_u64_4212(uint64_t a, uint64_t b) {
1646   uint64_t ab = a ^ b;
1647   return libcrux_sha3_portable_keccak_rotate_left_cb12(ab);
1648 }
1649 
1650 /**
1651 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1652 usize> for u64)}
1653 */
1654 /**
1655 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1656 with const generics
1657 - LEFT= 61
1658 - RIGHT= 3
1659 */
1660 static KRML_MUSTINLINE uint64_t
1661 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb12(uint64_t a, uint64_t b) {
1662   return libcrux_sha3_portable_keccak__vxarq_u64_4212(a, b);
1663 }
1664 
1665 /**
1666 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1667 with const generics
1668 - LEFT= 28
1669 - RIGHT= 36
1670 */
1671 static KRML_MUSTINLINE uint64_t
1672 libcrux_sha3_portable_keccak_rotate_left_cb13(uint64_t x) {
1673   return x << (uint32_t)(int32_t)28 | x >> (uint32_t)(int32_t)36;
1674 }
1675 
1676 /**
1677 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1678 with const generics
1679 - LEFT= 28
1680 - RIGHT= 36
1681 */
1682 static KRML_MUSTINLINE uint64_t
1683 libcrux_sha3_portable_keccak__vxarq_u64_4213(uint64_t a, uint64_t b) {
1684   uint64_t ab = a ^ b;
1685   return libcrux_sha3_portable_keccak_rotate_left_cb13(ab);
1686 }
1687 
1688 /**
1689 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1690 usize> for u64)}
1691 */
1692 /**
1693 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1694 with const generics
1695 - LEFT= 28
1696 - RIGHT= 36
1697 */
1698 static KRML_MUSTINLINE uint64_t
1699 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb13(uint64_t a, uint64_t b) {
1700   return libcrux_sha3_portable_keccak__vxarq_u64_4213(a, b);
1701 }
1702 
1703 /**
1704 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1705 with const generics
1706 - LEFT= 55
1707 - RIGHT= 9
1708 */
1709 static KRML_MUSTINLINE uint64_t
1710 libcrux_sha3_portable_keccak_rotate_left_cb14(uint64_t x) {
1711   return x << (uint32_t)(int32_t)55 | x >> (uint32_t)(int32_t)9;
1712 }
1713 
1714 /**
1715 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1716 with const generics
1717 - LEFT= 55
1718 - RIGHT= 9
1719 */
1720 static KRML_MUSTINLINE uint64_t
1721 libcrux_sha3_portable_keccak__vxarq_u64_4214(uint64_t a, uint64_t b) {
1722   uint64_t ab = a ^ b;
1723   return libcrux_sha3_portable_keccak_rotate_left_cb14(ab);
1724 }
1725 
1726 /**
1727 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1728 usize> for u64)}
1729 */
1730 /**
1731 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1732 with const generics
1733 - LEFT= 55
1734 - RIGHT= 9
1735 */
1736 static KRML_MUSTINLINE uint64_t
1737 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb14(uint64_t a, uint64_t b) {
1738   return libcrux_sha3_portable_keccak__vxarq_u64_4214(a, b);
1739 }
1740 
1741 /**
1742 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1743 with const generics
1744 - LEFT= 25
1745 - RIGHT= 39
1746 */
1747 static KRML_MUSTINLINE uint64_t
1748 libcrux_sha3_portable_keccak_rotate_left_cb15(uint64_t x) {
1749   return x << (uint32_t)(int32_t)25 | x >> (uint32_t)(int32_t)39;
1750 }
1751 
1752 /**
1753 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1754 with const generics
1755 - LEFT= 25
1756 - RIGHT= 39
1757 */
1758 static KRML_MUSTINLINE uint64_t
1759 libcrux_sha3_portable_keccak__vxarq_u64_4215(uint64_t a, uint64_t b) {
1760   uint64_t ab = a ^ b;
1761   return libcrux_sha3_portable_keccak_rotate_left_cb15(ab);
1762 }
1763 
1764 /**
1765 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1766 usize> for u64)}
1767 */
1768 /**
1769 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1770 with const generics
1771 - LEFT= 25
1772 - RIGHT= 39
1773 */
1774 static KRML_MUSTINLINE uint64_t
1775 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb15(uint64_t a, uint64_t b) {
1776   return libcrux_sha3_portable_keccak__vxarq_u64_4215(a, b);
1777 }
1778 
1779 /**
1780 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1781 with const generics
1782 - LEFT= 21
1783 - RIGHT= 43
1784 */
1785 static KRML_MUSTINLINE uint64_t
1786 libcrux_sha3_portable_keccak_rotate_left_cb16(uint64_t x) {
1787   return x << (uint32_t)(int32_t)21 | x >> (uint32_t)(int32_t)43;
1788 }
1789 
1790 /**
1791 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1792 with const generics
1793 - LEFT= 21
1794 - RIGHT= 43
1795 */
1796 static KRML_MUSTINLINE uint64_t
1797 libcrux_sha3_portable_keccak__vxarq_u64_4216(uint64_t a, uint64_t b) {
1798   uint64_t ab = a ^ b;
1799   return libcrux_sha3_portable_keccak_rotate_left_cb16(ab);
1800 }
1801 
1802 /**
1803 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1804 usize> for u64)}
1805 */
1806 /**
1807 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1808 with const generics
1809 - LEFT= 21
1810 - RIGHT= 43
1811 */
1812 static KRML_MUSTINLINE uint64_t
1813 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb16(uint64_t a, uint64_t b) {
1814   return libcrux_sha3_portable_keccak__vxarq_u64_4216(a, b);
1815 }
1816 
1817 /**
1818 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1819 with const generics
1820 - LEFT= 56
1821 - RIGHT= 8
1822 */
1823 static KRML_MUSTINLINE uint64_t
1824 libcrux_sha3_portable_keccak_rotate_left_cb17(uint64_t x) {
1825   return x << (uint32_t)(int32_t)56 | x >> (uint32_t)(int32_t)8;
1826 }
1827 
1828 /**
1829 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1830 with const generics
1831 - LEFT= 56
1832 - RIGHT= 8
1833 */
1834 static KRML_MUSTINLINE uint64_t
1835 libcrux_sha3_portable_keccak__vxarq_u64_4217(uint64_t a, uint64_t b) {
1836   uint64_t ab = a ^ b;
1837   return libcrux_sha3_portable_keccak_rotate_left_cb17(ab);
1838 }
1839 
1840 /**
1841 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1842 usize> for u64)}
1843 */
1844 /**
1845 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1846 with const generics
1847 - LEFT= 56
1848 - RIGHT= 8
1849 */
1850 static KRML_MUSTINLINE uint64_t
1851 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb17(uint64_t a, uint64_t b) {
1852   return libcrux_sha3_portable_keccak__vxarq_u64_4217(a, b);
1853 }
1854 
1855 /**
1856 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1857 with const generics
1858 - LEFT= 27
1859 - RIGHT= 37
1860 */
1861 static KRML_MUSTINLINE uint64_t
1862 libcrux_sha3_portable_keccak_rotate_left_cb18(uint64_t x) {
1863   return x << (uint32_t)(int32_t)27 | x >> (uint32_t)(int32_t)37;
1864 }
1865 
1866 /**
1867 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1868 with const generics
1869 - LEFT= 27
1870 - RIGHT= 37
1871 */
1872 static KRML_MUSTINLINE uint64_t
1873 libcrux_sha3_portable_keccak__vxarq_u64_4218(uint64_t a, uint64_t b) {
1874   uint64_t ab = a ^ b;
1875   return libcrux_sha3_portable_keccak_rotate_left_cb18(ab);
1876 }
1877 
1878 /**
1879 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1880 usize> for u64)}
1881 */
1882 /**
1883 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1884 with const generics
1885 - LEFT= 27
1886 - RIGHT= 37
1887 */
1888 static KRML_MUSTINLINE uint64_t
1889 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb18(uint64_t a, uint64_t b) {
1890   return libcrux_sha3_portable_keccak__vxarq_u64_4218(a, b);
1891 }
1892 
1893 /**
1894 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1895 with const generics
1896 - LEFT= 20
1897 - RIGHT= 44
1898 */
1899 static KRML_MUSTINLINE uint64_t
1900 libcrux_sha3_portable_keccak_rotate_left_cb19(uint64_t x) {
1901   return x << (uint32_t)(int32_t)20 | x >> (uint32_t)(int32_t)44;
1902 }
1903 
1904 /**
1905 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1906 with const generics
1907 - LEFT= 20
1908 - RIGHT= 44
1909 */
1910 static KRML_MUSTINLINE uint64_t
1911 libcrux_sha3_portable_keccak__vxarq_u64_4219(uint64_t a, uint64_t b) {
1912   uint64_t ab = a ^ b;
1913   return libcrux_sha3_portable_keccak_rotate_left_cb19(ab);
1914 }
1915 
1916 /**
1917 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1918 usize> for u64)}
1919 */
1920 /**
1921 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1922 with const generics
1923 - LEFT= 20
1924 - RIGHT= 44
1925 */
1926 static KRML_MUSTINLINE uint64_t
1927 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb19(uint64_t a, uint64_t b) {
1928   return libcrux_sha3_portable_keccak__vxarq_u64_4219(a, b);
1929 }
1930 
1931 /**
1932 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1933 with const generics
1934 - LEFT= 39
1935 - RIGHT= 25
1936 */
1937 static KRML_MUSTINLINE uint64_t
1938 libcrux_sha3_portable_keccak_rotate_left_cb20(uint64_t x) {
1939   return x << (uint32_t)(int32_t)39 | x >> (uint32_t)(int32_t)25;
1940 }
1941 
1942 /**
1943 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1944 with const generics
1945 - LEFT= 39
1946 - RIGHT= 25
1947 */
1948 static KRML_MUSTINLINE uint64_t
1949 libcrux_sha3_portable_keccak__vxarq_u64_4220(uint64_t a, uint64_t b) {
1950   uint64_t ab = a ^ b;
1951   return libcrux_sha3_portable_keccak_rotate_left_cb20(ab);
1952 }
1953 
1954 /**
1955 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1956 usize> for u64)}
1957 */
1958 /**
1959 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1960 with const generics
1961 - LEFT= 39
1962 - RIGHT= 25
1963 */
1964 static KRML_MUSTINLINE uint64_t
1965 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb20(uint64_t a, uint64_t b) {
1966   return libcrux_sha3_portable_keccak__vxarq_u64_4220(a, b);
1967 }
1968 
1969 /**
1970 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
1971 with const generics
1972 - LEFT= 8
1973 - RIGHT= 56
1974 */
1975 static KRML_MUSTINLINE uint64_t
1976 libcrux_sha3_portable_keccak_rotate_left_cb21(uint64_t x) {
1977   return x << (uint32_t)(int32_t)8 | x >> (uint32_t)(int32_t)56;
1978 }
1979 
1980 /**
1981 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
1982 with const generics
1983 - LEFT= 8
1984 - RIGHT= 56
1985 */
1986 static KRML_MUSTINLINE uint64_t
1987 libcrux_sha3_portable_keccak__vxarq_u64_4221(uint64_t a, uint64_t b) {
1988   uint64_t ab = a ^ b;
1989   return libcrux_sha3_portable_keccak_rotate_left_cb21(ab);
1990 }
1991 
1992 /**
1993 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
1994 usize> for u64)}
1995 */
1996 /**
1997 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
1998 with const generics
1999 - LEFT= 8
2000 - RIGHT= 56
2001 */
2002 static KRML_MUSTINLINE uint64_t
2003 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb21(uint64_t a, uint64_t b) {
2004   return libcrux_sha3_portable_keccak__vxarq_u64_4221(a, b);
2005 }
2006 
2007 /**
2008 A monomorphic instance of libcrux_sha3.portable_keccak.rotate_left
2009 with const generics
2010 - LEFT= 14
2011 - RIGHT= 50
2012 */
2013 static KRML_MUSTINLINE uint64_t
2014 libcrux_sha3_portable_keccak_rotate_left_cb22(uint64_t x) {
2015   return x << (uint32_t)(int32_t)14 | x >> (uint32_t)(int32_t)50;
2016 }
2017 
2018 /**
2019 A monomorphic instance of libcrux_sha3.portable_keccak._vxarq_u64
2020 with const generics
2021 - LEFT= 14
2022 - RIGHT= 50
2023 */
2024 static KRML_MUSTINLINE uint64_t
2025 libcrux_sha3_portable_keccak__vxarq_u64_4222(uint64_t a, uint64_t b) {
2026   uint64_t ab = a ^ b;
2027   return libcrux_sha3_portable_keccak_rotate_left_cb22(ab);
2028 }
2029 
2030 /**
2031 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
2032 usize> for u64)}
2033 */
2034 /**
2035 A monomorphic instance of libcrux_sha3.portable_keccak.xor_and_rotate_5a
2036 with const generics
2037 - LEFT= 14
2038 - RIGHT= 50
2039 */
2040 static KRML_MUSTINLINE uint64_t
2041 libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb22(uint64_t a, uint64_t b) {
2042   return libcrux_sha3_portable_keccak__vxarq_u64_4222(a, b);
2043 }
2044 
2045 /**
2046 A monomorphic instance of libcrux_sha3.generic_keccak.theta_rho
2047 with types uint64_t
2048 with const generics
2049 - N= 1
2050 */
2051 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_theta_rho_16(
2052     libcrux_sha3_generic_keccak_KeccakState_48 *s) {
2053   uint64_t c[5U] = {
2054       libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][0U], s->st[1U][0U],
2055                                            s->st[2U][0U], s->st[3U][0U],
2056                                            s->st[4U][0U]),
2057       libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][1U], s->st[1U][1U],
2058                                            s->st[2U][1U], s->st[3U][1U],
2059                                            s->st[4U][1U]),
2060       libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][2U], s->st[1U][2U],
2061                                            s->st[2U][2U], s->st[3U][2U],
2062                                            s->st[4U][2U]),
2063       libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][3U], s->st[1U][3U],
2064                                            s->st[2U][3U], s->st[3U][3U],
2065                                            s->st[4U][3U]),
2066       libcrux_sha3_portable_keccak_xor5_5a(s->st[0U][4U], s->st[1U][4U],
2067                                            s->st[2U][4U], s->st[3U][4U],
2068                                            s->st[4U][4U])};
2069   uint64_t uu____0 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
2070       c[((size_t)0U + (size_t)4U) % (size_t)5U],
2071       c[((size_t)0U + (size_t)1U) % (size_t)5U]);
2072   uint64_t uu____1 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
2073       c[((size_t)1U + (size_t)4U) % (size_t)5U],
2074       c[((size_t)1U + (size_t)1U) % (size_t)5U]);
2075   uint64_t uu____2 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
2076       c[((size_t)2U + (size_t)4U) % (size_t)5U],
2077       c[((size_t)2U + (size_t)1U) % (size_t)5U]);
2078   uint64_t uu____3 = libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
2079       c[((size_t)3U + (size_t)4U) % (size_t)5U],
2080       c[((size_t)3U + (size_t)1U) % (size_t)5U]);
2081   uint64_t t[5U] = {uu____0, uu____1, uu____2, uu____3,
2082                     libcrux_sha3_portable_keccak_rotate_left1_and_xor_5a(
2083                         c[((size_t)4U + (size_t)4U) % (size_t)5U],
2084                         c[((size_t)4U + (size_t)1U) % (size_t)5U])};
2085   s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_5a(s->st[0U][0U], t[0U]);
2086   s->st[1U][0U] =
2087       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb(s->st[1U][0U], t[0U]);
2088   s->st[2U][0U] =
2089       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb0(s->st[2U][0U], t[0U]);
2090   s->st[3U][0U] =
2091       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb1(s->st[3U][0U], t[0U]);
2092   s->st[4U][0U] =
2093       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb2(s->st[4U][0U], t[0U]);
2094   s->st[0U][1U] =
2095       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb3(s->st[0U][1U], t[1U]);
2096   s->st[1U][1U] =
2097       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb4(s->st[1U][1U], t[1U]);
2098   s->st[2U][1U] =
2099       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb5(s->st[2U][1U], t[1U]);
2100   s->st[3U][1U] =
2101       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb6(s->st[3U][1U], t[1U]);
2102   s->st[4U][1U] =
2103       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb7(s->st[4U][1U], t[1U]);
2104   s->st[0U][2U] =
2105       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb8(s->st[0U][2U], t[2U]);
2106   s->st[1U][2U] =
2107       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb9(s->st[1U][2U], t[2U]);
2108   s->st[2U][2U] =
2109       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb10(s->st[2U][2U], t[2U]);
2110   s->st[3U][2U] =
2111       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb11(s->st[3U][2U], t[2U]);
2112   s->st[4U][2U] =
2113       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb12(s->st[4U][2U], t[2U]);
2114   s->st[0U][3U] =
2115       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb13(s->st[0U][3U], t[3U]);
2116   s->st[1U][3U] =
2117       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb14(s->st[1U][3U], t[3U]);
2118   s->st[2U][3U] =
2119       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb15(s->st[2U][3U], t[3U]);
2120   s->st[3U][3U] =
2121       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb16(s->st[3U][3U], t[3U]);
2122   s->st[4U][3U] =
2123       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb17(s->st[4U][3U], t[3U]);
2124   s->st[0U][4U] =
2125       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb18(s->st[0U][4U], t[4U]);
2126   s->st[1U][4U] =
2127       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb19(s->st[1U][4U], t[4U]);
2128   s->st[2U][4U] =
2129       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb20(s->st[2U][4U], t[4U]);
2130   s->st[3U][4U] =
2131       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb21(s->st[3U][4U], t[4U]);
2132   uint64_t uu____27 =
2133       libcrux_sha3_portable_keccak_xor_and_rotate_5a_bb22(s->st[4U][4U], t[4U]);
2134   s->st[4U][4U] = uu____27;
2135 }
2136 
2137 /**
2138 A monomorphic instance of libcrux_sha3.generic_keccak.pi
2139 with types uint64_t
2140 with const generics
2141 - N= 1
2142 */
2143 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_pi_1d(
2144     libcrux_sha3_generic_keccak_KeccakState_48 *s) {
2145   uint64_t old[5U][5U];
2146   memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U]));
2147   s->st[0U][1U] = old[1U][1U];
2148   s->st[0U][2U] = old[2U][2U];
2149   s->st[0U][3U] = old[3U][3U];
2150   s->st[0U][4U] = old[4U][4U];
2151   s->st[1U][0U] = old[0U][3U];
2152   s->st[1U][1U] = old[1U][4U];
2153   s->st[1U][2U] = old[2U][0U];
2154   s->st[1U][3U] = old[3U][1U];
2155   s->st[1U][4U] = old[4U][2U];
2156   s->st[2U][0U] = old[0U][1U];
2157   s->st[2U][1U] = old[1U][2U];
2158   s->st[2U][2U] = old[2U][3U];
2159   s->st[2U][3U] = old[3U][4U];
2160   s->st[2U][4U] = old[4U][0U];
2161   s->st[3U][0U] = old[0U][4U];
2162   s->st[3U][1U] = old[1U][0U];
2163   s->st[3U][2U] = old[2U][1U];
2164   s->st[3U][3U] = old[3U][2U];
2165   s->st[3U][4U] = old[4U][3U];
2166   s->st[4U][0U] = old[0U][2U];
2167   s->st[4U][1U] = old[1U][3U];
2168   s->st[4U][2U] = old[2U][4U];
2169   s->st[4U][3U] = old[3U][0U];
2170   s->st[4U][4U] = old[4U][1U];
2171 }
2172 
2173 /**
2174 A monomorphic instance of libcrux_sha3.generic_keccak.chi
2175 with types uint64_t
2176 with const generics
2177 - N= 1
2178 */
2179 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_chi_12(
2180     libcrux_sha3_generic_keccak_KeccakState_48 *s) {
2181   uint64_t old[5U][5U];
2182   memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U]));
2183   for (size_t i0 = (size_t)0U; i0 < (size_t)5U; i0++) {
2184     size_t i1 = i0;
2185     for (size_t i = (size_t)0U; i < (size_t)5U; i++) {
2186       size_t j = i;
2187       s->st[i1][j] = libcrux_sha3_portable_keccak_and_not_xor_5a(
2188           s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U],
2189           old[i1][(j + (size_t)1U) % (size_t)5U]);
2190     }
2191   }
2192 }
2193 
2194 /**
2195 A monomorphic instance of libcrux_sha3.generic_keccak.iota
2196 with types uint64_t
2197 with const generics
2198 - N= 1
2199 */
2200 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_iota_62(
2201     libcrux_sha3_generic_keccak_KeccakState_48 *s, size_t i) {
2202   s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_constant_5a(
2203       s->st[0U][0U], libcrux_sha3_generic_keccak_ROUNDCONSTANTS[i]);
2204 }
2205 
2206 /**
2207 A monomorphic instance of libcrux_sha3.generic_keccak.keccakf1600
2208 with types uint64_t
2209 with const generics
2210 - N= 1
2211 */
2212 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccakf1600_21(
2213     libcrux_sha3_generic_keccak_KeccakState_48 *s) {
2214   for (size_t i = (size_t)0U; i < (size_t)24U; i++) {
2215     size_t i0 = i;
2216     libcrux_sha3_generic_keccak_theta_rho_16(s);
2217     libcrux_sha3_generic_keccak_pi_1d(s);
2218     libcrux_sha3_generic_keccak_chi_12(s);
2219     libcrux_sha3_generic_keccak_iota_62(s, i0);
2220   }
2221 }
2222 
2223 /**
2224 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
2225 with types uint64_t
2226 with const generics
2227 - N= 1
2228 - RATE= 72
2229 */
2230 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_df(
2231     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice blocks[1U]) {
2232   uint64_t(*uu____0)[5U] = s->st;
2233   Eurydice_slice uu____1[1U];
2234   memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
2235   libcrux_sha3_portable_keccak_load_block_5a_b8(uu____0, uu____1);
2236   libcrux_sha3_generic_keccak_keccakf1600_21(s);
2237 }
2238 
2239 /**
2240 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
2241 with const generics
2242 - RATE= 72
2243 */
2244 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_df(
2245     uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
2246   Eurydice_slice buf[1U] = {
2247       Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
2248   libcrux_sha3_portable_keccak_load_block_2c(s, buf);
2249 }
2250 
2251 /**
2252 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
2253 usize> for u64)}
2254 */
2255 /**
2256 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
2257 with const generics
2258 - RATE= 72
2259 */
2260 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_d2(
2261     uint64_t (*a)[5U], uint8_t b[1U][200U]) {
2262   uint64_t(*uu____0)[5U] = a;
2263   /* Passing arrays by value in Rust generates a copy in C */
2264   uint8_t copy_of_b[1U][200U];
2265   memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
2266   libcrux_sha3_portable_keccak_load_block_full_df(uu____0, copy_of_b);
2267 }
2268 
2269 /**
2270 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
2271 with types uint64_t
2272 with const generics
2273 - N= 1
2274 - RATE= 72
2275 - DELIM= 6
2276 */
2277 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_c7(
2278     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
2279   size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
2280   uint8_t blocks[1U][200U] = {{0U}};
2281   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
2282     size_t i0 = i;
2283     if (last_len > (size_t)0U) {
2284       Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
2285           blocks[i0], (size_t)0U, last_len, uint8_t);
2286       Eurydice_slice_copy(uu____0, last[i0], uint8_t);
2287     }
2288     blocks[i0][last_len] = 6U;
2289     size_t uu____1 = i0;
2290     size_t uu____2 = (size_t)72U - (size_t)1U;
2291     blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
2292   }
2293   uint64_t(*uu____3)[5U] = s->st;
2294   uint8_t uu____4[1U][200U];
2295   memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
2296   libcrux_sha3_portable_keccak_load_block_full_5a_d2(uu____3, uu____4);
2297   libcrux_sha3_generic_keccak_keccakf1600_21(s);
2298 }
2299 
2300 /**
2301 A monomorphic instance of libcrux_sha3.portable_keccak.store_block
2302 with const generics
2303 - RATE= 72
2304 */
2305 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_58(
2306     uint64_t (*s)[5U], Eurydice_slice out[1U]) {
2307   for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) {
2308     size_t i0 = i;
2309     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
2310         out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
2311     uint8_t ret[8U];
2312     core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
2313     Eurydice_slice_copy(
2314         uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
2315   }
2316 }
2317 
2318 /**
2319 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
2320 with const generics
2321 - RATE= 72
2322 */
2323 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_2d(
2324     uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
2325   uint8_t out[200U] = {0U};
2326   Eurydice_slice buf[1U] = {
2327       Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
2328   libcrux_sha3_portable_keccak_store_block_58(s, buf);
2329   /* Passing arrays by value in Rust generates a copy in C */
2330   uint8_t copy_of_out[200U];
2331   memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
2332   memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
2333 }
2334 
2335 /**
2336 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
2337 usize> for u64)}
2338 */
2339 /**
2340 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
2341 with const generics
2342 - RATE= 72
2343 */
2344 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_5a_29(
2345     uint64_t (*a)[5U], uint8_t ret[1U][200U]) {
2346   libcrux_sha3_portable_keccak_store_block_full_2d(a, ret);
2347 }
2348 
2349 /**
2350 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
2351 with types uint64_t
2352 with const generics
2353 - N= 1
2354 - RATE= 72
2355 */
2356 static KRML_MUSTINLINE void
2357 libcrux_sha3_generic_keccak_squeeze_first_and_last_c5(
2358     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
2359   uint8_t b[1U][200U];
2360   libcrux_sha3_portable_keccak_store_block_full_5a_29(s->st, b);
2361   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
2362     size_t i0 = i;
2363     Eurydice_slice uu____0 = out[i0];
2364     uint8_t *uu____1 = b[i0];
2365     core_ops_range_Range_b3 lit;
2366     lit.start = (size_t)0U;
2367     lit.end = Eurydice_slice_len(out[i0], uint8_t);
2368     Eurydice_slice_copy(
2369         uu____0,
2370         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
2371                                    core_ops_range_Range_b3),
2372         uint8_t);
2373   }
2374 }
2375 
2376 /**
2377 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
2378 usize> for u64)}
2379 */
2380 /**
2381 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
2382 with const generics
2383 - RATE= 72
2384 */
2385 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_59(
2386     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
2387   libcrux_sha3_portable_keccak_store_block_58(a, b);
2388 }
2389 
2390 /**
2391 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
2392 with types uint64_t
2393 with const generics
2394 - N= 1
2395 - RATE= 72
2396 */
2397 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_84(
2398     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
2399   libcrux_sha3_portable_keccak_store_block_5a_59(s->st, out);
2400 }
2401 
2402 /**
2403 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
2404 with types uint64_t
2405 with const generics
2406 - N= 1
2407 - RATE= 72
2408 */
2409 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_fc(
2410     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
2411   libcrux_sha3_generic_keccak_keccakf1600_21(s);
2412   libcrux_sha3_portable_keccak_store_block_5a_59(s->st, out);
2413 }
2414 
2415 /**
2416 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
2417 with types uint64_t
2418 with const generics
2419 - N= 1
2420 - RATE= 72
2421 */
2422 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_cf(
2423     libcrux_sha3_generic_keccak_KeccakState_48 s, Eurydice_slice out[1U]) {
2424   libcrux_sha3_generic_keccak_keccakf1600_21(&s);
2425   uint8_t b[1U][200U];
2426   libcrux_sha3_portable_keccak_store_block_full_5a_29(s.st, b);
2427   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
2428     size_t i0 = i;
2429     Eurydice_slice uu____0 = out[i0];
2430     uint8_t *uu____1 = b[i0];
2431     core_ops_range_Range_b3 lit;
2432     lit.start = (size_t)0U;
2433     lit.end = Eurydice_slice_len(out[i0], uint8_t);
2434     Eurydice_slice_copy(
2435         uu____0,
2436         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
2437                                    core_ops_range_Range_b3),
2438         uint8_t);
2439   }
2440 }
2441 
2442 /**
2443 A monomorphic instance of libcrux_sha3.generic_keccak.keccak
2444 with types uint64_t
2445 with const generics
2446 - N= 1
2447 - RATE= 72
2448 - DELIM= 6
2449 */
2450 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_e9(
2451     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
2452   libcrux_sha3_generic_keccak_KeccakState_48 s =
2453       libcrux_sha3_generic_keccak_new_1e_f4();
2454   for (size_t i = (size_t)0U;
2455        i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)72U; i++) {
2456     size_t i0 = i;
2457     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
2458     /* Passing arrays by value in Rust generates a copy in C */
2459     Eurydice_slice copy_of_data[1U];
2460     memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
2461     Eurydice_slice ret[1U];
2462     libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)72U,
2463                                             (size_t)72U, ret);
2464     libcrux_sha3_generic_keccak_absorb_block_df(uu____0, ret);
2465   }
2466   size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)72U;
2467   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
2468   /* Passing arrays by value in Rust generates a copy in C */
2469   Eurydice_slice copy_of_data[1U];
2470   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
2471   Eurydice_slice ret[1U];
2472   libcrux_sha3_portable_keccak_slice_n_5a(
2473       copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
2474   libcrux_sha3_generic_keccak_absorb_final_c7(uu____2, ret);
2475   size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
2476   size_t blocks = outlen / (size_t)72U;
2477   size_t last = outlen - outlen % (size_t)72U;
2478   if (blocks == (size_t)0U) {
2479     libcrux_sha3_generic_keccak_squeeze_first_and_last_c5(&s, out);
2480   } else {
2481     Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
2482         libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)72U);
2483     Eurydice_slice o0[1U];
2484     memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
2485     Eurydice_slice o1[1U];
2486     memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
2487     libcrux_sha3_generic_keccak_squeeze_first_block_84(&s, o0);
2488     core_ops_range_Range_b3 iter =
2489         core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
2490             (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
2491                                                .end = blocks}),
2492             core_ops_range_Range_b3, core_ops_range_Range_b3);
2493     while (true) {
2494       if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
2495               &iter, size_t, Option_b3)
2496               .tag == None) {
2497         break;
2498       } else {
2499         Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
2500             libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)72U);
2501         Eurydice_slice o[1U];
2502         memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
2503         Eurydice_slice orest[1U];
2504         memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
2505         libcrux_sha3_generic_keccak_squeeze_next_block_fc(&s, o);
2506         memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
2507       }
2508     }
2509     if (last < outlen) {
2510       libcrux_sha3_generic_keccak_squeeze_last_cf(s, o1);
2511     }
2512   }
2513 }
2514 
2515 /**
2516 A monomorphic instance of libcrux_sha3.portable.keccakx1
2517 with const generics
2518 - RATE= 72
2519 - DELIM= 6
2520 */
2521 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ce(
2522     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
2523   /* Passing arrays by value in Rust generates a copy in C */
2524   Eurydice_slice copy_of_data[1U];
2525   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
2526   libcrux_sha3_generic_keccak_keccak_e9(copy_of_data, out);
2527 }
2528 
2529 /**
2530  A portable SHA3 512 implementation.
2531 */
2532 static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest,
2533                                                          Eurydice_slice data) {
2534   Eurydice_slice buf0[1U] = {data};
2535   Eurydice_slice buf[1U] = {digest};
2536   libcrux_sha3_portable_keccakx1_ce(buf0, buf);
2537 }
2538 
2539 /**
2540 A monomorphic instance of libcrux_sha3.portable_keccak.load_block
2541 with const generics
2542 - RATE= 136
2543 */
2544 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_2c0(
2545     uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
2546   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) {
2547     size_t i0 = i;
2548     uint8_t uu____0[8U];
2549     Result_56 dst;
2550     Eurydice_slice_to_array2(
2551         &dst,
2552         Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
2553                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
2554         Eurydice_slice, uint8_t[8U]);
2555     unwrap_41_ac(dst, uu____0);
2556     size_t uu____1 = i0 / (size_t)5U;
2557     size_t uu____2 = i0 % (size_t)5U;
2558     s[uu____1][uu____2] =
2559         s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
2560   }
2561 }
2562 
2563 /**
2564 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
2565 usize> for u64)}
2566 */
2567 /**
2568 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
2569 with const generics
2570 - RATE= 136
2571 */
2572 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_b80(
2573     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
2574   uint64_t(*uu____0)[5U] = a;
2575   /* Passing arrays by value in Rust generates a copy in C */
2576   Eurydice_slice copy_of_b[1U];
2577   memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
2578   libcrux_sha3_portable_keccak_load_block_2c0(uu____0, copy_of_b);
2579 }
2580 
2581 /**
2582 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
2583 with types uint64_t
2584 with const generics
2585 - N= 1
2586 - RATE= 136
2587 */
2588 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_df0(
2589     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice blocks[1U]) {
2590   uint64_t(*uu____0)[5U] = s->st;
2591   Eurydice_slice uu____1[1U];
2592   memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
2593   libcrux_sha3_portable_keccak_load_block_5a_b80(uu____0, uu____1);
2594   libcrux_sha3_generic_keccak_keccakf1600_21(s);
2595 }
2596 
2597 /**
2598 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
2599 with const generics
2600 - RATE= 136
2601 */
2602 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_df0(
2603     uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
2604   Eurydice_slice buf[1U] = {
2605       Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
2606   libcrux_sha3_portable_keccak_load_block_2c0(s, buf);
2607 }
2608 
2609 /**
2610 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
2611 usize> for u64)}
2612 */
2613 /**
2614 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
2615 with const generics
2616 - RATE= 136
2617 */
2618 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_d20(
2619     uint64_t (*a)[5U], uint8_t b[1U][200U]) {
2620   uint64_t(*uu____0)[5U] = a;
2621   /* Passing arrays by value in Rust generates a copy in C */
2622   uint8_t copy_of_b[1U][200U];
2623   memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
2624   libcrux_sha3_portable_keccak_load_block_full_df0(uu____0, copy_of_b);
2625 }
2626 
2627 /**
2628 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
2629 with types uint64_t
2630 with const generics
2631 - N= 1
2632 - RATE= 136
2633 - DELIM= 6
2634 */
2635 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_c70(
2636     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
2637   size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
2638   uint8_t blocks[1U][200U] = {{0U}};
2639   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
2640     size_t i0 = i;
2641     if (last_len > (size_t)0U) {
2642       Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
2643           blocks[i0], (size_t)0U, last_len, uint8_t);
2644       Eurydice_slice_copy(uu____0, last[i0], uint8_t);
2645     }
2646     blocks[i0][last_len] = 6U;
2647     size_t uu____1 = i0;
2648     size_t uu____2 = (size_t)136U - (size_t)1U;
2649     blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
2650   }
2651   uint64_t(*uu____3)[5U] = s->st;
2652   uint8_t uu____4[1U][200U];
2653   memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
2654   libcrux_sha3_portable_keccak_load_block_full_5a_d20(uu____3, uu____4);
2655   libcrux_sha3_generic_keccak_keccakf1600_21(s);
2656 }
2657 
2658 /**
2659 A monomorphic instance of libcrux_sha3.portable_keccak.store_block
2660 with const generics
2661 - RATE= 136
2662 */
2663 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_580(
2664     uint64_t (*s)[5U], Eurydice_slice out[1U]) {
2665   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) {
2666     size_t i0 = i;
2667     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
2668         out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
2669     uint8_t ret[8U];
2670     core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
2671     Eurydice_slice_copy(
2672         uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
2673   }
2674 }
2675 
2676 /**
2677 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
2678 with const generics
2679 - RATE= 136
2680 */
2681 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_2d0(
2682     uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
2683   uint8_t out[200U] = {0U};
2684   Eurydice_slice buf[1U] = {
2685       Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
2686   libcrux_sha3_portable_keccak_store_block_580(s, buf);
2687   /* Passing arrays by value in Rust generates a copy in C */
2688   uint8_t copy_of_out[200U];
2689   memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
2690   memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
2691 }
2692 
2693 /**
2694 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
2695 usize> for u64)}
2696 */
2697 /**
2698 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
2699 with const generics
2700 - RATE= 136
2701 */
2702 static KRML_MUSTINLINE void
2703 libcrux_sha3_portable_keccak_store_block_full_5a_290(uint64_t (*a)[5U],
2704                                                      uint8_t ret[1U][200U]) {
2705   libcrux_sha3_portable_keccak_store_block_full_2d0(a, ret);
2706 }
2707 
2708 /**
2709 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
2710 with types uint64_t
2711 with const generics
2712 - N= 1
2713 - RATE= 136
2714 */
2715 static KRML_MUSTINLINE void
2716 libcrux_sha3_generic_keccak_squeeze_first_and_last_c50(
2717     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
2718   uint8_t b[1U][200U];
2719   libcrux_sha3_portable_keccak_store_block_full_5a_290(s->st, b);
2720   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
2721     size_t i0 = i;
2722     Eurydice_slice uu____0 = out[i0];
2723     uint8_t *uu____1 = b[i0];
2724     core_ops_range_Range_b3 lit;
2725     lit.start = (size_t)0U;
2726     lit.end = Eurydice_slice_len(out[i0], uint8_t);
2727     Eurydice_slice_copy(
2728         uu____0,
2729         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
2730                                    core_ops_range_Range_b3),
2731         uint8_t);
2732   }
2733 }
2734 
2735 /**
2736 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
2737 usize> for u64)}
2738 */
2739 /**
2740 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
2741 with const generics
2742 - RATE= 136
2743 */
2744 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_590(
2745     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
2746   libcrux_sha3_portable_keccak_store_block_580(a, b);
2747 }
2748 
2749 /**
2750 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
2751 with types uint64_t
2752 with const generics
2753 - N= 1
2754 - RATE= 136
2755 */
2756 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_840(
2757     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
2758   libcrux_sha3_portable_keccak_store_block_5a_590(s->st, out);
2759 }
2760 
2761 /**
2762 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
2763 with types uint64_t
2764 with const generics
2765 - N= 1
2766 - RATE= 136
2767 */
2768 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_fc0(
2769     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
2770   libcrux_sha3_generic_keccak_keccakf1600_21(s);
2771   libcrux_sha3_portable_keccak_store_block_5a_590(s->st, out);
2772 }
2773 
2774 /**
2775 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
2776 with types uint64_t
2777 with const generics
2778 - N= 1
2779 - RATE= 136
2780 */
2781 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_cf0(
2782     libcrux_sha3_generic_keccak_KeccakState_48 s, Eurydice_slice out[1U]) {
2783   libcrux_sha3_generic_keccak_keccakf1600_21(&s);
2784   uint8_t b[1U][200U];
2785   libcrux_sha3_portable_keccak_store_block_full_5a_290(s.st, b);
2786   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
2787     size_t i0 = i;
2788     Eurydice_slice uu____0 = out[i0];
2789     uint8_t *uu____1 = b[i0];
2790     core_ops_range_Range_b3 lit;
2791     lit.start = (size_t)0U;
2792     lit.end = Eurydice_slice_len(out[i0], uint8_t);
2793     Eurydice_slice_copy(
2794         uu____0,
2795         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
2796                                    core_ops_range_Range_b3),
2797         uint8_t);
2798   }
2799 }
2800 
2801 /**
2802 A monomorphic instance of libcrux_sha3.generic_keccak.keccak
2803 with types uint64_t
2804 with const generics
2805 - N= 1
2806 - RATE= 136
2807 - DELIM= 6
2808 */
2809 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_e90(
2810     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
2811   libcrux_sha3_generic_keccak_KeccakState_48 s =
2812       libcrux_sha3_generic_keccak_new_1e_f4();
2813   for (size_t i = (size_t)0U;
2814        i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
2815     size_t i0 = i;
2816     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
2817     /* Passing arrays by value in Rust generates a copy in C */
2818     Eurydice_slice copy_of_data[1U];
2819     memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
2820     Eurydice_slice ret[1U];
2821     libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U,
2822                                             (size_t)136U, ret);
2823     libcrux_sha3_generic_keccak_absorb_block_df0(uu____0, ret);
2824   }
2825   size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
2826   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
2827   /* Passing arrays by value in Rust generates a copy in C */
2828   Eurydice_slice copy_of_data[1U];
2829   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
2830   Eurydice_slice ret[1U];
2831   libcrux_sha3_portable_keccak_slice_n_5a(
2832       copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
2833   libcrux_sha3_generic_keccak_absorb_final_c70(uu____2, ret);
2834   size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
2835   size_t blocks = outlen / (size_t)136U;
2836   size_t last = outlen - outlen % (size_t)136U;
2837   if (blocks == (size_t)0U) {
2838     libcrux_sha3_generic_keccak_squeeze_first_and_last_c50(&s, out);
2839   } else {
2840     Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
2841         libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)136U);
2842     Eurydice_slice o0[1U];
2843     memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
2844     Eurydice_slice o1[1U];
2845     memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
2846     libcrux_sha3_generic_keccak_squeeze_first_block_840(&s, o0);
2847     core_ops_range_Range_b3 iter =
2848         core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
2849             (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
2850                                                .end = blocks}),
2851             core_ops_range_Range_b3, core_ops_range_Range_b3);
2852     while (true) {
2853       if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
2854               &iter, size_t, Option_b3)
2855               .tag == None) {
2856         break;
2857       } else {
2858         Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
2859             libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)136U);
2860         Eurydice_slice o[1U];
2861         memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
2862         Eurydice_slice orest[1U];
2863         memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
2864         libcrux_sha3_generic_keccak_squeeze_next_block_fc0(&s, o);
2865         memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
2866       }
2867     }
2868     if (last < outlen) {
2869       libcrux_sha3_generic_keccak_squeeze_last_cf0(s, o1);
2870     }
2871   }
2872 }
2873 
2874 /**
2875 A monomorphic instance of libcrux_sha3.portable.keccakx1
2876 with const generics
2877 - RATE= 136
2878 - DELIM= 6
2879 */
2880 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ce0(
2881     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
2882   /* Passing arrays by value in Rust generates a copy in C */
2883   Eurydice_slice copy_of_data[1U];
2884   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
2885   libcrux_sha3_generic_keccak_keccak_e90(copy_of_data, out);
2886 }
2887 
2888 /**
2889  A portable SHA3 256 implementation.
2890 */
2891 static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest,
2892                                                          Eurydice_slice data) {
2893   Eurydice_slice buf0[1U] = {data};
2894   Eurydice_slice buf[1U] = {digest};
2895   libcrux_sha3_portable_keccakx1_ce0(buf0, buf);
2896 }
2897 
2898 /**
2899 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
2900 with types uint64_t
2901 with const generics
2902 - N= 1
2903 - RATE= 136
2904 - DELIM= 31
2905 */
2906 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_c71(
2907     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
2908   size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
2909   uint8_t blocks[1U][200U] = {{0U}};
2910   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
2911     size_t i0 = i;
2912     if (last_len > (size_t)0U) {
2913       Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
2914           blocks[i0], (size_t)0U, last_len, uint8_t);
2915       Eurydice_slice_copy(uu____0, last[i0], uint8_t);
2916     }
2917     blocks[i0][last_len] = 31U;
2918     size_t uu____1 = i0;
2919     size_t uu____2 = (size_t)136U - (size_t)1U;
2920     blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
2921   }
2922   uint64_t(*uu____3)[5U] = s->st;
2923   uint8_t uu____4[1U][200U];
2924   memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
2925   libcrux_sha3_portable_keccak_load_block_full_5a_d20(uu____3, uu____4);
2926   libcrux_sha3_generic_keccak_keccakf1600_21(s);
2927 }
2928 
2929 /**
2930 A monomorphic instance of libcrux_sha3.generic_keccak.keccak
2931 with types uint64_t
2932 with const generics
2933 - N= 1
2934 - RATE= 136
2935 - DELIM= 31
2936 */
2937 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_e91(
2938     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
2939   libcrux_sha3_generic_keccak_KeccakState_48 s =
2940       libcrux_sha3_generic_keccak_new_1e_f4();
2941   for (size_t i = (size_t)0U;
2942        i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
2943     size_t i0 = i;
2944     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
2945     /* Passing arrays by value in Rust generates a copy in C */
2946     Eurydice_slice copy_of_data[1U];
2947     memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
2948     Eurydice_slice ret[1U];
2949     libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U,
2950                                             (size_t)136U, ret);
2951     libcrux_sha3_generic_keccak_absorb_block_df0(uu____0, ret);
2952   }
2953   size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
2954   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
2955   /* Passing arrays by value in Rust generates a copy in C */
2956   Eurydice_slice copy_of_data[1U];
2957   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
2958   Eurydice_slice ret[1U];
2959   libcrux_sha3_portable_keccak_slice_n_5a(
2960       copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
2961   libcrux_sha3_generic_keccak_absorb_final_c71(uu____2, ret);
2962   size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
2963   size_t blocks = outlen / (size_t)136U;
2964   size_t last = outlen - outlen % (size_t)136U;
2965   if (blocks == (size_t)0U) {
2966     libcrux_sha3_generic_keccak_squeeze_first_and_last_c50(&s, out);
2967   } else {
2968     Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
2969         libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)136U);
2970     Eurydice_slice o0[1U];
2971     memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
2972     Eurydice_slice o1[1U];
2973     memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
2974     libcrux_sha3_generic_keccak_squeeze_first_block_840(&s, o0);
2975     core_ops_range_Range_b3 iter =
2976         core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
2977             (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
2978                                                .end = blocks}),
2979             core_ops_range_Range_b3, core_ops_range_Range_b3);
2980     while (true) {
2981       if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
2982               &iter, size_t, Option_b3)
2983               .tag == None) {
2984         break;
2985       } else {
2986         Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
2987             libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)136U);
2988         Eurydice_slice o[1U];
2989         memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
2990         Eurydice_slice orest[1U];
2991         memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
2992         libcrux_sha3_generic_keccak_squeeze_next_block_fc0(&s, o);
2993         memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
2994       }
2995     }
2996     if (last < outlen) {
2997       libcrux_sha3_generic_keccak_squeeze_last_cf0(s, o1);
2998     }
2999   }
3000 }
3001 
3002 /**
3003 A monomorphic instance of libcrux_sha3.portable.keccakx1
3004 with const generics
3005 - RATE= 136
3006 - DELIM= 31
3007 */
3008 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ce1(
3009     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
3010   /* Passing arrays by value in Rust generates a copy in C */
3011   Eurydice_slice copy_of_data[1U];
3012   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
3013   libcrux_sha3_generic_keccak_keccak_e91(copy_of_data, out);
3014 }
3015 
3016 /**
3017  A portable SHAKE256 implementation.
3018 */
3019 static KRML_MUSTINLINE void libcrux_sha3_portable_shake256(
3020     Eurydice_slice digest, Eurydice_slice data) {
3021   Eurydice_slice buf0[1U] = {data};
3022   Eurydice_slice buf[1U] = {digest};
3023   libcrux_sha3_portable_keccakx1_ce1(buf0, buf);
3024 }
3025 
3026 typedef libcrux_sha3_generic_keccak_KeccakState_48
3027     libcrux_sha3_portable_KeccakState;
3028 
3029 /**
3030  Create a new SHAKE-128 state object.
3031 */
3032 static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_48
3033 libcrux_sha3_portable_incremental_shake128_init(void) {
3034   return libcrux_sha3_generic_keccak_new_1e_f4();
3035 }
3036 
3037 /**
3038 A monomorphic instance of libcrux_sha3.portable_keccak.load_block
3039 with const generics
3040 - RATE= 168
3041 */
3042 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_2c1(
3043     uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
3044   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) {
3045     size_t i0 = i;
3046     uint8_t uu____0[8U];
3047     Result_56 dst;
3048     Eurydice_slice_to_array2(
3049         &dst,
3050         Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
3051                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
3052         Eurydice_slice, uint8_t[8U]);
3053     unwrap_41_ac(dst, uu____0);
3054     size_t uu____1 = i0 / (size_t)5U;
3055     size_t uu____2 = i0 % (size_t)5U;
3056     s[uu____1][uu____2] =
3057         s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
3058   }
3059 }
3060 
3061 /**
3062 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
3063 with const generics
3064 - RATE= 168
3065 */
3066 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_df1(
3067     uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
3068   Eurydice_slice buf[1U] = {
3069       Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
3070   libcrux_sha3_portable_keccak_load_block_2c1(s, buf);
3071 }
3072 
3073 /**
3074 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3075 usize> for u64)}
3076 */
3077 /**
3078 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
3079 with const generics
3080 - RATE= 168
3081 */
3082 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_d21(
3083     uint64_t (*a)[5U], uint8_t b[1U][200U]) {
3084   uint64_t(*uu____0)[5U] = a;
3085   /* Passing arrays by value in Rust generates a copy in C */
3086   uint8_t copy_of_b[1U][200U];
3087   memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
3088   libcrux_sha3_portable_keccak_load_block_full_df1(uu____0, copy_of_b);
3089 }
3090 
3091 /**
3092 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
3093 with types uint64_t
3094 with const generics
3095 - N= 1
3096 - RATE= 168
3097 - DELIM= 31
3098 */
3099 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_c72(
3100     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
3101   size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
3102   uint8_t blocks[1U][200U] = {{0U}};
3103   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
3104     size_t i0 = i;
3105     if (last_len > (size_t)0U) {
3106       Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
3107           blocks[i0], (size_t)0U, last_len, uint8_t);
3108       Eurydice_slice_copy(uu____0, last[i0], uint8_t);
3109     }
3110     blocks[i0][last_len] = 31U;
3111     size_t uu____1 = i0;
3112     size_t uu____2 = (size_t)168U - (size_t)1U;
3113     blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
3114   }
3115   uint64_t(*uu____3)[5U] = s->st;
3116   uint8_t uu____4[1U][200U];
3117   memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
3118   libcrux_sha3_portable_keccak_load_block_full_5a_d21(uu____3, uu____4);
3119   libcrux_sha3_generic_keccak_keccakf1600_21(s);
3120 }
3121 
3122 /**
3123  Absorb
3124 */
3125 static KRML_MUSTINLINE void
3126 libcrux_sha3_portable_incremental_shake128_absorb_final(
3127     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice data0) {
3128   Eurydice_slice buf[1U] = {data0};
3129   libcrux_sha3_generic_keccak_absorb_final_c72(s, buf);
3130 }
3131 
3132 /**
3133 A monomorphic instance of libcrux_sha3.portable_keccak.store_block
3134 with const generics
3135 - RATE= 168
3136 */
3137 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_581(
3138     uint64_t (*s)[5U], Eurydice_slice out[1U]) {
3139   for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) {
3140     size_t i0 = i;
3141     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
3142         out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
3143     uint8_t ret[8U];
3144     core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
3145     Eurydice_slice_copy(
3146         uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
3147   }
3148 }
3149 
3150 /**
3151 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3152 usize> for u64)}
3153 */
3154 /**
3155 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
3156 with const generics
3157 - RATE= 168
3158 */
3159 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_591(
3160     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
3161   libcrux_sha3_portable_keccak_store_block_581(a, b);
3162 }
3163 
3164 /**
3165 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
3166 with types uint64_t
3167 with const generics
3168 - N= 1
3169 - RATE= 168
3170 */
3171 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_fc1(
3172     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3173   libcrux_sha3_generic_keccak_keccakf1600_21(s);
3174   libcrux_sha3_portable_keccak_store_block_5a_591(s->st, out);
3175 }
3176 
3177 /**
3178  Squeeze another block
3179 */
3180 static KRML_MUSTINLINE void
3181 libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
3182     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) {
3183   Eurydice_slice buf[1U] = {out0};
3184   libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, buf);
3185 }
3186 
3187 /**
3188 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
3189 with types uint64_t
3190 with const generics
3191 - N= 1
3192 - RATE= 168
3193 */
3194 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_841(
3195     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3196   libcrux_sha3_portable_keccak_store_block_5a_591(s->st, out);
3197 }
3198 
3199 /**
3200 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_three_blocks
3201 with types uint64_t
3202 with const generics
3203 - N= 1
3204 - RATE= 168
3205 */
3206 static KRML_MUSTINLINE void
3207 libcrux_sha3_generic_keccak_squeeze_first_three_blocks_cc(
3208     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3209   Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
3210       libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U);
3211   Eurydice_slice o0[1U];
3212   memcpy(o0, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
3213   Eurydice_slice o10[1U];
3214   memcpy(o10, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
3215   libcrux_sha3_generic_keccak_squeeze_first_block_841(s, o0);
3216   Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
3217       libcrux_sha3_portable_keccak_split_at_mut_n_5a(o10, (size_t)168U);
3218   Eurydice_slice o1[1U];
3219   memcpy(o1, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
3220   Eurydice_slice o2[1U];
3221   memcpy(o2, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
3222   libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, o1);
3223   libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, o2);
3224 }
3225 
3226 /**
3227  Squeeze three blocks
3228 */
3229 static KRML_MUSTINLINE void
3230 libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
3231     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) {
3232   Eurydice_slice buf[1U] = {out0};
3233   libcrux_sha3_generic_keccak_squeeze_first_three_blocks_cc(s, buf);
3234 }
3235 
3236 #define libcrux_sha3_Sha224 0
3237 #define libcrux_sha3_Sha256 1
3238 #define libcrux_sha3_Sha384 2
3239 #define libcrux_sha3_Sha512 3
3240 
3241 typedef uint8_t libcrux_sha3_Algorithm;
3242 
3243 /**
3244  Returns the output size of a digest.
3245 */
3246 static inline size_t libcrux_sha3_digest_size(libcrux_sha3_Algorithm mode) {
3247   size_t uu____0;
3248   switch (mode) {
3249     case libcrux_sha3_Sha224: {
3250       uu____0 = (size_t)28U;
3251       break;
3252     }
3253     case libcrux_sha3_Sha256: {
3254       uu____0 = (size_t)32U;
3255       break;
3256     }
3257     case libcrux_sha3_Sha384: {
3258       uu____0 = (size_t)48U;
3259       break;
3260     }
3261     case libcrux_sha3_Sha512: {
3262       uu____0 = (size_t)64U;
3263       break;
3264     }
3265     default: {
3266       KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__,
3267                         __LINE__);
3268       KRML_HOST_EXIT(253U);
3269     }
3270   }
3271   return uu____0;
3272 }
3273 
3274 /**
3275 A monomorphic instance of libcrux_sha3.portable_keccak.load_block
3276 with const generics
3277 - RATE= 144
3278 */
3279 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_2c2(
3280     uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
3281   for (size_t i = (size_t)0U; i < (size_t)144U / (size_t)8U; i++) {
3282     size_t i0 = i;
3283     uint8_t uu____0[8U];
3284     Result_56 dst;
3285     Eurydice_slice_to_array2(
3286         &dst,
3287         Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
3288                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
3289         Eurydice_slice, uint8_t[8U]);
3290     unwrap_41_ac(dst, uu____0);
3291     size_t uu____1 = i0 / (size_t)5U;
3292     size_t uu____2 = i0 % (size_t)5U;
3293     s[uu____1][uu____2] =
3294         s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
3295   }
3296 }
3297 
3298 /**
3299 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3300 usize> for u64)}
3301 */
3302 /**
3303 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
3304 with const generics
3305 - RATE= 144
3306 */
3307 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_b81(
3308     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
3309   uint64_t(*uu____0)[5U] = a;
3310   /* Passing arrays by value in Rust generates a copy in C */
3311   Eurydice_slice copy_of_b[1U];
3312   memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
3313   libcrux_sha3_portable_keccak_load_block_2c2(uu____0, copy_of_b);
3314 }
3315 
3316 /**
3317 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
3318 with types uint64_t
3319 with const generics
3320 - N= 1
3321 - RATE= 144
3322 */
3323 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_df1(
3324     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice blocks[1U]) {
3325   uint64_t(*uu____0)[5U] = s->st;
3326   Eurydice_slice uu____1[1U];
3327   memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
3328   libcrux_sha3_portable_keccak_load_block_5a_b81(uu____0, uu____1);
3329   libcrux_sha3_generic_keccak_keccakf1600_21(s);
3330 }
3331 
3332 /**
3333 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
3334 with const generics
3335 - RATE= 144
3336 */
3337 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_df2(
3338     uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
3339   Eurydice_slice buf[1U] = {
3340       Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
3341   libcrux_sha3_portable_keccak_load_block_2c2(s, buf);
3342 }
3343 
3344 /**
3345 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3346 usize> for u64)}
3347 */
3348 /**
3349 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
3350 with const generics
3351 - RATE= 144
3352 */
3353 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_d22(
3354     uint64_t (*a)[5U], uint8_t b[1U][200U]) {
3355   uint64_t(*uu____0)[5U] = a;
3356   /* Passing arrays by value in Rust generates a copy in C */
3357   uint8_t copy_of_b[1U][200U];
3358   memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
3359   libcrux_sha3_portable_keccak_load_block_full_df2(uu____0, copy_of_b);
3360 }
3361 
3362 /**
3363 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
3364 with types uint64_t
3365 with const generics
3366 - N= 1
3367 - RATE= 144
3368 - DELIM= 6
3369 */
3370 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_c73(
3371     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
3372   size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
3373   uint8_t blocks[1U][200U] = {{0U}};
3374   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
3375     size_t i0 = i;
3376     if (last_len > (size_t)0U) {
3377       Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
3378           blocks[i0], (size_t)0U, last_len, uint8_t);
3379       Eurydice_slice_copy(uu____0, last[i0], uint8_t);
3380     }
3381     blocks[i0][last_len] = 6U;
3382     size_t uu____1 = i0;
3383     size_t uu____2 = (size_t)144U - (size_t)1U;
3384     blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
3385   }
3386   uint64_t(*uu____3)[5U] = s->st;
3387   uint8_t uu____4[1U][200U];
3388   memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
3389   libcrux_sha3_portable_keccak_load_block_full_5a_d22(uu____3, uu____4);
3390   libcrux_sha3_generic_keccak_keccakf1600_21(s);
3391 }
3392 
3393 /**
3394 A monomorphic instance of libcrux_sha3.portable_keccak.store_block
3395 with const generics
3396 - RATE= 144
3397 */
3398 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_582(
3399     uint64_t (*s)[5U], Eurydice_slice out[1U]) {
3400   for (size_t i = (size_t)0U; i < (size_t)144U / (size_t)8U; i++) {
3401     size_t i0 = i;
3402     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
3403         out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
3404     uint8_t ret[8U];
3405     core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
3406     Eurydice_slice_copy(
3407         uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
3408   }
3409 }
3410 
3411 /**
3412 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
3413 with const generics
3414 - RATE= 144
3415 */
3416 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_2d1(
3417     uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
3418   uint8_t out[200U] = {0U};
3419   Eurydice_slice buf[1U] = {
3420       Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
3421   libcrux_sha3_portable_keccak_store_block_582(s, buf);
3422   /* Passing arrays by value in Rust generates a copy in C */
3423   uint8_t copy_of_out[200U];
3424   memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
3425   memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
3426 }
3427 
3428 /**
3429 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3430 usize> for u64)}
3431 */
3432 /**
3433 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
3434 with const generics
3435 - RATE= 144
3436 */
3437 static KRML_MUSTINLINE void
3438 libcrux_sha3_portable_keccak_store_block_full_5a_291(uint64_t (*a)[5U],
3439                                                      uint8_t ret[1U][200U]) {
3440   libcrux_sha3_portable_keccak_store_block_full_2d1(a, ret);
3441 }
3442 
3443 /**
3444 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
3445 with types uint64_t
3446 with const generics
3447 - N= 1
3448 - RATE= 144
3449 */
3450 static KRML_MUSTINLINE void
3451 libcrux_sha3_generic_keccak_squeeze_first_and_last_c51(
3452     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3453   uint8_t b[1U][200U];
3454   libcrux_sha3_portable_keccak_store_block_full_5a_291(s->st, b);
3455   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
3456     size_t i0 = i;
3457     Eurydice_slice uu____0 = out[i0];
3458     uint8_t *uu____1 = b[i0];
3459     core_ops_range_Range_b3 lit;
3460     lit.start = (size_t)0U;
3461     lit.end = Eurydice_slice_len(out[i0], uint8_t);
3462     Eurydice_slice_copy(
3463         uu____0,
3464         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
3465                                    core_ops_range_Range_b3),
3466         uint8_t);
3467   }
3468 }
3469 
3470 /**
3471 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3472 usize> for u64)}
3473 */
3474 /**
3475 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
3476 with const generics
3477 - RATE= 144
3478 */
3479 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_592(
3480     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
3481   libcrux_sha3_portable_keccak_store_block_582(a, b);
3482 }
3483 
3484 /**
3485 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
3486 with types uint64_t
3487 with const generics
3488 - N= 1
3489 - RATE= 144
3490 */
3491 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_842(
3492     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3493   libcrux_sha3_portable_keccak_store_block_5a_592(s->st, out);
3494 }
3495 
3496 /**
3497 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
3498 with types uint64_t
3499 with const generics
3500 - N= 1
3501 - RATE= 144
3502 */
3503 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_fc2(
3504     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3505   libcrux_sha3_generic_keccak_keccakf1600_21(s);
3506   libcrux_sha3_portable_keccak_store_block_5a_592(s->st, out);
3507 }
3508 
3509 /**
3510 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
3511 with types uint64_t
3512 with const generics
3513 - N= 1
3514 - RATE= 144
3515 */
3516 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_cf1(
3517     libcrux_sha3_generic_keccak_KeccakState_48 s, Eurydice_slice out[1U]) {
3518   libcrux_sha3_generic_keccak_keccakf1600_21(&s);
3519   uint8_t b[1U][200U];
3520   libcrux_sha3_portable_keccak_store_block_full_5a_291(s.st, b);
3521   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
3522     size_t i0 = i;
3523     Eurydice_slice uu____0 = out[i0];
3524     uint8_t *uu____1 = b[i0];
3525     core_ops_range_Range_b3 lit;
3526     lit.start = (size_t)0U;
3527     lit.end = Eurydice_slice_len(out[i0], uint8_t);
3528     Eurydice_slice_copy(
3529         uu____0,
3530         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
3531                                    core_ops_range_Range_b3),
3532         uint8_t);
3533   }
3534 }
3535 
3536 /**
3537 A monomorphic instance of libcrux_sha3.generic_keccak.keccak
3538 with types uint64_t
3539 with const generics
3540 - N= 1
3541 - RATE= 144
3542 - DELIM= 6
3543 */
3544 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_e92(
3545     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
3546   libcrux_sha3_generic_keccak_KeccakState_48 s =
3547       libcrux_sha3_generic_keccak_new_1e_f4();
3548   for (size_t i = (size_t)0U;
3549        i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)144U; i++) {
3550     size_t i0 = i;
3551     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
3552     /* Passing arrays by value in Rust generates a copy in C */
3553     Eurydice_slice copy_of_data[1U];
3554     memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
3555     Eurydice_slice ret[1U];
3556     libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)144U,
3557                                             (size_t)144U, ret);
3558     libcrux_sha3_generic_keccak_absorb_block_df1(uu____0, ret);
3559   }
3560   size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)144U;
3561   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
3562   /* Passing arrays by value in Rust generates a copy in C */
3563   Eurydice_slice copy_of_data[1U];
3564   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
3565   Eurydice_slice ret[1U];
3566   libcrux_sha3_portable_keccak_slice_n_5a(
3567       copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
3568   libcrux_sha3_generic_keccak_absorb_final_c73(uu____2, ret);
3569   size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
3570   size_t blocks = outlen / (size_t)144U;
3571   size_t last = outlen - outlen % (size_t)144U;
3572   if (blocks == (size_t)0U) {
3573     libcrux_sha3_generic_keccak_squeeze_first_and_last_c51(&s, out);
3574   } else {
3575     Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
3576         libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)144U);
3577     Eurydice_slice o0[1U];
3578     memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
3579     Eurydice_slice o1[1U];
3580     memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
3581     libcrux_sha3_generic_keccak_squeeze_first_block_842(&s, o0);
3582     core_ops_range_Range_b3 iter =
3583         core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
3584             (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
3585                                                .end = blocks}),
3586             core_ops_range_Range_b3, core_ops_range_Range_b3);
3587     while (true) {
3588       if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
3589               &iter, size_t, Option_b3)
3590               .tag == None) {
3591         break;
3592       } else {
3593         Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
3594             libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)144U);
3595         Eurydice_slice o[1U];
3596         memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
3597         Eurydice_slice orest[1U];
3598         memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
3599         libcrux_sha3_generic_keccak_squeeze_next_block_fc2(&s, o);
3600         memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
3601       }
3602     }
3603     if (last < outlen) {
3604       libcrux_sha3_generic_keccak_squeeze_last_cf1(s, o1);
3605     }
3606   }
3607 }
3608 
3609 /**
3610 A monomorphic instance of libcrux_sha3.portable.keccakx1
3611 with const generics
3612 - RATE= 144
3613 - DELIM= 6
3614 */
3615 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ce2(
3616     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
3617   /* Passing arrays by value in Rust generates a copy in C */
3618   Eurydice_slice copy_of_data[1U];
3619   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
3620   libcrux_sha3_generic_keccak_keccak_e92(copy_of_data, out);
3621 }
3622 
3623 /**
3624  A portable SHA3 224 implementation.
3625 */
3626 static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest,
3627                                                          Eurydice_slice data) {
3628   Eurydice_slice buf0[1U] = {data};
3629   Eurydice_slice buf[1U] = {digest};
3630   libcrux_sha3_portable_keccakx1_ce2(buf0, buf);
3631 }
3632 
3633 /**
3634 A monomorphic instance of libcrux_sha3.portable_keccak.load_block
3635 with const generics
3636 - RATE= 104
3637 */
3638 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_2c3(
3639     uint64_t (*s)[5U], Eurydice_slice blocks[1U]) {
3640   for (size_t i = (size_t)0U; i < (size_t)104U / (size_t)8U; i++) {
3641     size_t i0 = i;
3642     uint8_t uu____0[8U];
3643     Result_56 dst;
3644     Eurydice_slice_to_array2(
3645         &dst,
3646         Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
3647                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
3648         Eurydice_slice, uint8_t[8U]);
3649     unwrap_41_ac(dst, uu____0);
3650     size_t uu____1 = i0 / (size_t)5U;
3651     size_t uu____2 = i0 % (size_t)5U;
3652     s[uu____1][uu____2] =
3653         s[uu____1][uu____2] ^ core_num__u64_9__from_le_bytes(uu____0);
3654   }
3655 }
3656 
3657 /**
3658 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3659 usize> for u64)}
3660 */
3661 /**
3662 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
3663 with const generics
3664 - RATE= 104
3665 */
3666 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_b82(
3667     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
3668   uint64_t(*uu____0)[5U] = a;
3669   /* Passing arrays by value in Rust generates a copy in C */
3670   Eurydice_slice copy_of_b[1U];
3671   memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
3672   libcrux_sha3_portable_keccak_load_block_2c3(uu____0, copy_of_b);
3673 }
3674 
3675 /**
3676 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
3677 with types uint64_t
3678 with const generics
3679 - N= 1
3680 - RATE= 104
3681 */
3682 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_df2(
3683     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice blocks[1U]) {
3684   uint64_t(*uu____0)[5U] = s->st;
3685   Eurydice_slice uu____1[1U];
3686   memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
3687   libcrux_sha3_portable_keccak_load_block_5a_b82(uu____0, uu____1);
3688   libcrux_sha3_generic_keccak_keccakf1600_21(s);
3689 }
3690 
3691 /**
3692 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full
3693 with const generics
3694 - RATE= 104
3695 */
3696 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_df3(
3697     uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
3698   Eurydice_slice buf[1U] = {
3699       Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
3700   libcrux_sha3_portable_keccak_load_block_2c3(s, buf);
3701 }
3702 
3703 /**
3704 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3705 usize> for u64)}
3706 */
3707 /**
3708 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_full_5a
3709 with const generics
3710 - RATE= 104
3711 */
3712 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_d23(
3713     uint64_t (*a)[5U], uint8_t b[1U][200U]) {
3714   uint64_t(*uu____0)[5U] = a;
3715   /* Passing arrays by value in Rust generates a copy in C */
3716   uint8_t copy_of_b[1U][200U];
3717   memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
3718   libcrux_sha3_portable_keccak_load_block_full_df3(uu____0, copy_of_b);
3719 }
3720 
3721 /**
3722 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final
3723 with types uint64_t
3724 with const generics
3725 - N= 1
3726 - RATE= 104
3727 - DELIM= 6
3728 */
3729 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_c74(
3730     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
3731   size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
3732   uint8_t blocks[1U][200U] = {{0U}};
3733   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
3734     size_t i0 = i;
3735     if (last_len > (size_t)0U) {
3736       Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
3737           blocks[i0], (size_t)0U, last_len, uint8_t);
3738       Eurydice_slice_copy(uu____0, last[i0], uint8_t);
3739     }
3740     blocks[i0][last_len] = 6U;
3741     size_t uu____1 = i0;
3742     size_t uu____2 = (size_t)104U - (size_t)1U;
3743     blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;
3744   }
3745   uint64_t(*uu____3)[5U] = s->st;
3746   uint8_t uu____4[1U][200U];
3747   memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U]));
3748   libcrux_sha3_portable_keccak_load_block_full_5a_d23(uu____3, uu____4);
3749   libcrux_sha3_generic_keccak_keccakf1600_21(s);
3750 }
3751 
3752 /**
3753 A monomorphic instance of libcrux_sha3.portable_keccak.store_block
3754 with const generics
3755 - RATE= 104
3756 */
3757 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_583(
3758     uint64_t (*s)[5U], Eurydice_slice out[1U]) {
3759   for (size_t i = (size_t)0U; i < (size_t)104U / (size_t)8U; i++) {
3760     size_t i0 = i;
3761     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
3762         out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
3763     uint8_t ret[8U];
3764     core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
3765     Eurydice_slice_copy(
3766         uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
3767   }
3768 }
3769 
3770 /**
3771 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
3772 with const generics
3773 - RATE= 104
3774 */
3775 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_2d2(
3776     uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
3777   uint8_t out[200U] = {0U};
3778   Eurydice_slice buf[1U] = {
3779       Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
3780   libcrux_sha3_portable_keccak_store_block_583(s, buf);
3781   /* Passing arrays by value in Rust generates a copy in C */
3782   uint8_t copy_of_out[200U];
3783   memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
3784   memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
3785 }
3786 
3787 /**
3788 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3789 usize> for u64)}
3790 */
3791 /**
3792 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
3793 with const generics
3794 - RATE= 104
3795 */
3796 static KRML_MUSTINLINE void
3797 libcrux_sha3_portable_keccak_store_block_full_5a_292(uint64_t (*a)[5U],
3798                                                      uint8_t ret[1U][200U]) {
3799   libcrux_sha3_portable_keccak_store_block_full_2d2(a, ret);
3800 }
3801 
3802 /**
3803 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
3804 with types uint64_t
3805 with const generics
3806 - N= 1
3807 - RATE= 104
3808 */
3809 static KRML_MUSTINLINE void
3810 libcrux_sha3_generic_keccak_squeeze_first_and_last_c52(
3811     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3812   uint8_t b[1U][200U];
3813   libcrux_sha3_portable_keccak_store_block_full_5a_292(s->st, b);
3814   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
3815     size_t i0 = i;
3816     Eurydice_slice uu____0 = out[i0];
3817     uint8_t *uu____1 = b[i0];
3818     core_ops_range_Range_b3 lit;
3819     lit.start = (size_t)0U;
3820     lit.end = Eurydice_slice_len(out[i0], uint8_t);
3821     Eurydice_slice_copy(
3822         uu____0,
3823         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
3824                                    core_ops_range_Range_b3),
3825         uint8_t);
3826   }
3827 }
3828 
3829 /**
3830 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
3831 usize> for u64)}
3832 */
3833 /**
3834 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_5a
3835 with const generics
3836 - RATE= 104
3837 */
3838 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_5a_593(
3839     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
3840   libcrux_sha3_portable_keccak_store_block_583(a, b);
3841 }
3842 
3843 /**
3844 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_block
3845 with types uint64_t
3846 with const generics
3847 - N= 1
3848 - RATE= 104
3849 */
3850 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_block_843(
3851     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3852   libcrux_sha3_portable_keccak_store_block_5a_593(s->st, out);
3853 }
3854 
3855 /**
3856 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_next_block
3857 with types uint64_t
3858 with const generics
3859 - N= 1
3860 - RATE= 104
3861 */
3862 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_fc3(
3863     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
3864   libcrux_sha3_generic_keccak_keccakf1600_21(s);
3865   libcrux_sha3_portable_keccak_store_block_5a_593(s->st, out);
3866 }
3867 
3868 /**
3869 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
3870 with types uint64_t
3871 with const generics
3872 - N= 1
3873 - RATE= 104
3874 */
3875 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_cf2(
3876     libcrux_sha3_generic_keccak_KeccakState_48 s, Eurydice_slice out[1U]) {
3877   libcrux_sha3_generic_keccak_keccakf1600_21(&s);
3878   uint8_t b[1U][200U];
3879   libcrux_sha3_portable_keccak_store_block_full_5a_292(s.st, b);
3880   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
3881     size_t i0 = i;
3882     Eurydice_slice uu____0 = out[i0];
3883     uint8_t *uu____1 = b[i0];
3884     core_ops_range_Range_b3 lit;
3885     lit.start = (size_t)0U;
3886     lit.end = Eurydice_slice_len(out[i0], uint8_t);
3887     Eurydice_slice_copy(
3888         uu____0,
3889         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
3890                                    core_ops_range_Range_b3),
3891         uint8_t);
3892   }
3893 }
3894 
3895 /**
3896 A monomorphic instance of libcrux_sha3.generic_keccak.keccak
3897 with types uint64_t
3898 with const generics
3899 - N= 1
3900 - RATE= 104
3901 - DELIM= 6
3902 */
3903 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_e93(
3904     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
3905   libcrux_sha3_generic_keccak_KeccakState_48 s =
3906       libcrux_sha3_generic_keccak_new_1e_f4();
3907   for (size_t i = (size_t)0U;
3908        i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)104U; i++) {
3909     size_t i0 = i;
3910     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
3911     /* Passing arrays by value in Rust generates a copy in C */
3912     Eurydice_slice copy_of_data[1U];
3913     memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
3914     Eurydice_slice ret[1U];
3915     libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)104U,
3916                                             (size_t)104U, ret);
3917     libcrux_sha3_generic_keccak_absorb_block_df2(uu____0, ret);
3918   }
3919   size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)104U;
3920   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
3921   /* Passing arrays by value in Rust generates a copy in C */
3922   Eurydice_slice copy_of_data[1U];
3923   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
3924   Eurydice_slice ret[1U];
3925   libcrux_sha3_portable_keccak_slice_n_5a(
3926       copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
3927   libcrux_sha3_generic_keccak_absorb_final_c74(uu____2, ret);
3928   size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
3929   size_t blocks = outlen / (size_t)104U;
3930   size_t last = outlen - outlen % (size_t)104U;
3931   if (blocks == (size_t)0U) {
3932     libcrux_sha3_generic_keccak_squeeze_first_and_last_c52(&s, out);
3933   } else {
3934     Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
3935         libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)104U);
3936     Eurydice_slice o0[1U];
3937     memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
3938     Eurydice_slice o1[1U];
3939     memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
3940     libcrux_sha3_generic_keccak_squeeze_first_block_843(&s, o0);
3941     core_ops_range_Range_b3 iter =
3942         core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
3943             (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
3944                                                .end = blocks}),
3945             core_ops_range_Range_b3, core_ops_range_Range_b3);
3946     while (true) {
3947       if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
3948               &iter, size_t, Option_b3)
3949               .tag == None) {
3950         break;
3951       } else {
3952         Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
3953             libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)104U);
3954         Eurydice_slice o[1U];
3955         memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
3956         Eurydice_slice orest[1U];
3957         memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
3958         libcrux_sha3_generic_keccak_squeeze_next_block_fc3(&s, o);
3959         memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
3960       }
3961     }
3962     if (last < outlen) {
3963       libcrux_sha3_generic_keccak_squeeze_last_cf2(s, o1);
3964     }
3965   }
3966 }
3967 
3968 /**
3969 A monomorphic instance of libcrux_sha3.portable.keccakx1
3970 with const generics
3971 - RATE= 104
3972 - DELIM= 6
3973 */
3974 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ce3(
3975     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
3976   /* Passing arrays by value in Rust generates a copy in C */
3977   Eurydice_slice copy_of_data[1U];
3978   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
3979   libcrux_sha3_generic_keccak_keccak_e93(copy_of_data, out);
3980 }
3981 
3982 /**
3983  A portable SHA3 384 implementation.
3984 */
3985 static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
3986                                                          Eurydice_slice data) {
3987   Eurydice_slice buf0[1U] = {data};
3988   Eurydice_slice buf[1U] = {digest};
3989   libcrux_sha3_portable_keccakx1_ce3(buf0, buf);
3990 }
3991 
3992 /**
3993  SHA3 224
3994 
3995  Preconditions:
3996  - `digest.len() == 28`
3997 */
3998 static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest,
3999                                                     Eurydice_slice payload) {
4000   libcrux_sha3_portable_sha224(digest, payload);
4001 }
4002 
4003 /**
4004  SHA3 224
4005 */
4006 static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
4007                                                 uint8_t ret[28U]) {
4008   uint8_t out[28U] = {0U};
4009   libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t),
4010                           data);
4011   memcpy(ret, out, (size_t)28U * sizeof(uint8_t));
4012 }
4013 
4014 /**
4015  SHA3 256
4016 */
4017 static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest,
4018                                                     Eurydice_slice payload) {
4019   libcrux_sha3_portable_sha256(digest, payload);
4020 }
4021 
4022 /**
4023  SHA3 256
4024 */
4025 static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
4026                                                 uint8_t ret[32U]) {
4027   uint8_t out[32U] = {0U};
4028   libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
4029                           data);
4030   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
4031 }
4032 
4033 /**
4034  SHA3 384
4035 */
4036 static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest,
4037                                                     Eurydice_slice payload) {
4038   libcrux_sha3_portable_sha384(digest, payload);
4039 }
4040 
4041 /**
4042  SHA3 384
4043 */
4044 static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
4045                                                 uint8_t ret[48U]) {
4046   uint8_t out[48U] = {0U};
4047   libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t),
4048                           data);
4049   memcpy(ret, out, (size_t)48U * sizeof(uint8_t));
4050 }
4051 
4052 /**
4053  SHA3 512
4054 */
4055 static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest,
4056                                                     Eurydice_slice payload) {
4057   libcrux_sha3_portable_sha512(digest, payload);
4058 }
4059 
4060 /**
4061  SHA3 512
4062 */
4063 static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data,
4064                                                 uint8_t ret[64U]) {
4065   uint8_t out[64U] = {0U};
4066   libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t),
4067                           data);
4068   memcpy(ret, out, (size_t)64U * sizeof(uint8_t));
4069 }
4070 
4071 /**
4072 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
4073 usize> for u64)}
4074 */
4075 /**
4076 A monomorphic instance of libcrux_sha3.portable_keccak.load_block_5a
4077 with const generics
4078 - RATE= 168
4079 */
4080 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_b83(
4081     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
4082   uint64_t(*uu____0)[5U] = a;
4083   /* Passing arrays by value in Rust generates a copy in C */
4084   Eurydice_slice copy_of_b[1U];
4085   memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
4086   libcrux_sha3_portable_keccak_load_block_2c1(uu____0, copy_of_b);
4087 }
4088 
4089 /**
4090 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_block
4091 with types uint64_t
4092 with const generics
4093 - N= 1
4094 - RATE= 168
4095 */
4096 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_block_df3(
4097     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice blocks[1U]) {
4098   uint64_t(*uu____0)[5U] = s->st;
4099   Eurydice_slice uu____1[1U];
4100   memcpy(uu____1, blocks, (size_t)1U * sizeof(Eurydice_slice));
4101   libcrux_sha3_portable_keccak_load_block_5a_b83(uu____0, uu____1);
4102   libcrux_sha3_generic_keccak_keccakf1600_21(s);
4103 }
4104 
4105 /**
4106 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full
4107 with const generics
4108 - RATE= 168
4109 */
4110 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_2d3(
4111     uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
4112   uint8_t out[200U] = {0U};
4113   Eurydice_slice buf[1U] = {
4114       Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
4115   libcrux_sha3_portable_keccak_store_block_581(s, buf);
4116   /* Passing arrays by value in Rust generates a copy in C */
4117   uint8_t copy_of_out[200U];
4118   memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
4119   memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
4120 }
4121 
4122 /**
4123 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
4124 usize> for u64)}
4125 */
4126 /**
4127 A monomorphic instance of libcrux_sha3.portable_keccak.store_block_full_5a
4128 with const generics
4129 - RATE= 168
4130 */
4131 static KRML_MUSTINLINE void
4132 libcrux_sha3_portable_keccak_store_block_full_5a_293(uint64_t (*a)[5U],
4133                                                      uint8_t ret[1U][200U]) {
4134   libcrux_sha3_portable_keccak_store_block_full_2d3(a, ret);
4135 }
4136 
4137 /**
4138 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_and_last
4139 with types uint64_t
4140 with const generics
4141 - N= 1
4142 - RATE= 168
4143 */
4144 static KRML_MUSTINLINE void
4145 libcrux_sha3_generic_keccak_squeeze_first_and_last_c53(
4146     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
4147   uint8_t b[1U][200U];
4148   libcrux_sha3_portable_keccak_store_block_full_5a_293(s->st, b);
4149   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
4150     size_t i0 = i;
4151     Eurydice_slice uu____0 = out[i0];
4152     uint8_t *uu____1 = b[i0];
4153     core_ops_range_Range_b3 lit;
4154     lit.start = (size_t)0U;
4155     lit.end = Eurydice_slice_len(out[i0], uint8_t);
4156     Eurydice_slice_copy(
4157         uu____0,
4158         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
4159                                    core_ops_range_Range_b3),
4160         uint8_t);
4161   }
4162 }
4163 
4164 /**
4165 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_last
4166 with types uint64_t
4167 with const generics
4168 - N= 1
4169 - RATE= 168
4170 */
4171 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_cf3(
4172     libcrux_sha3_generic_keccak_KeccakState_48 s, Eurydice_slice out[1U]) {
4173   libcrux_sha3_generic_keccak_keccakf1600_21(&s);
4174   uint8_t b[1U][200U];
4175   libcrux_sha3_portable_keccak_store_block_full_5a_293(s.st, b);
4176   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
4177     size_t i0 = i;
4178     Eurydice_slice uu____0 = out[i0];
4179     uint8_t *uu____1 = b[i0];
4180     core_ops_range_Range_b3 lit;
4181     lit.start = (size_t)0U;
4182     lit.end = Eurydice_slice_len(out[i0], uint8_t);
4183     Eurydice_slice_copy(
4184         uu____0,
4185         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
4186                                    core_ops_range_Range_b3),
4187         uint8_t);
4188   }
4189 }
4190 
4191 /**
4192 A monomorphic instance of libcrux_sha3.generic_keccak.keccak
4193 with types uint64_t
4194 with const generics
4195 - N= 1
4196 - RATE= 168
4197 - DELIM= 31
4198 */
4199 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_e94(
4200     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
4201   libcrux_sha3_generic_keccak_KeccakState_48 s =
4202       libcrux_sha3_generic_keccak_new_1e_f4();
4203   for (size_t i = (size_t)0U;
4204        i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)168U; i++) {
4205     size_t i0 = i;
4206     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
4207     /* Passing arrays by value in Rust generates a copy in C */
4208     Eurydice_slice copy_of_data[1U];
4209     memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
4210     Eurydice_slice ret[1U];
4211     libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)168U,
4212                                             (size_t)168U, ret);
4213     libcrux_sha3_generic_keccak_absorb_block_df3(uu____0, ret);
4214   }
4215   size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)168U;
4216   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
4217   /* Passing arrays by value in Rust generates a copy in C */
4218   Eurydice_slice copy_of_data[1U];
4219   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
4220   Eurydice_slice ret[1U];
4221   libcrux_sha3_portable_keccak_slice_n_5a(
4222       copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
4223   libcrux_sha3_generic_keccak_absorb_final_c72(uu____2, ret);
4224   size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
4225   size_t blocks = outlen / (size_t)168U;
4226   size_t last = outlen - outlen % (size_t)168U;
4227   if (blocks == (size_t)0U) {
4228     libcrux_sha3_generic_keccak_squeeze_first_and_last_c53(&s, out);
4229   } else {
4230     Eurydice_slice_uint8_t_1size_t__x2 uu____4 =
4231         libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U);
4232     Eurydice_slice o0[1U];
4233     memcpy(o0, uu____4.fst, (size_t)1U * sizeof(Eurydice_slice));
4234     Eurydice_slice o1[1U];
4235     memcpy(o1, uu____4.snd, (size_t)1U * sizeof(Eurydice_slice));
4236     libcrux_sha3_generic_keccak_squeeze_first_block_841(&s, o0);
4237     core_ops_range_Range_b3 iter =
4238         core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
4239             (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
4240                                                .end = blocks}),
4241             core_ops_range_Range_b3, core_ops_range_Range_b3);
4242     while (true) {
4243       if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
4244               &iter, size_t, Option_b3)
4245               .tag == None) {
4246         break;
4247       } else {
4248         Eurydice_slice_uint8_t_1size_t__x2 uu____5 =
4249             libcrux_sha3_portable_keccak_split_at_mut_n_5a(o1, (size_t)168U);
4250         Eurydice_slice o[1U];
4251         memcpy(o, uu____5.fst, (size_t)1U * sizeof(Eurydice_slice));
4252         Eurydice_slice orest[1U];
4253         memcpy(orest, uu____5.snd, (size_t)1U * sizeof(Eurydice_slice));
4254         libcrux_sha3_generic_keccak_squeeze_next_block_fc1(&s, o);
4255         memcpy(o1, orest, (size_t)1U * sizeof(Eurydice_slice));
4256       }
4257     }
4258     if (last < outlen) {
4259       libcrux_sha3_generic_keccak_squeeze_last_cf3(s, o1);
4260     }
4261   }
4262 }
4263 
4264 /**
4265 A monomorphic instance of libcrux_sha3.portable.keccakx1
4266 with const generics
4267 - RATE= 168
4268 - DELIM= 31
4269 */
4270 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ce4(
4271     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
4272   /* Passing arrays by value in Rust generates a copy in C */
4273   Eurydice_slice copy_of_data[1U];
4274   memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
4275   libcrux_sha3_generic_keccak_keccak_e94(copy_of_data, out);
4276 }
4277 
4278 /**
4279  A portable SHAKE128 implementation.
4280 */
4281 static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
4282     Eurydice_slice digest, Eurydice_slice data) {
4283   Eurydice_slice buf0[1U] = {data};
4284   Eurydice_slice buf[1U] = {digest};
4285   libcrux_sha3_portable_keccakx1_ce4(buf0, buf);
4286 }
4287 
4288 /**
4289  SHAKE 128
4290 
4291  Writes `out.len()` bytes.
4292 */
4293 static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
4294                                                       Eurydice_slice data) {
4295   libcrux_sha3_portable_shake128(out, data);
4296 }
4297 
4298 /**
4299  SHAKE 256
4300 
4301  Writes `out.len()` bytes.
4302 */
4303 static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out,
4304                                                       Eurydice_slice data) {
4305   libcrux_sha3_portable_shake256(out, data);
4306 }
4307 
4308 static const size_t libcrux_sha3_generic_keccak__PI[24U] = {
4309     (size_t)6U, (size_t)12U, (size_t)18U, (size_t)24U, (size_t)3U,
4310     (size_t)9U, (size_t)10U, (size_t)16U, (size_t)22U, (size_t)1U,
4311     (size_t)7U, (size_t)13U, (size_t)19U, (size_t)20U, (size_t)4U,
4312     (size_t)5U, (size_t)11U, (size_t)17U, (size_t)23U, (size_t)2U,
4313     (size_t)8U, (size_t)14U, (size_t)15U, (size_t)21U};
4314 
4315 static const size_t libcrux_sha3_generic_keccak__ROTC[24U] = {
4316     (size_t)1U,  (size_t)62U, (size_t)28U, (size_t)27U, (size_t)36U,
4317     (size_t)44U, (size_t)6U,  (size_t)55U, (size_t)20U, (size_t)3U,
4318     (size_t)10U, (size_t)43U, (size_t)25U, (size_t)39U, (size_t)41U,
4319     (size_t)45U, (size_t)15U, (size_t)21U, (size_t)8U,  (size_t)18U,
4320     (size_t)2U,  (size_t)61U, (size_t)56U, (size_t)14U};
4321 
4322 /**
4323  A portable SHA3 224 implementation.
4324 */
4325 static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
4326                                                      Eurydice_slice data) {
4327   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4328                     "panic!");
4329   KRML_HOST_EXIT(255U);
4330 }
4331 
4332 /**
4333  A portable SHA3 256 implementation.
4334 */
4335 static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
4336                                                      Eurydice_slice data) {
4337   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4338                     "panic!");
4339   KRML_HOST_EXIT(255U);
4340 }
4341 
4342 /**
4343  A portable SHA3 384 implementation.
4344 */
4345 static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
4346                                                      Eurydice_slice data) {
4347   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4348                     "panic!");
4349   KRML_HOST_EXIT(255U);
4350 }
4351 
4352 /**
4353  A portable SHA3 512 implementation.
4354 */
4355 static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
4356                                                      Eurydice_slice data) {
4357   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4358                     "panic!");
4359   KRML_HOST_EXIT(255U);
4360 }
4361 
4362 /**
4363  Run SHAKE256 on both inputs in parallel.
4364 
4365  Writes the two results into `out0` and `out1`
4366 */
4367 static KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
4368                                                           Eurydice_slice input1,
4369                                                           Eurydice_slice out0,
4370                                                           Eurydice_slice out1) {
4371   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4372                     "panic!");
4373   KRML_HOST_EXIT(255U);
4374 }
4375 
4376 typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s {
4377   libcrux_sha3_generic_keccak_KeccakState_48 state[2U];
4378 } libcrux_sha3_neon_x2_incremental_KeccakState;
4379 
4380 /**
4381  Initialise the `KeccakState2`.
4382 */
4383 static KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState
4384 libcrux_sha3_neon_x2_incremental_shake128_init(void) {
4385   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4386                     "panic!");
4387   KRML_HOST_EXIT(255U);
4388 }
4389 
4390 /**
4391  Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
4392 */
4393 static KRML_MUSTINLINE void
4394 libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
4395     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
4396     Eurydice_slice data1) {
4397   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4398                     "panic!");
4399   KRML_HOST_EXIT(255U);
4400 }
4401 
4402 /**
4403  Squeeze 2 times the first three blocks in parallel in the
4404  [`KeccakState`] and return the output in `out0` and `out1`.
4405 */
4406 static KRML_MUSTINLINE void
4407 libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
4408     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
4409     Eurydice_slice out1) {
4410   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4411                     "panic!");
4412   KRML_HOST_EXIT(255U);
4413 }
4414 
4415 /**
4416  Squeeze 2 times the next block in parallel in the
4417  [`KeccakState`] and return the output in `out0` and `out1`.
4418 */
4419 static KRML_MUSTINLINE void
4420 libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
4421     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
4422     Eurydice_slice out1) {
4423   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
4424                     "panic!");
4425   KRML_HOST_EXIT(255U);
4426 }
4427 
4428 /**
4429 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_first_five_blocks
4430 with types uint64_t
4431 with const generics
4432 - N= 1
4433 - RATE= 168
4434 */
4435 static KRML_MUSTINLINE void
4436 libcrux_sha3_generic_keccak_squeeze_first_five_blocks_4f(
4437     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out[1U]) {
4438   Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
4439       libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, (size_t)168U);
4440   Eurydice_slice o0[1U];
4441   memcpy(o0, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
4442   Eurydice_slice o10[1U];
4443   memcpy(o10, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
4444   libcrux_sha3_generic_keccak_squeeze_first_block_841(s, o0);
4445   Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
4446       libcrux_sha3_portable_keccak_split_at_mut_n_5a(o10, (size_t)168U);
4447   Eurydice_slice o1[1U];
4448   memcpy(o1, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
4449   Eurydice_slice o20[1U];
4450   memcpy(o20, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
4451   libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, o1);
4452   Eurydice_slice_uint8_t_1size_t__x2 uu____2 =
4453       libcrux_sha3_portable_keccak_split_at_mut_n_5a(o20, (size_t)168U);
4454   Eurydice_slice o2[1U];
4455   memcpy(o2, uu____2.fst, (size_t)1U * sizeof(Eurydice_slice));
4456   Eurydice_slice o30[1U];
4457   memcpy(o30, uu____2.snd, (size_t)1U * sizeof(Eurydice_slice));
4458   libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, o2);
4459   Eurydice_slice_uint8_t_1size_t__x2 uu____3 =
4460       libcrux_sha3_portable_keccak_split_at_mut_n_5a(o30, (size_t)168U);
4461   Eurydice_slice o3[1U];
4462   memcpy(o3, uu____3.fst, (size_t)1U * sizeof(Eurydice_slice));
4463   Eurydice_slice o4[1U];
4464   memcpy(o4, uu____3.snd, (size_t)1U * sizeof(Eurydice_slice));
4465   libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, o3);
4466   libcrux_sha3_generic_keccak_squeeze_next_block_fc1(s, o4);
4467 }
4468 
4469 /**
4470  Squeeze five blocks
4471 */
4472 static KRML_MUSTINLINE void
4473 libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks(
4474     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) {
4475   Eurydice_slice buf[1U] = {out0};
4476   libcrux_sha3_generic_keccak_squeeze_first_five_blocks_4f(s, buf);
4477 }
4478 
4479 /**
4480  Absorb some data for SHAKE-256 for the last time
4481 */
4482 static KRML_MUSTINLINE void
4483 libcrux_sha3_portable_incremental_shake256_absorb_final(
4484     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice data) {
4485   Eurydice_slice buf[1U] = {data};
4486   libcrux_sha3_generic_keccak_absorb_final_c71(s, buf);
4487 }
4488 
4489 /**
4490  Create a new SHAKE-256 state object.
4491 */
4492 static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_48
4493 libcrux_sha3_portable_incremental_shake256_init(void) {
4494   return libcrux_sha3_generic_keccak_new_1e_f4();
4495 }
4496 
4497 /**
4498  Squeeze the first SHAKE-256 block
4499 */
4500 static KRML_MUSTINLINE void
4501 libcrux_sha3_portable_incremental_shake256_squeeze_first_block(
4502     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out) {
4503   Eurydice_slice buf[1U] = {out};
4504   libcrux_sha3_generic_keccak_squeeze_first_block_840(s, buf);
4505 }
4506 
4507 /**
4508  Squeeze the next SHAKE-256 block
4509 */
4510 static KRML_MUSTINLINE void
4511 libcrux_sha3_portable_incremental_shake256_squeeze_next_block(
4512     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out) {
4513   Eurydice_slice buf[1U] = {out};
4514   libcrux_sha3_generic_keccak_squeeze_next_block_fc0(s, buf);
4515 }
4516 
4517 /**
4518 A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState
4519 with types uint64_t
4520 with const generics
4521 - $1size_t
4522 - $136size_t
4523 */
4524 typedef struct libcrux_sha3_generic_keccak_KeccakXofState_4f_s {
4525   libcrux_sha3_generic_keccak_KeccakState_48 inner;
4526   uint8_t buf[1U][136U];
4527   size_t buf_len;
4528   bool sponge;
4529 } libcrux_sha3_generic_keccak_KeccakXofState_4f;
4530 
4531 typedef libcrux_sha3_generic_keccak_KeccakXofState_4f
4532     libcrux_sha3_portable_incremental_Shake256Absorb;
4533 
4534 /**
4535  Consume the internal buffer and the required amount of the input to pad to
4536  `RATE`.
4537 
4538  Returns the `consumed` bytes from `inputs` if there's enough buffered
4539  content to consume, and `0` otherwise.
4540  If `consumed > 0` is returned, `self.buf` contains a full block to be
4541  loaded.
4542 */
4543 /**
4544 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
4545 PARALLEL_LANES, RATE>[TraitClause@0]#2}
4546 */
4547 /**
4548 A monomorphic instance of libcrux_sha3.generic_keccak.fill_buffer_9d
4549 with types uint64_t
4550 with const generics
4551 - PARALLEL_LANES= 1
4552 - RATE= 136
4553 */
4554 static inline size_t libcrux_sha3_generic_keccak_fill_buffer_9d_b0(
4555     libcrux_sha3_generic_keccak_KeccakXofState_4f *self,
4556     Eurydice_slice inputs[1U]) {
4557   size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
4558   size_t consumed = (size_t)0U;
4559   if (self->buf_len > (size_t)0U) {
4560     if (self->buf_len + input_len >= (size_t)136U) {
4561       consumed = (size_t)136U - self->buf_len;
4562       for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
4563         size_t i0 = i;
4564         Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
4565             (size_t)136U, self->buf[i0], self->buf_len, uint8_t, size_t);
4566         Eurydice_slice_copy(
4567             uu____0,
4568             Eurydice_slice_subslice_to(inputs[i0], consumed, uint8_t, size_t),
4569             uint8_t);
4570       }
4571       self->buf_len = self->buf_len + consumed;
4572     }
4573   }
4574   return consumed;
4575 }
4576 
4577 /**
4578 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
4579 PARALLEL_LANES, RATE>[TraitClause@0]#2}
4580 */
4581 /**
4582 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_full_9d
4583 with types uint64_t
4584 with const generics
4585 - PARALLEL_LANES= 1
4586 - RATE= 136
4587 */
4588 static inline size_t libcrux_sha3_generic_keccak_absorb_full_9d_f8(
4589     libcrux_sha3_generic_keccak_KeccakXofState_4f *self,
4590     Eurydice_slice inputs[1U]) {
4591   libcrux_sha3_generic_keccak_KeccakXofState_4f *uu____0 = self;
4592   /* Passing arrays by value in Rust generates a copy in C */
4593   Eurydice_slice copy_of_inputs0[1U];
4594   memcpy(copy_of_inputs0, inputs, (size_t)1U * sizeof(Eurydice_slice));
4595   size_t input_consumed =
4596       libcrux_sha3_generic_keccak_fill_buffer_9d_b0(uu____0, copy_of_inputs0);
4597   if (input_consumed > (size_t)0U) {
4598     Eurydice_slice borrowed[1U];
4599     for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
4600       uint8_t buf[136U] = {0U};
4601       borrowed[i] = core_array___Array_T__N__23__as_slice(
4602           (size_t)136U, buf, uint8_t, Eurydice_slice);
4603     }
4604     for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
4605       size_t i0 = i;
4606       borrowed[i0] =
4607           Eurydice_array_to_slice((size_t)136U, self->buf[i0], uint8_t);
4608     }
4609     uint64_t(*uu____2)[5U] = self->inner.st;
4610     Eurydice_slice uu____3[1U];
4611     memcpy(uu____3, borrowed, (size_t)1U * sizeof(Eurydice_slice));
4612     libcrux_sha3_portable_keccak_load_block_5a_b80(uu____2, uu____3);
4613     libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
4614     self->buf_len = (size_t)0U;
4615   }
4616   size_t input_to_consume =
4617       Eurydice_slice_len(inputs[0U], uint8_t) - input_consumed;
4618   size_t num_blocks = input_to_consume / (size_t)136U;
4619   size_t remainder = input_to_consume % (size_t)136U;
4620   for (size_t i = (size_t)0U; i < num_blocks; i++) {
4621     size_t i0 = i;
4622     uint64_t(*uu____4)[5U] = self->inner.st;
4623     /* Passing arrays by value in Rust generates a copy in C */
4624     Eurydice_slice copy_of_inputs[1U];
4625     memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
4626     Eurydice_slice ret[1U];
4627     libcrux_sha3_portable_keccak_slice_n_5a(
4628         copy_of_inputs, input_consumed + i0 * (size_t)136U, (size_t)136U, ret);
4629     libcrux_sha3_portable_keccak_load_block_5a_b80(uu____4, ret);
4630     libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
4631   }
4632   return remainder;
4633 }
4634 
4635 /**
4636  Absorb
4637 
4638  This function takes any number of bytes to absorb and buffers if it's not
4639  enough. The function assumes that all input slices in `blocks` have the same
4640  length.
4641 
4642  Only a multiple of `RATE` blocks are absorbed.
4643  For the remaining bytes [`absorb_final`] needs to be called.
4644 
4645  This works best with relatively small `inputs`.
4646 */
4647 /**
4648 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
4649 PARALLEL_LANES, RATE>[TraitClause@0]#2}
4650 */
4651 /**
4652 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_9d
4653 with types uint64_t
4654 with const generics
4655 - PARALLEL_LANES= 1
4656 - RATE= 136
4657 */
4658 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_9d_7b(
4659     libcrux_sha3_generic_keccak_KeccakXofState_4f *self,
4660     Eurydice_slice inputs[1U]) {
4661   libcrux_sha3_generic_keccak_KeccakXofState_4f *uu____0 = self;
4662   /* Passing arrays by value in Rust generates a copy in C */
4663   Eurydice_slice copy_of_inputs[1U];
4664   memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
4665   size_t input_remainder_len =
4666       libcrux_sha3_generic_keccak_absorb_full_9d_f8(uu____0, copy_of_inputs);
4667   if (input_remainder_len > (size_t)0U) {
4668     size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
4669     for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
4670       size_t i0 = i;
4671       Eurydice_slice uu____2 = Eurydice_array_to_subslice2(
4672           self->buf[i0], self->buf_len, self->buf_len + input_remainder_len,
4673           uint8_t);
4674       Eurydice_slice_copy(
4675           uu____2,
4676           Eurydice_slice_subslice_from(
4677               inputs[i0], input_len - input_remainder_len, uint8_t, size_t),
4678           uint8_t);
4679     }
4680     self->buf_len = self->buf_len + input_remainder_len;
4681   }
4682 }
4683 
4684 /**
4685  Shake256 absorb
4686 */
4687 /**
4688 This function found in impl
4689 {(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
4690 libcrux_sha3::portable::incremental::Shake256Absorb)#2}
4691 */
4692 static inline void libcrux_sha3_portable_incremental_absorb_7d(
4693     libcrux_sha3_generic_keccak_KeccakXofState_4f *self, Eurydice_slice input) {
4694   Eurydice_slice buf[1U] = {input};
4695   libcrux_sha3_generic_keccak_absorb_9d_7b(self, buf);
4696 }
4697 
4698 typedef libcrux_sha3_generic_keccak_KeccakXofState_4f
4699     libcrux_sha3_portable_incremental_Shake256Squeeze;
4700 
4701 /**
4702  Absorb a final block.
4703 
4704  The `inputs` block may be empty. Everything in the `inputs` block beyond
4705  `RATE` bytes is ignored.
4706 */
4707 /**
4708 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
4709 PARALLEL_LANES, RATE>[TraitClause@0]#2}
4710 */
4711 /**
4712 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final_9d
4713 with types uint64_t
4714 with const generics
4715 - PARALLEL_LANES= 1
4716 - RATE= 136
4717 - DELIMITER= 31
4718 */
4719 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9d_25(
4720     libcrux_sha3_generic_keccak_KeccakXofState_4f *self,
4721     Eurydice_slice inputs[1U]) {
4722   libcrux_sha3_generic_keccak_KeccakXofState_4f *uu____0 = self;
4723   /* Passing arrays by value in Rust generates a copy in C */
4724   Eurydice_slice copy_of_inputs[1U];
4725   memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
4726   size_t input_remainder_len =
4727       libcrux_sha3_generic_keccak_absorb_full_9d_f8(uu____0, copy_of_inputs);
4728   size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
4729   uint8_t blocks[1U][200U] = {{0U}};
4730   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
4731     size_t i0 = i;
4732     if (self->buf_len > (size_t)0U) {
4733       Eurydice_slice uu____2 = Eurydice_array_to_subslice2(
4734           blocks[i0], (size_t)0U, self->buf_len, uint8_t);
4735       Eurydice_slice_copy(uu____2,
4736                           Eurydice_array_to_subslice2(self->buf[i0], (size_t)0U,
4737                                                       self->buf_len, uint8_t),
4738                           uint8_t);
4739     }
4740     if (input_remainder_len > (size_t)0U) {
4741       Eurydice_slice uu____3 = Eurydice_array_to_subslice2(
4742           blocks[i0], self->buf_len, self->buf_len + input_remainder_len,
4743           uint8_t);
4744       Eurydice_slice_copy(
4745           uu____3,
4746           Eurydice_slice_subslice_from(
4747               inputs[i0], input_len - input_remainder_len, uint8_t, size_t),
4748           uint8_t);
4749     }
4750     blocks[i0][self->buf_len + input_remainder_len] = 31U;
4751     size_t uu____4 = i0;
4752     size_t uu____5 = (size_t)136U - (size_t)1U;
4753     blocks[uu____4][uu____5] = (uint32_t)blocks[uu____4][uu____5] | 128U;
4754   }
4755   uint64_t(*uu____6)[5U] = self->inner.st;
4756   uint8_t uu____7[1U][200U];
4757   memcpy(uu____7, blocks, (size_t)1U * sizeof(uint8_t[200U]));
4758   libcrux_sha3_portable_keccak_load_block_full_5a_d20(uu____6, uu____7);
4759   libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
4760 }
4761 
4762 /**
4763  Shake256 absorb final
4764 */
4765 /**
4766 This function found in impl
4767 {(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
4768 libcrux_sha3::portable::incremental::Shake256Absorb)#2}
4769 */
4770 static inline libcrux_sha3_generic_keccak_KeccakXofState_4f
4771 libcrux_sha3_portable_incremental_absorb_final_7d(
4772     libcrux_sha3_generic_keccak_KeccakXofState_4f self, Eurydice_slice input) {
4773   Eurydice_slice buf[1U] = {input};
4774   libcrux_sha3_generic_keccak_absorb_final_9d_25(&self, buf);
4775   return self;
4776 }
4777 
4778 /**
4779  An all zero block
4780 */
4781 /**
4782 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
4783 PARALLEL_LANES, RATE>[TraitClause@0]#2}
4784 */
4785 /**
4786 A monomorphic instance of libcrux_sha3.generic_keccak.zero_block_9d
4787 with types uint64_t
4788 with const generics
4789 - PARALLEL_LANES= 1
4790 - RATE= 136
4791 */
4792 static inline void libcrux_sha3_generic_keccak_zero_block_9d_e6(
4793     uint8_t ret[136U]) {
4794   ret[0U] = 0U;
4795   ret[1U] = 0U;
4796   ret[2U] = 0U;
4797   ret[3U] = 0U;
4798   ret[4U] = 0U;
4799   ret[5U] = 0U;
4800   ret[6U] = 0U;
4801   ret[7U] = 0U;
4802   ret[8U] = 0U;
4803   ret[9U] = 0U;
4804   ret[10U] = 0U;
4805   ret[11U] = 0U;
4806   ret[12U] = 0U;
4807   ret[13U] = 0U;
4808   ret[14U] = 0U;
4809   ret[15U] = 0U;
4810   ret[16U] = 0U;
4811   ret[17U] = 0U;
4812   ret[18U] = 0U;
4813   ret[19U] = 0U;
4814   ret[20U] = 0U;
4815   ret[21U] = 0U;
4816   ret[22U] = 0U;
4817   ret[23U] = 0U;
4818   ret[24U] = 0U;
4819   ret[25U] = 0U;
4820   ret[26U] = 0U;
4821   ret[27U] = 0U;
4822   ret[28U] = 0U;
4823   ret[29U] = 0U;
4824   ret[30U] = 0U;
4825   ret[31U] = 0U;
4826   ret[32U] = 0U;
4827   ret[33U] = 0U;
4828   ret[34U] = 0U;
4829   ret[35U] = 0U;
4830   ret[36U] = 0U;
4831   ret[37U] = 0U;
4832   ret[38U] = 0U;
4833   ret[39U] = 0U;
4834   ret[40U] = 0U;
4835   ret[41U] = 0U;
4836   ret[42U] = 0U;
4837   ret[43U] = 0U;
4838   ret[44U] = 0U;
4839   ret[45U] = 0U;
4840   ret[46U] = 0U;
4841   ret[47U] = 0U;
4842   ret[48U] = 0U;
4843   ret[49U] = 0U;
4844   ret[50U] = 0U;
4845   ret[51U] = 0U;
4846   ret[52U] = 0U;
4847   ret[53U] = 0U;
4848   ret[54U] = 0U;
4849   ret[55U] = 0U;
4850   ret[56U] = 0U;
4851   ret[57U] = 0U;
4852   ret[58U] = 0U;
4853   ret[59U] = 0U;
4854   ret[60U] = 0U;
4855   ret[61U] = 0U;
4856   ret[62U] = 0U;
4857   ret[63U] = 0U;
4858   ret[64U] = 0U;
4859   ret[65U] = 0U;
4860   ret[66U] = 0U;
4861   ret[67U] = 0U;
4862   ret[68U] = 0U;
4863   ret[69U] = 0U;
4864   ret[70U] = 0U;
4865   ret[71U] = 0U;
4866   ret[72U] = 0U;
4867   ret[73U] = 0U;
4868   ret[74U] = 0U;
4869   ret[75U] = 0U;
4870   ret[76U] = 0U;
4871   ret[77U] = 0U;
4872   ret[78U] = 0U;
4873   ret[79U] = 0U;
4874   ret[80U] = 0U;
4875   ret[81U] = 0U;
4876   ret[82U] = 0U;
4877   ret[83U] = 0U;
4878   ret[84U] = 0U;
4879   ret[85U] = 0U;
4880   ret[86U] = 0U;
4881   ret[87U] = 0U;
4882   ret[88U] = 0U;
4883   ret[89U] = 0U;
4884   ret[90U] = 0U;
4885   ret[91U] = 0U;
4886   ret[92U] = 0U;
4887   ret[93U] = 0U;
4888   ret[94U] = 0U;
4889   ret[95U] = 0U;
4890   ret[96U] = 0U;
4891   ret[97U] = 0U;
4892   ret[98U] = 0U;
4893   ret[99U] = 0U;
4894   ret[100U] = 0U;
4895   ret[101U] = 0U;
4896   ret[102U] = 0U;
4897   ret[103U] = 0U;
4898   ret[104U] = 0U;
4899   ret[105U] = 0U;
4900   ret[106U] = 0U;
4901   ret[107U] = 0U;
4902   ret[108U] = 0U;
4903   ret[109U] = 0U;
4904   ret[110U] = 0U;
4905   ret[111U] = 0U;
4906   ret[112U] = 0U;
4907   ret[113U] = 0U;
4908   ret[114U] = 0U;
4909   ret[115U] = 0U;
4910   ret[116U] = 0U;
4911   ret[117U] = 0U;
4912   ret[118U] = 0U;
4913   ret[119U] = 0U;
4914   ret[120U] = 0U;
4915   ret[121U] = 0U;
4916   ret[122U] = 0U;
4917   ret[123U] = 0U;
4918   ret[124U] = 0U;
4919   ret[125U] = 0U;
4920   ret[126U] = 0U;
4921   ret[127U] = 0U;
4922   ret[128U] = 0U;
4923   ret[129U] = 0U;
4924   ret[130U] = 0U;
4925   ret[131U] = 0U;
4926   ret[132U] = 0U;
4927   ret[133U] = 0U;
4928   ret[134U] = 0U;
4929   ret[135U] = 0U;
4930 }
4931 
4932 /**
4933  Generate a new keccak xof state.
4934 */
4935 /**
4936 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
4937 PARALLEL_LANES, RATE>[TraitClause@0]#2}
4938 */
4939 /**
4940 A monomorphic instance of libcrux_sha3.generic_keccak.new_9d
4941 with types uint64_t
4942 with const generics
4943 - PARALLEL_LANES= 1
4944 - RATE= 136
4945 */
4946 static inline libcrux_sha3_generic_keccak_KeccakXofState_4f
4947 libcrux_sha3_generic_keccak_new_9d_7e(void) {
4948   libcrux_sha3_generic_keccak_KeccakXofState_4f lit;
4949   lit.inner = libcrux_sha3_generic_keccak_new_1e_f4();
4950   uint8_t ret[136U];
4951   libcrux_sha3_generic_keccak_zero_block_9d_e6(ret);
4952   memcpy(lit.buf[0U], ret, (size_t)136U * sizeof(uint8_t));
4953   lit.buf_len = (size_t)0U;
4954   lit.sponge = false;
4955   return lit;
4956 }
4957 
4958 /**
4959  Shake256 new state
4960 */
4961 /**
4962 This function found in impl
4963 {(libcrux_sha3::portable::incremental::XofAbsorb<136: usize> for
4964 libcrux_sha3::portable::incremental::Shake256Absorb)#2}
4965 */
4966 static inline libcrux_sha3_generic_keccak_KeccakXofState_4f
4967 libcrux_sha3_portable_incremental_new_7d(void) {
4968   return libcrux_sha3_generic_keccak_new_9d_7e();
4969 }
4970 
4971 /**
4972 A monomorphic instance of libcrux_sha3.generic_keccak.KeccakXofState
4973 with types uint64_t
4974 with const generics
4975 - $1size_t
4976 - $168size_t
4977 */
4978 typedef struct libcrux_sha3_generic_keccak_KeccakXofState_78_s {
4979   libcrux_sha3_generic_keccak_KeccakState_48 inner;
4980   uint8_t buf[1U][168U];
4981   size_t buf_len;
4982   bool sponge;
4983 } libcrux_sha3_generic_keccak_KeccakXofState_78;
4984 
4985 typedef libcrux_sha3_generic_keccak_KeccakXofState_78
4986     libcrux_sha3_portable_incremental_Shake128Absorb;
4987 
4988 /**
4989  Consume the internal buffer and the required amount of the input to pad to
4990  `RATE`.
4991 
4992  Returns the `consumed` bytes from `inputs` if there's enough buffered
4993  content to consume, and `0` otherwise.
4994  If `consumed > 0` is returned, `self.buf` contains a full block to be
4995  loaded.
4996 */
4997 /**
4998 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
4999 PARALLEL_LANES, RATE>[TraitClause@0]#2}
5000 */
5001 /**
5002 A monomorphic instance of libcrux_sha3.generic_keccak.fill_buffer_9d
5003 with types uint64_t
5004 with const generics
5005 - PARALLEL_LANES= 1
5006 - RATE= 168
5007 */
5008 static inline size_t libcrux_sha3_generic_keccak_fill_buffer_9d_b00(
5009     libcrux_sha3_generic_keccak_KeccakXofState_78 *self,
5010     Eurydice_slice inputs[1U]) {
5011   size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
5012   size_t consumed = (size_t)0U;
5013   if (self->buf_len > (size_t)0U) {
5014     if (self->buf_len + input_len >= (size_t)168U) {
5015       consumed = (size_t)168U - self->buf_len;
5016       for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
5017         size_t i0 = i;
5018         Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
5019             (size_t)168U, self->buf[i0], self->buf_len, uint8_t, size_t);
5020         Eurydice_slice_copy(
5021             uu____0,
5022             Eurydice_slice_subslice_to(inputs[i0], consumed, uint8_t, size_t),
5023             uint8_t);
5024       }
5025       self->buf_len = self->buf_len + consumed;
5026     }
5027   }
5028   return consumed;
5029 }
5030 
5031 /**
5032 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
5033 PARALLEL_LANES, RATE>[TraitClause@0]#2}
5034 */
5035 /**
5036 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_full_9d
5037 with types uint64_t
5038 with const generics
5039 - PARALLEL_LANES= 1
5040 - RATE= 168
5041 */
5042 static inline size_t libcrux_sha3_generic_keccak_absorb_full_9d_f80(
5043     libcrux_sha3_generic_keccak_KeccakXofState_78 *self,
5044     Eurydice_slice inputs[1U]) {
5045   libcrux_sha3_generic_keccak_KeccakXofState_78 *uu____0 = self;
5046   /* Passing arrays by value in Rust generates a copy in C */
5047   Eurydice_slice copy_of_inputs0[1U];
5048   memcpy(copy_of_inputs0, inputs, (size_t)1U * sizeof(Eurydice_slice));
5049   size_t input_consumed =
5050       libcrux_sha3_generic_keccak_fill_buffer_9d_b00(uu____0, copy_of_inputs0);
5051   if (input_consumed > (size_t)0U) {
5052     Eurydice_slice borrowed[1U];
5053     for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
5054       uint8_t buf[168U] = {0U};
5055       borrowed[i] = core_array___Array_T__N__23__as_slice(
5056           (size_t)168U, buf, uint8_t, Eurydice_slice);
5057     }
5058     for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
5059       size_t i0 = i;
5060       borrowed[i0] =
5061           Eurydice_array_to_slice((size_t)168U, self->buf[i0], uint8_t);
5062     }
5063     uint64_t(*uu____2)[5U] = self->inner.st;
5064     Eurydice_slice uu____3[1U];
5065     memcpy(uu____3, borrowed, (size_t)1U * sizeof(Eurydice_slice));
5066     libcrux_sha3_portable_keccak_load_block_5a_b83(uu____2, uu____3);
5067     libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5068     self->buf_len = (size_t)0U;
5069   }
5070   size_t input_to_consume =
5071       Eurydice_slice_len(inputs[0U], uint8_t) - input_consumed;
5072   size_t num_blocks = input_to_consume / (size_t)168U;
5073   size_t remainder = input_to_consume % (size_t)168U;
5074   for (size_t i = (size_t)0U; i < num_blocks; i++) {
5075     size_t i0 = i;
5076     uint64_t(*uu____4)[5U] = self->inner.st;
5077     /* Passing arrays by value in Rust generates a copy in C */
5078     Eurydice_slice copy_of_inputs[1U];
5079     memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
5080     Eurydice_slice ret[1U];
5081     libcrux_sha3_portable_keccak_slice_n_5a(
5082         copy_of_inputs, input_consumed + i0 * (size_t)168U, (size_t)168U, ret);
5083     libcrux_sha3_portable_keccak_load_block_5a_b83(uu____4, ret);
5084     libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5085   }
5086   return remainder;
5087 }
5088 
5089 /**
5090  Absorb
5091 
5092  This function takes any number of bytes to absorb and buffers if it's not
5093  enough. The function assumes that all input slices in `blocks` have the same
5094  length.
5095 
5096  Only a multiple of `RATE` blocks are absorbed.
5097  For the remaining bytes [`absorb_final`] needs to be called.
5098 
5099  This works best with relatively small `inputs`.
5100 */
5101 /**
5102 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
5103 PARALLEL_LANES, RATE>[TraitClause@0]#2}
5104 */
5105 /**
5106 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_9d
5107 with types uint64_t
5108 with const generics
5109 - PARALLEL_LANES= 1
5110 - RATE= 168
5111 */
5112 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_9d_7b0(
5113     libcrux_sha3_generic_keccak_KeccakXofState_78 *self,
5114     Eurydice_slice inputs[1U]) {
5115   libcrux_sha3_generic_keccak_KeccakXofState_78 *uu____0 = self;
5116   /* Passing arrays by value in Rust generates a copy in C */
5117   Eurydice_slice copy_of_inputs[1U];
5118   memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
5119   size_t input_remainder_len =
5120       libcrux_sha3_generic_keccak_absorb_full_9d_f80(uu____0, copy_of_inputs);
5121   if (input_remainder_len > (size_t)0U) {
5122     size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
5123     for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
5124       size_t i0 = i;
5125       Eurydice_slice uu____2 = Eurydice_array_to_subslice2(
5126           self->buf[i0], self->buf_len, self->buf_len + input_remainder_len,
5127           uint8_t);
5128       Eurydice_slice_copy(
5129           uu____2,
5130           Eurydice_slice_subslice_from(
5131               inputs[i0], input_len - input_remainder_len, uint8_t, size_t),
5132           uint8_t);
5133     }
5134     self->buf_len = self->buf_len + input_remainder_len;
5135   }
5136 }
5137 
5138 /**
5139 This function found in impl
5140 {(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
5141 libcrux_sha3::portable::incremental::Shake128Absorb)}
5142 */
5143 static inline void libcrux_sha3_portable_incremental_absorb_1c(
5144     libcrux_sha3_generic_keccak_KeccakXofState_78 *self, Eurydice_slice input) {
5145   Eurydice_slice buf[1U] = {input};
5146   libcrux_sha3_generic_keccak_absorb_9d_7b0(self, buf);
5147 }
5148 
5149 typedef libcrux_sha3_generic_keccak_KeccakXofState_78
5150     libcrux_sha3_portable_incremental_Shake128Squeeze;
5151 
5152 /**
5153  Absorb a final block.
5154 
5155  The `inputs` block may be empty. Everything in the `inputs` block beyond
5156  `RATE` bytes is ignored.
5157 */
5158 /**
5159 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
5160 PARALLEL_LANES, RATE>[TraitClause@0]#2}
5161 */
5162 /**
5163 A monomorphic instance of libcrux_sha3.generic_keccak.absorb_final_9d
5164 with types uint64_t
5165 with const generics
5166 - PARALLEL_LANES= 1
5167 - RATE= 168
5168 - DELIMITER= 31
5169 */
5170 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9d_250(
5171     libcrux_sha3_generic_keccak_KeccakXofState_78 *self,
5172     Eurydice_slice inputs[1U]) {
5173   libcrux_sha3_generic_keccak_KeccakXofState_78 *uu____0 = self;
5174   /* Passing arrays by value in Rust generates a copy in C */
5175   Eurydice_slice copy_of_inputs[1U];
5176   memcpy(copy_of_inputs, inputs, (size_t)1U * sizeof(Eurydice_slice));
5177   size_t input_remainder_len =
5178       libcrux_sha3_generic_keccak_absorb_full_9d_f80(uu____0, copy_of_inputs);
5179   size_t input_len = Eurydice_slice_len(inputs[0U], uint8_t);
5180   uint8_t blocks[1U][200U] = {{0U}};
5181   for (size_t i = (size_t)0U; i < (size_t)1U; i++) {
5182     size_t i0 = i;
5183     if (self->buf_len > (size_t)0U) {
5184       Eurydice_slice uu____2 = Eurydice_array_to_subslice2(
5185           blocks[i0], (size_t)0U, self->buf_len, uint8_t);
5186       Eurydice_slice_copy(uu____2,
5187                           Eurydice_array_to_subslice2(self->buf[i0], (size_t)0U,
5188                                                       self->buf_len, uint8_t),
5189                           uint8_t);
5190     }
5191     if (input_remainder_len > (size_t)0U) {
5192       Eurydice_slice uu____3 = Eurydice_array_to_subslice2(
5193           blocks[i0], self->buf_len, self->buf_len + input_remainder_len,
5194           uint8_t);
5195       Eurydice_slice_copy(
5196           uu____3,
5197           Eurydice_slice_subslice_from(
5198               inputs[i0], input_len - input_remainder_len, uint8_t, size_t),
5199           uint8_t);
5200     }
5201     blocks[i0][self->buf_len + input_remainder_len] = 31U;
5202     size_t uu____4 = i0;
5203     size_t uu____5 = (size_t)168U - (size_t)1U;
5204     blocks[uu____4][uu____5] = (uint32_t)blocks[uu____4][uu____5] | 128U;
5205   }
5206   uint64_t(*uu____6)[5U] = self->inner.st;
5207   uint8_t uu____7[1U][200U];
5208   memcpy(uu____7, blocks, (size_t)1U * sizeof(uint8_t[200U]));
5209   libcrux_sha3_portable_keccak_load_block_full_5a_d21(uu____6, uu____7);
5210   libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5211 }
5212 
5213 /**
5214 This function found in impl
5215 {(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
5216 libcrux_sha3::portable::incremental::Shake128Absorb)}
5217 */
5218 static inline libcrux_sha3_generic_keccak_KeccakXofState_78
5219 libcrux_sha3_portable_incremental_absorb_final_1c(
5220     libcrux_sha3_generic_keccak_KeccakXofState_78 self, Eurydice_slice input) {
5221   Eurydice_slice buf[1U] = {input};
5222   libcrux_sha3_generic_keccak_absorb_final_9d_250(&self, buf);
5223   return self;
5224 }
5225 
5226 /**
5227  An all zero block
5228 */
5229 /**
5230 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
5231 PARALLEL_LANES, RATE>[TraitClause@0]#2}
5232 */
5233 /**
5234 A monomorphic instance of libcrux_sha3.generic_keccak.zero_block_9d
5235 with types uint64_t
5236 with const generics
5237 - PARALLEL_LANES= 1
5238 - RATE= 168
5239 */
5240 static inline void libcrux_sha3_generic_keccak_zero_block_9d_e60(
5241     uint8_t ret[168U]) {
5242   ret[0U] = 0U;
5243   ret[1U] = 0U;
5244   ret[2U] = 0U;
5245   ret[3U] = 0U;
5246   ret[4U] = 0U;
5247   ret[5U] = 0U;
5248   ret[6U] = 0U;
5249   ret[7U] = 0U;
5250   ret[8U] = 0U;
5251   ret[9U] = 0U;
5252   ret[10U] = 0U;
5253   ret[11U] = 0U;
5254   ret[12U] = 0U;
5255   ret[13U] = 0U;
5256   ret[14U] = 0U;
5257   ret[15U] = 0U;
5258   ret[16U] = 0U;
5259   ret[17U] = 0U;
5260   ret[18U] = 0U;
5261   ret[19U] = 0U;
5262   ret[20U] = 0U;
5263   ret[21U] = 0U;
5264   ret[22U] = 0U;
5265   ret[23U] = 0U;
5266   ret[24U] = 0U;
5267   ret[25U] = 0U;
5268   ret[26U] = 0U;
5269   ret[27U] = 0U;
5270   ret[28U] = 0U;
5271   ret[29U] = 0U;
5272   ret[30U] = 0U;
5273   ret[31U] = 0U;
5274   ret[32U] = 0U;
5275   ret[33U] = 0U;
5276   ret[34U] = 0U;
5277   ret[35U] = 0U;
5278   ret[36U] = 0U;
5279   ret[37U] = 0U;
5280   ret[38U] = 0U;
5281   ret[39U] = 0U;
5282   ret[40U] = 0U;
5283   ret[41U] = 0U;
5284   ret[42U] = 0U;
5285   ret[43U] = 0U;
5286   ret[44U] = 0U;
5287   ret[45U] = 0U;
5288   ret[46U] = 0U;
5289   ret[47U] = 0U;
5290   ret[48U] = 0U;
5291   ret[49U] = 0U;
5292   ret[50U] = 0U;
5293   ret[51U] = 0U;
5294   ret[52U] = 0U;
5295   ret[53U] = 0U;
5296   ret[54U] = 0U;
5297   ret[55U] = 0U;
5298   ret[56U] = 0U;
5299   ret[57U] = 0U;
5300   ret[58U] = 0U;
5301   ret[59U] = 0U;
5302   ret[60U] = 0U;
5303   ret[61U] = 0U;
5304   ret[62U] = 0U;
5305   ret[63U] = 0U;
5306   ret[64U] = 0U;
5307   ret[65U] = 0U;
5308   ret[66U] = 0U;
5309   ret[67U] = 0U;
5310   ret[68U] = 0U;
5311   ret[69U] = 0U;
5312   ret[70U] = 0U;
5313   ret[71U] = 0U;
5314   ret[72U] = 0U;
5315   ret[73U] = 0U;
5316   ret[74U] = 0U;
5317   ret[75U] = 0U;
5318   ret[76U] = 0U;
5319   ret[77U] = 0U;
5320   ret[78U] = 0U;
5321   ret[79U] = 0U;
5322   ret[80U] = 0U;
5323   ret[81U] = 0U;
5324   ret[82U] = 0U;
5325   ret[83U] = 0U;
5326   ret[84U] = 0U;
5327   ret[85U] = 0U;
5328   ret[86U] = 0U;
5329   ret[87U] = 0U;
5330   ret[88U] = 0U;
5331   ret[89U] = 0U;
5332   ret[90U] = 0U;
5333   ret[91U] = 0U;
5334   ret[92U] = 0U;
5335   ret[93U] = 0U;
5336   ret[94U] = 0U;
5337   ret[95U] = 0U;
5338   ret[96U] = 0U;
5339   ret[97U] = 0U;
5340   ret[98U] = 0U;
5341   ret[99U] = 0U;
5342   ret[100U] = 0U;
5343   ret[101U] = 0U;
5344   ret[102U] = 0U;
5345   ret[103U] = 0U;
5346   ret[104U] = 0U;
5347   ret[105U] = 0U;
5348   ret[106U] = 0U;
5349   ret[107U] = 0U;
5350   ret[108U] = 0U;
5351   ret[109U] = 0U;
5352   ret[110U] = 0U;
5353   ret[111U] = 0U;
5354   ret[112U] = 0U;
5355   ret[113U] = 0U;
5356   ret[114U] = 0U;
5357   ret[115U] = 0U;
5358   ret[116U] = 0U;
5359   ret[117U] = 0U;
5360   ret[118U] = 0U;
5361   ret[119U] = 0U;
5362   ret[120U] = 0U;
5363   ret[121U] = 0U;
5364   ret[122U] = 0U;
5365   ret[123U] = 0U;
5366   ret[124U] = 0U;
5367   ret[125U] = 0U;
5368   ret[126U] = 0U;
5369   ret[127U] = 0U;
5370   ret[128U] = 0U;
5371   ret[129U] = 0U;
5372   ret[130U] = 0U;
5373   ret[131U] = 0U;
5374   ret[132U] = 0U;
5375   ret[133U] = 0U;
5376   ret[134U] = 0U;
5377   ret[135U] = 0U;
5378   ret[136U] = 0U;
5379   ret[137U] = 0U;
5380   ret[138U] = 0U;
5381   ret[139U] = 0U;
5382   ret[140U] = 0U;
5383   ret[141U] = 0U;
5384   ret[142U] = 0U;
5385   ret[143U] = 0U;
5386   ret[144U] = 0U;
5387   ret[145U] = 0U;
5388   ret[146U] = 0U;
5389   ret[147U] = 0U;
5390   ret[148U] = 0U;
5391   ret[149U] = 0U;
5392   ret[150U] = 0U;
5393   ret[151U] = 0U;
5394   ret[152U] = 0U;
5395   ret[153U] = 0U;
5396   ret[154U] = 0U;
5397   ret[155U] = 0U;
5398   ret[156U] = 0U;
5399   ret[157U] = 0U;
5400   ret[158U] = 0U;
5401   ret[159U] = 0U;
5402   ret[160U] = 0U;
5403   ret[161U] = 0U;
5404   ret[162U] = 0U;
5405   ret[163U] = 0U;
5406   ret[164U] = 0U;
5407   ret[165U] = 0U;
5408   ret[166U] = 0U;
5409   ret[167U] = 0U;
5410 }
5411 
5412 /**
5413  Generate a new keccak xof state.
5414 */
5415 /**
5416 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
5417 PARALLEL_LANES, RATE>[TraitClause@0]#2}
5418 */
5419 /**
5420 A monomorphic instance of libcrux_sha3.generic_keccak.new_9d
5421 with types uint64_t
5422 with const generics
5423 - PARALLEL_LANES= 1
5424 - RATE= 168
5425 */
5426 static inline libcrux_sha3_generic_keccak_KeccakXofState_78
5427 libcrux_sha3_generic_keccak_new_9d_7e0(void) {
5428   libcrux_sha3_generic_keccak_KeccakXofState_78 lit;
5429   lit.inner = libcrux_sha3_generic_keccak_new_1e_f4();
5430   uint8_t ret[168U];
5431   libcrux_sha3_generic_keccak_zero_block_9d_e60(ret);
5432   memcpy(lit.buf[0U], ret, (size_t)168U * sizeof(uint8_t));
5433   lit.buf_len = (size_t)0U;
5434   lit.sponge = false;
5435   return lit;
5436 }
5437 
5438 /**
5439 This function found in impl
5440 {(libcrux_sha3::portable::incremental::XofAbsorb<168: usize> for
5441 libcrux_sha3::portable::incremental::Shake128Absorb)}
5442 */
5443 static inline libcrux_sha3_generic_keccak_KeccakXofState_78
5444 libcrux_sha3_portable_incremental_new_1c(void) {
5445   return libcrux_sha3_generic_keccak_new_9d_7e0();
5446 }
5447 
5448 /**
5449  `out` has the exact size we want here. It must be less than or equal to `RATE`.
5450 */
5451 /**
5452 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
5453 usize> for u64)}
5454 */
5455 /**
5456 A monomorphic instance of libcrux_sha3.portable_keccak.store_5a
5457 with const generics
5458 - RATE= 136
5459 */
5460 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_1c(
5461     uint64_t (*state)[5U], Eurydice_slice out[1U]) {
5462   size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U;
5463   size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U;
5464   for (size_t i = (size_t)0U; i < num_full_blocks; i++) {
5465     size_t i0 = i;
5466     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
5467         out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
5468     uint8_t ret[8U];
5469     core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret);
5470     Eurydice_slice_copy(
5471         uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
5472   }
5473   if (last_block_len != (size_t)0U) {
5474     Eurydice_slice uu____1 = Eurydice_slice_subslice2(
5475         out[0U], num_full_blocks * (size_t)8U,
5476         num_full_blocks * (size_t)8U + last_block_len, uint8_t);
5477     uint8_t ret[8U];
5478     core_num__u64_9__to_le_bytes(
5479         state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret);
5480     Eurydice_slice_copy(
5481         uu____1,
5482         Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t),
5483         uint8_t);
5484   }
5485 }
5486 
5487 /**
5488  Squeeze `N` x `LEN` bytes.
5489 */
5490 /**
5491 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
5492 PARALLEL_LANES, RATE>[TraitClause@0]#2}
5493 */
5494 /**
5495 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_9d
5496 with types uint64_t
5497 with const generics
5498 - PARALLEL_LANES= 1
5499 - RATE= 136
5500 */
5501 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_9d_96(
5502     libcrux_sha3_generic_keccak_KeccakXofState_4f *self,
5503     Eurydice_slice out[1U]) {
5504   if (self->sponge) {
5505     libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5506   }
5507   size_t out_len = Eurydice_slice_len(out[0U], uint8_t);
5508   size_t blocks = out_len / (size_t)136U;
5509   size_t last = out_len - out_len % (size_t)136U;
5510   size_t mid;
5511   if ((size_t)136U >= out_len) {
5512     mid = out_len;
5513   } else {
5514     mid = (size_t)136U;
5515   }
5516   Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
5517       libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid);
5518   Eurydice_slice out00[1U];
5519   memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
5520   Eurydice_slice out_rest[1U];
5521   memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
5522   libcrux_sha3_portable_keccak_store_5a_1c(self->inner.st, out00);
5523   core_ops_range_Range_b3 iter =
5524       core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
5525           (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
5526                                              .end = blocks}),
5527           core_ops_range_Range_b3, core_ops_range_Range_b3);
5528   while (true) {
5529     if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
5530             &iter, size_t, Option_b3)
5531             .tag == None) {
5532       break;
5533     } else {
5534       Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
5535           libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest,
5536                                                          (size_t)136U);
5537       Eurydice_slice out0[1U];
5538       memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
5539       Eurydice_slice tmp[1U];
5540       memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
5541       libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5542       libcrux_sha3_portable_keccak_store_5a_1c(self->inner.st, out0);
5543       memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice));
5544     }
5545   }
5546   if (last < out_len) {
5547     libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5548     libcrux_sha3_portable_keccak_store_5a_1c(self->inner.st, out_rest);
5549   }
5550   self->sponge = true;
5551 }
5552 
5553 /**
5554  Shake256 squeeze
5555 */
5556 /**
5557 This function found in impl
5558 {(libcrux_sha3::portable::incremental::XofSqueeze<136: usize> for
5559 libcrux_sha3::portable::incremental::Shake256Squeeze)#3}
5560 */
5561 static inline void libcrux_sha3_portable_incremental_squeeze_8a(
5562     libcrux_sha3_generic_keccak_KeccakXofState_4f *self, Eurydice_slice out) {
5563   Eurydice_slice buf[1U] = {out};
5564   libcrux_sha3_generic_keccak_squeeze_9d_96(self, buf);
5565 }
5566 
5567 /**
5568  `out` has the exact size we want here. It must be less than or equal to `RATE`.
5569 */
5570 /**
5571 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<1:
5572 usize> for u64)}
5573 */
5574 /**
5575 A monomorphic instance of libcrux_sha3.portable_keccak.store_5a
5576 with const generics
5577 - RATE= 168
5578 */
5579 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_5a_1c0(
5580     uint64_t (*state)[5U], Eurydice_slice out[1U]) {
5581   size_t num_full_blocks = Eurydice_slice_len(out[0U], uint8_t) / (size_t)8U;
5582   size_t last_block_len = Eurydice_slice_len(out[0U], uint8_t) % (size_t)8U;
5583   for (size_t i = (size_t)0U; i < num_full_blocks; i++) {
5584     size_t i0 = i;
5585     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
5586         out[0U], i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
5587     uint8_t ret[8U];
5588     core_num__u64_9__to_le_bytes(state[i0 / (size_t)5U][i0 % (size_t)5U], ret);
5589     Eurydice_slice_copy(
5590         uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
5591   }
5592   if (last_block_len != (size_t)0U) {
5593     Eurydice_slice uu____1 = Eurydice_slice_subslice2(
5594         out[0U], num_full_blocks * (size_t)8U,
5595         num_full_blocks * (size_t)8U + last_block_len, uint8_t);
5596     uint8_t ret[8U];
5597     core_num__u64_9__to_le_bytes(
5598         state[num_full_blocks / (size_t)5U][num_full_blocks % (size_t)5U], ret);
5599     Eurydice_slice_copy(
5600         uu____1,
5601         Eurydice_array_to_subslice2(ret, (size_t)0U, last_block_len, uint8_t),
5602         uint8_t);
5603   }
5604 }
5605 
5606 /**
5607  Squeeze `N` x `LEN` bytes.
5608 */
5609 /**
5610 This function found in impl {libcrux_sha3::generic_keccak::KeccakXofState<STATE,
5611 PARALLEL_LANES, RATE>[TraitClause@0]#2}
5612 */
5613 /**
5614 A monomorphic instance of libcrux_sha3.generic_keccak.squeeze_9d
5615 with types uint64_t
5616 with const generics
5617 - PARALLEL_LANES= 1
5618 - RATE= 168
5619 */
5620 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_9d_960(
5621     libcrux_sha3_generic_keccak_KeccakXofState_78 *self,
5622     Eurydice_slice out[1U]) {
5623   if (self->sponge) {
5624     libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5625   }
5626   size_t out_len = Eurydice_slice_len(out[0U], uint8_t);
5627   size_t blocks = out_len / (size_t)168U;
5628   size_t last = out_len - out_len % (size_t)168U;
5629   size_t mid;
5630   if ((size_t)168U >= out_len) {
5631     mid = out_len;
5632   } else {
5633     mid = (size_t)168U;
5634   }
5635   Eurydice_slice_uint8_t_1size_t__x2 uu____0 =
5636       libcrux_sha3_portable_keccak_split_at_mut_n_5a(out, mid);
5637   Eurydice_slice out00[1U];
5638   memcpy(out00, uu____0.fst, (size_t)1U * sizeof(Eurydice_slice));
5639   Eurydice_slice out_rest[1U];
5640   memcpy(out_rest, uu____0.snd, (size_t)1U * sizeof(Eurydice_slice));
5641   libcrux_sha3_portable_keccak_store_5a_1c0(self->inner.st, out00);
5642   core_ops_range_Range_b3 iter =
5643       core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
5644           (CLITERAL(core_ops_range_Range_b3){.start = (size_t)1U,
5645                                              .end = blocks}),
5646           core_ops_range_Range_b3, core_ops_range_Range_b3);
5647   while (true) {
5648     if (core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
5649             &iter, size_t, Option_b3)
5650             .tag == None) {
5651       break;
5652     } else {
5653       Eurydice_slice_uint8_t_1size_t__x2 uu____1 =
5654           libcrux_sha3_portable_keccak_split_at_mut_n_5a(out_rest,
5655                                                          (size_t)168U);
5656       Eurydice_slice out0[1U];
5657       memcpy(out0, uu____1.fst, (size_t)1U * sizeof(Eurydice_slice));
5658       Eurydice_slice tmp[1U];
5659       memcpy(tmp, uu____1.snd, (size_t)1U * sizeof(Eurydice_slice));
5660       libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5661       libcrux_sha3_portable_keccak_store_5a_1c0(self->inner.st, out0);
5662       memcpy(out_rest, tmp, (size_t)1U * sizeof(Eurydice_slice));
5663     }
5664   }
5665   if (last < out_len) {
5666     libcrux_sha3_generic_keccak_keccakf1600_21(&self->inner);
5667     libcrux_sha3_portable_keccak_store_5a_1c0(self->inner.st, out_rest);
5668   }
5669   self->sponge = true;
5670 }
5671 
5672 /**
5673  Shake128 squeeze
5674 */
5675 /**
5676 This function found in impl
5677 {(libcrux_sha3::portable::incremental::XofSqueeze<168: usize> for
5678 libcrux_sha3::portable::incremental::Shake128Squeeze)#1}
5679 */
5680 static inline void libcrux_sha3_portable_incremental_squeeze_10(
5681     libcrux_sha3_generic_keccak_KeccakXofState_78 *self, Eurydice_slice out) {
5682   Eurydice_slice buf[1U] = {out};
5683   libcrux_sha3_generic_keccak_squeeze_9d_960(self, buf);
5684 }
5685 
5686 /**
5687 This function found in impl {(core::clone::Clone for
5688 libcrux_sha3::portable::KeccakState)}
5689 */
5690 static inline libcrux_sha3_generic_keccak_KeccakState_48
5691 libcrux_sha3_portable_clone_3d(
5692     libcrux_sha3_generic_keccak_KeccakState_48 *self) {
5693   return self[0U];
5694 }
5695 
5696 /**
5697 This function found in impl {(core::convert::From<libcrux_sha3::Algorithm> for
5698 u32)#1}
5699 */
5700 static inline uint32_t libcrux_sha3_from_eb(libcrux_sha3_Algorithm v) {
5701   uint32_t uu____0;
5702   switch (v) {
5703     case libcrux_sha3_Sha224: {
5704       uu____0 = 1U;
5705       break;
5706     }
5707     case libcrux_sha3_Sha256: {
5708       uu____0 = 2U;
5709       break;
5710     }
5711     case libcrux_sha3_Sha384: {
5712       uu____0 = 3U;
5713       break;
5714     }
5715     case libcrux_sha3_Sha512: {
5716       uu____0 = 4U;
5717       break;
5718     }
5719     default: {
5720       KRML_HOST_EPRINTF("KaRaMeL incomplete match at %s:%d\n", __FILE__,
5721                         __LINE__);
5722       KRML_HOST_EXIT(253U);
5723     }
5724   }
5725   return uu____0;
5726 }
5727 
5728 /**
5729 This function found in impl {(core::convert::From<u32> for
5730 libcrux_sha3::Algorithm)}
5731 */
5732 static inline libcrux_sha3_Algorithm libcrux_sha3_from_2d(uint32_t v) {
5733   libcrux_sha3_Algorithm uu____0;
5734   switch (v) {
5735     case 1U: {
5736       uu____0 = libcrux_sha3_Sha224;
5737       break;
5738     }
5739     case 2U: {
5740       uu____0 = libcrux_sha3_Sha256;
5741       break;
5742     }
5743     case 3U: {
5744       uu____0 = libcrux_sha3_Sha384;
5745       break;
5746     }
5747     case 4U: {
5748       uu____0 = libcrux_sha3_Sha512;
5749       break;
5750     }
5751     default: {
5752       KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
5753                         "panic!");
5754       KRML_HOST_EXIT(255U);
5755     }
5756   }
5757   return uu____0;
5758 }
5759 
5760 typedef uint8_t libcrux_sha3_Sha3_512Digest[64U];
5761 
5762 typedef uint8_t libcrux_sha3_Sha3_384Digest[48U];
5763 
5764 typedef uint8_t libcrux_sha3_Sha3_256Digest[32U];
5765 
5766 typedef uint8_t libcrux_sha3_Sha3_224Digest[28U];
5767 
5768 #if defined(__cplusplus)
5769 }
5770 #endif
5771 
5772 #define __libcrux_sha3_portable_H_DEFINED
5773 #endif
5774 
5775 /* from libcrux/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h */
5776 /*
5777  * SPDX-FileCopyrightText: 2024 Cryspen Sarl <info@cryspen.com>
5778  *
5779  * SPDX-License-Identifier: MIT or Apache-2.0
5780  *
5781  * This code was generated with the following revisions:
5782  * Charon: 6b5e110342a771a3e1c739b10294b1778e4be8b4
5783  * Eurydice: 31be7d65ca5d6acdacfb33652e478d24dd85c1cb
5784  * Karamel: 3205d3365ea2790b02368f79fcee38e38d0b5908
5785  * F*: a32b316e521fa4f239b610ec8f1d15e78d62cbe8-dirty
5786  * Libcrux: 4ad532b206174114dd4140b718e7794a28fc59ee
5787  */
5788 
5789 #ifndef __libcrux_mlkem768_portable_H
5790 #define __libcrux_mlkem768_portable_H
5791 
5792 #if defined(__cplusplus)
5793 extern "C" {
5794 #endif
5795 
5796 
5797 #define LIBCRUX_ML_KEM_HASH_FUNCTIONS_BLOCK_SIZE ((size_t)168U)
5798 
5799 #define LIBCRUX_ML_KEM_HASH_FUNCTIONS_THREE_BLOCKS \
5800   (LIBCRUX_ML_KEM_HASH_FUNCTIONS_BLOCK_SIZE * (size_t)3U)
5801 
5802 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_G(
5803     Eurydice_slice input, uint8_t ret[64U]) {
5804   uint8_t digest[64U] = {0U};
5805   libcrux_sha3_portable_sha512(
5806       Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input);
5807   memcpy(ret, digest, (size_t)64U * sizeof(uint8_t));
5808 }
5809 
5810 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_H(
5811     Eurydice_slice input, uint8_t ret[32U]) {
5812   uint8_t digest[32U] = {0U};
5813   libcrux_sha3_portable_sha256(
5814       Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input);
5815   memcpy(ret, digest, (size_t)32U * sizeof(uint8_t));
5816 }
5817 
5818 #define LIBCRUX_ML_KEM_IND_CCA_ENCAPS_SEED_SIZE \
5819   (LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE)
5820 
5821 #define LIBCRUX_ML_KEM_IND_CCA_KEY_GENERATION_SEED_SIZE        \
5822   (LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE + \
5823    LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE)
5824 
5825 typedef uint8_t libcrux_ml_kem_ind_cca_MlKemSharedSecret[32U];
5826 
5827 static const int16_t libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[128U] =
5828     {(int16_t)-1044, (int16_t)-758,  (int16_t)-359,  (int16_t)-1517,
5829      (int16_t)1493,  (int16_t)1422,  (int16_t)287,   (int16_t)202,
5830      (int16_t)-171,  (int16_t)622,   (int16_t)1577,  (int16_t)182,
5831      (int16_t)962,   (int16_t)-1202, (int16_t)-1474, (int16_t)1468,
5832      (int16_t)573,   (int16_t)-1325, (int16_t)264,   (int16_t)383,
5833      (int16_t)-829,  (int16_t)1458,  (int16_t)-1602, (int16_t)-130,
5834      (int16_t)-681,  (int16_t)1017,  (int16_t)732,   (int16_t)608,
5835      (int16_t)-1542, (int16_t)411,   (int16_t)-205,  (int16_t)-1571,
5836      (int16_t)1223,  (int16_t)652,   (int16_t)-552,  (int16_t)1015,
5837      (int16_t)-1293, (int16_t)1491,  (int16_t)-282,  (int16_t)-1544,
5838      (int16_t)516,   (int16_t)-8,    (int16_t)-320,  (int16_t)-666,
5839      (int16_t)-1618, (int16_t)-1162, (int16_t)126,   (int16_t)1469,
5840      (int16_t)-853,  (int16_t)-90,   (int16_t)-271,  (int16_t)830,
5841      (int16_t)107,   (int16_t)-1421, (int16_t)-247,  (int16_t)-951,
5842      (int16_t)-398,  (int16_t)961,   (int16_t)-1508, (int16_t)-725,
5843      (int16_t)448,   (int16_t)-1065, (int16_t)677,   (int16_t)-1275,
5844      (int16_t)-1103, (int16_t)430,   (int16_t)555,   (int16_t)843,
5845      (int16_t)-1251, (int16_t)871,   (int16_t)1550,  (int16_t)105,
5846      (int16_t)422,   (int16_t)587,   (int16_t)177,   (int16_t)-235,
5847      (int16_t)-291,  (int16_t)-460,  (int16_t)1574,  (int16_t)1653,
5848      (int16_t)-246,  (int16_t)778,   (int16_t)1159,  (int16_t)-147,
5849      (int16_t)-777,  (int16_t)1483,  (int16_t)-602,  (int16_t)1119,
5850      (int16_t)-1590, (int16_t)644,   (int16_t)-872,  (int16_t)349,
5851      (int16_t)418,   (int16_t)329,   (int16_t)-156,  (int16_t)-75,
5852      (int16_t)817,   (int16_t)1097,  (int16_t)603,   (int16_t)610,
5853      (int16_t)1322,  (int16_t)-1285, (int16_t)-1465, (int16_t)384,
5854      (int16_t)-1215, (int16_t)-136,  (int16_t)1218,  (int16_t)-1335,
5855      (int16_t)-874,  (int16_t)220,   (int16_t)-1187, (int16_t)-1659,
5856      (int16_t)-1185, (int16_t)-1530, (int16_t)-1278, (int16_t)794,
5857      (int16_t)-1510, (int16_t)-854,  (int16_t)-870,  (int16_t)478,
5858      (int16_t)-108,  (int16_t)-308,  (int16_t)996,   (int16_t)991,
5859      (int16_t)958,   (int16_t)-1460, (int16_t)1522,  (int16_t)1628};
5860 
5861 #define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR ((size_t)16U)
5862 
5863 #define LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT  \
5864   (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / \
5865    LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR)
5866 
5867 #define LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS ((int16_t)3329)
5868 
5869 #define LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS \
5870   ((int16_t)1353)
5871 
5872 #define LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R \
5873   (62209U)
5874 
5875 typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_s {
5876   int16_t elements[16U];
5877 } libcrux_ml_kem_vector_portable_vector_type_PortableVector;
5878 
5879 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
5880 libcrux_ml_kem_vector_portable_vector_type_from_i16_array(
5881     Eurydice_slice array) {
5882   libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
5883   int16_t ret[16U];
5884   Result_c0 dst;
5885   Eurydice_slice_to_array2(
5886       &dst, Eurydice_slice_subslice2(array, (size_t)0U, (size_t)16U, int16_t),
5887       Eurydice_slice, int16_t[16U]);
5888   unwrap_41_f9(dst, ret);
5889   memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t));
5890   return lit;
5891 }
5892 
5893 /**
5894 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
5895 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
5896 */
5897 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
5898 libcrux_ml_kem_vector_portable_from_i16_array_0d(Eurydice_slice array) {
5899   return libcrux_ml_kem_vector_portable_vector_type_from_i16_array(array);
5900 }
5901 
5902 typedef struct uint8_t_x11_s {
5903   uint8_t fst;
5904   uint8_t snd;
5905   uint8_t thd;
5906   uint8_t f3;
5907   uint8_t f4;
5908   uint8_t f5;
5909   uint8_t f6;
5910   uint8_t f7;
5911   uint8_t f8;
5912   uint8_t f9;
5913   uint8_t f10;
5914 } uint8_t_x11;
5915 
5916 static KRML_MUSTINLINE uint8_t_x11
5917 libcrux_ml_kem_vector_portable_serialize_serialize_11_int(Eurydice_slice v) {
5918   uint8_t r0 = (uint8_t)Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *);
5919   uint8_t r1 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t,
5920                                                         int16_t *) &
5921                                    (int16_t)31)
5922                    << 3U |
5923                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t,
5924                                                         int16_t *) >>
5925                                    8U);
5926   uint8_t r2 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t,
5927                                                         int16_t *) &
5928                                    (int16_t)3)
5929                    << 6U |
5930                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t,
5931                                                         int16_t *) >>
5932                                    5U);
5933   uint8_t r3 =
5934       (uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *) >> 2U &
5935                 (int16_t)255);
5936   uint8_t r4 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t,
5937                                                         int16_t *) &
5938                                    (int16_t)127)
5939                    << 1U |
5940                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t,
5941                                                         int16_t *) >>
5942                                    10U);
5943   uint8_t r5 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)4U, int16_t,
5944                                                         int16_t *) &
5945                                    (int16_t)15)
5946                    << 4U |
5947                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t,
5948                                                         int16_t *) >>
5949                                    7U);
5950   uint8_t r6 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t,
5951                                                         int16_t *) &
5952                                    (int16_t)1)
5953                    << 7U |
5954                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)4U, int16_t,
5955                                                         int16_t *) >>
5956                                    4U);
5957   uint8_t r7 =
5958       (uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *) >> 1U &
5959                 (int16_t)255);
5960   uint8_t r8 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t,
5961                                                         int16_t *) &
5962                                    (int16_t)63)
5963                    << 2U |
5964                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t,
5965                                                         int16_t *) >>
5966                                    9U);
5967   uint8_t r9 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)7U, int16_t,
5968                                                         int16_t *) &
5969                                    (int16_t)7)
5970                    << 5U |
5971                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t,
5972                                                         int16_t *) >>
5973                                    6U);
5974   uint8_t r10 =
5975       (uint8_t)(Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) >> 3U);
5976   return (CLITERAL(uint8_t_x11){.fst = r0,
5977                                 .snd = r1,
5978                                 .thd = r2,
5979                                 .f3 = r3,
5980                                 .f4 = r4,
5981                                 .f5 = r5,
5982                                 .f6 = r6,
5983                                 .f7 = r7,
5984                                 .f8 = r8,
5985                                 .f9 = r9,
5986                                 .f10 = r10});
5987 }
5988 
5989 static KRML_MUSTINLINE void
5990 libcrux_ml_kem_vector_portable_serialize_serialize_11(
5991     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
5992     uint8_t ret[22U]) {
5993   uint8_t_x11 r0_10 = libcrux_ml_kem_vector_portable_serialize_serialize_11_int(
5994       Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t));
5995   uint8_t_x11 r11_21 =
5996       libcrux_ml_kem_vector_portable_serialize_serialize_11_int(
5997           Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
5998                                       int16_t));
5999   uint8_t result[22U] = {0U};
6000   result[0U] = r0_10.fst;
6001   result[1U] = r0_10.snd;
6002   result[2U] = r0_10.thd;
6003   result[3U] = r0_10.f3;
6004   result[4U] = r0_10.f4;
6005   result[5U] = r0_10.f5;
6006   result[6U] = r0_10.f6;
6007   result[7U] = r0_10.f7;
6008   result[8U] = r0_10.f8;
6009   result[9U] = r0_10.f9;
6010   result[10U] = r0_10.f10;
6011   result[11U] = r11_21.fst;
6012   result[12U] = r11_21.snd;
6013   result[13U] = r11_21.thd;
6014   result[14U] = r11_21.f3;
6015   result[15U] = r11_21.f4;
6016   result[16U] = r11_21.f5;
6017   result[17U] = r11_21.f6;
6018   result[18U] = r11_21.f7;
6019   result[19U] = r11_21.f8;
6020   result[20U] = r11_21.f9;
6021   result[21U] = r11_21.f10;
6022   memcpy(ret, result, (size_t)22U * sizeof(uint8_t));
6023 }
6024 
6025 /**
6026 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6027 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6028 */
6029 static inline void libcrux_ml_kem_vector_portable_serialize_11_0d(
6030     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
6031     uint8_t ret[22U]) {
6032   libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret);
6033 }
6034 
6035 typedef struct int16_t_x8_s {
6036   int16_t fst;
6037   int16_t snd;
6038   int16_t thd;
6039   int16_t f3;
6040   int16_t f4;
6041   int16_t f5;
6042   int16_t f6;
6043   int16_t f7;
6044 } int16_t_x8;
6045 
6046 static KRML_MUSTINLINE int16_t_x8
6047 libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
6048     Eurydice_slice bytes) {
6049   int16_t r0 =
6050       ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) &
6051        (int16_t)7)
6052           << 8U |
6053       (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *);
6054   int16_t r1 =
6055       ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) &
6056        (int16_t)63)
6057           << 5U |
6058       (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) >>
6059           3U;
6060   int16_t r2 =
6061       (((int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) &
6062         (int16_t)1)
6063            << 10U |
6064        (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *)
6065            << 2U) |
6066       (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >>
6067           6U;
6068   int16_t r3 =
6069       ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) &
6070        (int16_t)15)
6071           << 7U |
6072       (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) >>
6073           1U;
6074   int16_t r4 =
6075       ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) &
6076        (int16_t)127)
6077           << 4U |
6078       (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) >>
6079           4U;
6080   int16_t r5 =
6081       (((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) &
6082         (int16_t)3)
6083            << 9U |
6084        (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *)
6085            << 1U) |
6086       (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >>
6087           7U;
6088   int16_t r6 =
6089       ((int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *) &
6090        (int16_t)31)
6091           << 6U |
6092       (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) >>
6093           2U;
6094   int16_t r7 =
6095       (int16_t)Eurydice_slice_index(bytes, (size_t)10U, uint8_t, uint8_t *)
6096           << 3U |
6097       (int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *) >>
6098           5U;
6099   return (CLITERAL(int16_t_x8){.fst = r0,
6100                                .snd = r1,
6101                                .thd = r2,
6102                                .f3 = r3,
6103                                .f4 = r4,
6104                                .f5 = r5,
6105                                .f6 = r6,
6106                                .f7 = r7});
6107 }
6108 
6109 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6110 libcrux_ml_kem_vector_portable_vector_type_zero(void) {
6111   libcrux_ml_kem_vector_portable_vector_type_PortableVector lit;
6112   lit.elements[0U] = (int16_t)0;
6113   lit.elements[1U] = (int16_t)0;
6114   lit.elements[2U] = (int16_t)0;
6115   lit.elements[3U] = (int16_t)0;
6116   lit.elements[4U] = (int16_t)0;
6117   lit.elements[5U] = (int16_t)0;
6118   lit.elements[6U] = (int16_t)0;
6119   lit.elements[7U] = (int16_t)0;
6120   lit.elements[8U] = (int16_t)0;
6121   lit.elements[9U] = (int16_t)0;
6122   lit.elements[10U] = (int16_t)0;
6123   lit.elements[11U] = (int16_t)0;
6124   lit.elements[12U] = (int16_t)0;
6125   lit.elements[13U] = (int16_t)0;
6126   lit.elements[14U] = (int16_t)0;
6127   lit.elements[15U] = (int16_t)0;
6128   return lit;
6129 }
6130 
6131 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6132 libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) {
6133   int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
6134       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)11U, uint8_t));
6135   int16_t_x8 v8_15 =
6136       libcrux_ml_kem_vector_portable_serialize_deserialize_11_int(
6137           Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t));
6138   libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
6139       libcrux_ml_kem_vector_portable_vector_type_zero();
6140   v.elements[0U] = v0_7.fst;
6141   v.elements[1U] = v0_7.snd;
6142   v.elements[2U] = v0_7.thd;
6143   v.elements[3U] = v0_7.f3;
6144   v.elements[4U] = v0_7.f4;
6145   v.elements[5U] = v0_7.f5;
6146   v.elements[6U] = v0_7.f6;
6147   v.elements[7U] = v0_7.f7;
6148   v.elements[8U] = v8_15.fst;
6149   v.elements[9U] = v8_15.snd;
6150   v.elements[10U] = v8_15.thd;
6151   v.elements[11U] = v8_15.f3;
6152   v.elements[12U] = v8_15.f4;
6153   v.elements[13U] = v8_15.f5;
6154   v.elements[14U] = v8_15.f6;
6155   v.elements[15U] = v8_15.f7;
6156   return v;
6157 }
6158 
6159 /**
6160 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6161 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6162 */
6163 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6164 libcrux_ml_kem_vector_portable_deserialize_11_0d(Eurydice_slice a) {
6165   return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a);
6166 }
6167 
6168 static KRML_MUSTINLINE void
6169 libcrux_ml_kem_vector_portable_vector_type_to_i16_array(
6170     libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
6171     int16_t ret[16U]) {
6172   memcpy(ret, x.elements, (size_t)16U * sizeof(int16_t));
6173 }
6174 
6175 /**
6176 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6177 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6178 */
6179 static inline void libcrux_ml_kem_vector_portable_to_i16_array_0d(
6180     libcrux_ml_kem_vector_portable_vector_type_PortableVector x,
6181     int16_t ret[16U]) {
6182   libcrux_ml_kem_vector_portable_vector_type_to_i16_array(x, ret);
6183 }
6184 
6185 static const uint8_t
6186     libcrux_ml_kem_vector_rej_sample_table_REJECTION_SAMPLE_SHUFFLE_TABLE
6187         [256U][16U] = {{255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6188                         255U, 255U, 255U, 255U, 255U, 255U, 255U},
6189                        {0U, 1U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6190                         255U, 255U, 255U, 255U, 255U, 255U},
6191                        {2U, 3U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6192                         255U, 255U, 255U, 255U, 255U, 255U},
6193                        {0U, 1U, 2U, 3U, 255U, 255U, 255U, 255U, 255U, 255U,
6194                         255U, 255U, 255U, 255U, 255U, 255U},
6195                        {4U, 5U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6196                         255U, 255U, 255U, 255U, 255U, 255U},
6197                        {0U, 1U, 4U, 5U, 255U, 255U, 255U, 255U, 255U, 255U,
6198                         255U, 255U, 255U, 255U, 255U, 255U},
6199                        {2U, 3U, 4U, 5U, 255U, 255U, 255U, 255U, 255U, 255U,
6200                         255U, 255U, 255U, 255U, 255U, 255U},
6201                        {0U, 1U, 2U, 3U, 4U, 5U, 255U, 255U, 255U, 255U, 255U,
6202                         255U, 255U, 255U, 255U, 255U},
6203                        {6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6204                         255U, 255U, 255U, 255U, 255U, 255U},
6205                        {0U, 1U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U,
6206                         255U, 255U, 255U, 255U, 255U, 255U},
6207                        {2U, 3U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U,
6208                         255U, 255U, 255U, 255U, 255U, 255U},
6209                        {0U, 1U, 2U, 3U, 6U, 7U, 255U, 255U, 255U, 255U, 255U,
6210                         255U, 255U, 255U, 255U, 255U},
6211                        {4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U, 255U,
6212                         255U, 255U, 255U, 255U, 255U, 255U},
6213                        {0U, 1U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U,
6214                         255U, 255U, 255U, 255U, 255U},
6215                        {2U, 3U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U, 255U,
6216                         255U, 255U, 255U, 255U, 255U},
6217                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 255U, 255U, 255U, 255U,
6218                         255U, 255U, 255U, 255U},
6219                        {8U, 9U, 255U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6220                         255U, 255U, 255U, 255U, 255U, 255U},
6221                        {0U, 1U, 8U, 9U, 255U, 255U, 255U, 255U, 255U, 255U,
6222                         255U, 255U, 255U, 255U, 255U, 255U},
6223                        {2U, 3U, 8U, 9U, 255U, 255U, 255U, 255U, 255U, 255U,
6224                         255U, 255U, 255U, 255U, 255U, 255U},
6225                        {0U, 1U, 2U, 3U, 8U, 9U, 255U, 255U, 255U, 255U, 255U,
6226                         255U, 255U, 255U, 255U, 255U},
6227                        {4U, 5U, 8U, 9U, 255U, 255U, 255U, 255U, 255U, 255U,
6228                         255U, 255U, 255U, 255U, 255U, 255U},
6229                        {0U, 1U, 4U, 5U, 8U, 9U, 255U, 255U, 255U, 255U, 255U,
6230                         255U, 255U, 255U, 255U, 255U},
6231                        {2U, 3U, 4U, 5U, 8U, 9U, 255U, 255U, 255U, 255U, 255U,
6232                         255U, 255U, 255U, 255U, 255U},
6233                        {0U, 1U, 2U, 3U, 4U, 5U, 8U, 9U, 255U, 255U, 255U, 255U,
6234                         255U, 255U, 255U, 255U},
6235                        {6U, 7U, 8U, 9U, 255U, 255U, 255U, 255U, 255U, 255U,
6236                         255U, 255U, 255U, 255U, 255U, 255U},
6237                        {0U, 1U, 6U, 7U, 8U, 9U, 255U, 255U, 255U, 255U, 255U,
6238                         255U, 255U, 255U, 255U, 255U},
6239                        {2U, 3U, 6U, 7U, 8U, 9U, 255U, 255U, 255U, 255U, 255U,
6240                         255U, 255U, 255U, 255U, 255U},
6241                        {0U, 1U, 2U, 3U, 6U, 7U, 8U, 9U, 255U, 255U, 255U, 255U,
6242                         255U, 255U, 255U, 255U},
6243                        {4U, 5U, 6U, 7U, 8U, 9U, 255U, 255U, 255U, 255U, 255U,
6244                         255U, 255U, 255U, 255U, 255U},
6245                        {0U, 1U, 4U, 5U, 6U, 7U, 8U, 9U, 255U, 255U, 255U, 255U,
6246                         255U, 255U, 255U, 255U},
6247                        {2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 255U, 255U, 255U, 255U,
6248                         255U, 255U, 255U, 255U},
6249                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 255U, 255U,
6250                         255U, 255U, 255U, 255U},
6251                        {10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6252                         255U, 255U, 255U, 255U, 255U, 255U, 255U},
6253                        {0U, 1U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U,
6254                         255U, 255U, 255U, 255U, 255U, 255U},
6255                        {2U, 3U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U,
6256                         255U, 255U, 255U, 255U, 255U, 255U},
6257                        {0U, 1U, 2U, 3U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6258                         255U, 255U, 255U, 255U, 255U},
6259                        {4U, 5U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U,
6260                         255U, 255U, 255U, 255U, 255U, 255U},
6261                        {0U, 1U, 4U, 5U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6262                         255U, 255U, 255U, 255U, 255U},
6263                        {2U, 3U, 4U, 5U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6264                         255U, 255U, 255U, 255U, 255U},
6265                        {0U, 1U, 2U, 3U, 4U, 5U, 10U, 11U, 255U, 255U, 255U,
6266                         255U, 255U, 255U, 255U, 255U},
6267                        {6U, 7U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U,
6268                         255U, 255U, 255U, 255U, 255U, 255U},
6269                        {0U, 1U, 6U, 7U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6270                         255U, 255U, 255U, 255U, 255U},
6271                        {2U, 3U, 6U, 7U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6272                         255U, 255U, 255U, 255U, 255U},
6273                        {0U, 1U, 2U, 3U, 6U, 7U, 10U, 11U, 255U, 255U, 255U,
6274                         255U, 255U, 255U, 255U, 255U},
6275                        {4U, 5U, 6U, 7U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6276                         255U, 255U, 255U, 255U, 255U},
6277                        {0U, 1U, 4U, 5U, 6U, 7U, 10U, 11U, 255U, 255U, 255U,
6278                         255U, 255U, 255U, 255U, 255U},
6279                        {2U, 3U, 4U, 5U, 6U, 7U, 10U, 11U, 255U, 255U, 255U,
6280                         255U, 255U, 255U, 255U, 255U},
6281                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 10U, 11U, 255U, 255U,
6282                         255U, 255U, 255U, 255U},
6283                        {8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U, 255U,
6284                         255U, 255U, 255U, 255U, 255U, 255U},
6285                        {0U, 1U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6286                         255U, 255U, 255U, 255U, 255U},
6287                        {2U, 3U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6288                         255U, 255U, 255U, 255U, 255U},
6289                        {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 255U, 255U, 255U,
6290                         255U, 255U, 255U, 255U, 255U},
6291                        {4U, 5U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6292                         255U, 255U, 255U, 255U, 255U},
6293                        {0U, 1U, 4U, 5U, 8U, 9U, 10U, 11U, 255U, 255U, 255U,
6294                         255U, 255U, 255U, 255U, 255U},
6295                        {2U, 3U, 4U, 5U, 8U, 9U, 10U, 11U, 255U, 255U, 255U,
6296                         255U, 255U, 255U, 255U, 255U},
6297                        {0U, 1U, 2U, 3U, 4U, 5U, 8U, 9U, 10U, 11U, 255U, 255U,
6298                         255U, 255U, 255U, 255U},
6299                        {6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U, 255U, 255U,
6300                         255U, 255U, 255U, 255U, 255U},
6301                        {0U, 1U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U,
6302                         255U, 255U, 255U, 255U, 255U},
6303                        {2U, 3U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U,
6304                         255U, 255U, 255U, 255U, 255U},
6305                        {0U, 1U, 2U, 3U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U,
6306                         255U, 255U, 255U, 255U},
6307                        {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U, 255U,
6308                         255U, 255U, 255U, 255U, 255U},
6309                        {0U, 1U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U,
6310                         255U, 255U, 255U, 255U},
6311                        {2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U, 255U,
6312                         255U, 255U, 255U, 255U},
6313                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 255U,
6314                         255U, 255U, 255U},
6315                        {12U, 13U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6316                         255U, 255U, 255U, 255U, 255U, 255U, 255U},
6317                        {0U, 1U, 12U, 13U, 255U, 255U, 255U, 255U, 255U, 255U,
6318                         255U, 255U, 255U, 255U, 255U, 255U},
6319                        {2U, 3U, 12U, 13U, 255U, 255U, 255U, 255U, 255U, 255U,
6320                         255U, 255U, 255U, 255U, 255U, 255U},
6321                        {0U, 1U, 2U, 3U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6322                         255U, 255U, 255U, 255U, 255U},
6323                        {4U, 5U, 12U, 13U, 255U, 255U, 255U, 255U, 255U, 255U,
6324                         255U, 255U, 255U, 255U, 255U, 255U},
6325                        {0U, 1U, 4U, 5U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6326                         255U, 255U, 255U, 255U, 255U},
6327                        {2U, 3U, 4U, 5U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6328                         255U, 255U, 255U, 255U, 255U},
6329                        {0U, 1U, 2U, 3U, 4U, 5U, 12U, 13U, 255U, 255U, 255U,
6330                         255U, 255U, 255U, 255U, 255U},
6331                        {6U, 7U, 12U, 13U, 255U, 255U, 255U, 255U, 255U, 255U,
6332                         255U, 255U, 255U, 255U, 255U, 255U},
6333                        {0U, 1U, 6U, 7U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6334                         255U, 255U, 255U, 255U, 255U},
6335                        {2U, 3U, 6U, 7U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6336                         255U, 255U, 255U, 255U, 255U},
6337                        {0U, 1U, 2U, 3U, 6U, 7U, 12U, 13U, 255U, 255U, 255U,
6338                         255U, 255U, 255U, 255U, 255U},
6339                        {4U, 5U, 6U, 7U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6340                         255U, 255U, 255U, 255U, 255U},
6341                        {0U, 1U, 4U, 5U, 6U, 7U, 12U, 13U, 255U, 255U, 255U,
6342                         255U, 255U, 255U, 255U, 255U},
6343                        {2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 255U, 255U, 255U,
6344                         255U, 255U, 255U, 255U, 255U},
6345                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 255U, 255U,
6346                         255U, 255U, 255U, 255U},
6347                        {8U, 9U, 12U, 13U, 255U, 255U, 255U, 255U, 255U, 255U,
6348                         255U, 255U, 255U, 255U, 255U, 255U},
6349                        {0U, 1U, 8U, 9U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6350                         255U, 255U, 255U, 255U, 255U},
6351                        {2U, 3U, 8U, 9U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6352                         255U, 255U, 255U, 255U, 255U},
6353                        {0U, 1U, 2U, 3U, 8U, 9U, 12U, 13U, 255U, 255U, 255U,
6354                         255U, 255U, 255U, 255U, 255U},
6355                        {4U, 5U, 8U, 9U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6356                         255U, 255U, 255U, 255U, 255U},
6357                        {0U, 1U, 4U, 5U, 8U, 9U, 12U, 13U, 255U, 255U, 255U,
6358                         255U, 255U, 255U, 255U, 255U},
6359                        {2U, 3U, 4U, 5U, 8U, 9U, 12U, 13U, 255U, 255U, 255U,
6360                         255U, 255U, 255U, 255U, 255U},
6361                        {0U, 1U, 2U, 3U, 4U, 5U, 8U, 9U, 12U, 13U, 255U, 255U,
6362                         255U, 255U, 255U, 255U},
6363                        {6U, 7U, 8U, 9U, 12U, 13U, 255U, 255U, 255U, 255U, 255U,
6364                         255U, 255U, 255U, 255U, 255U},
6365                        {0U, 1U, 6U, 7U, 8U, 9U, 12U, 13U, 255U, 255U, 255U,
6366                         255U, 255U, 255U, 255U, 255U},
6367                        {2U, 3U, 6U, 7U, 8U, 9U, 12U, 13U, 255U, 255U, 255U,
6368                         255U, 255U, 255U, 255U, 255U},
6369                        {0U, 1U, 2U, 3U, 6U, 7U, 8U, 9U, 12U, 13U, 255U, 255U,
6370                         255U, 255U, 255U, 255U},
6371                        {4U, 5U, 6U, 7U, 8U, 9U, 12U, 13U, 255U, 255U, 255U,
6372                         255U, 255U, 255U, 255U, 255U},
6373                        {0U, 1U, 4U, 5U, 6U, 7U, 8U, 9U, 12U, 13U, 255U, 255U,
6374                         255U, 255U, 255U, 255U},
6375                        {2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 12U, 13U, 255U, 255U,
6376                         255U, 255U, 255U, 255U},
6377                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 12U, 13U, 255U,
6378                         255U, 255U, 255U},
6379                        {10U, 11U, 12U, 13U, 255U, 255U, 255U, 255U, 255U, 255U,
6380                         255U, 255U, 255U, 255U, 255U, 255U},
6381                        {0U, 1U, 10U, 11U, 12U, 13U, 255U, 255U, 255U, 255U,
6382                         255U, 255U, 255U, 255U, 255U, 255U},
6383                        {2U, 3U, 10U, 11U, 12U, 13U, 255U, 255U, 255U, 255U,
6384                         255U, 255U, 255U, 255U, 255U, 255U},
6385                        {0U, 1U, 2U, 3U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6386                         255U, 255U, 255U, 255U, 255U},
6387                        {4U, 5U, 10U, 11U, 12U, 13U, 255U, 255U, 255U, 255U,
6388                         255U, 255U, 255U, 255U, 255U, 255U},
6389                        {0U, 1U, 4U, 5U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6390                         255U, 255U, 255U, 255U, 255U},
6391                        {2U, 3U, 4U, 5U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6392                         255U, 255U, 255U, 255U, 255U},
6393                        {0U, 1U, 2U, 3U, 4U, 5U, 10U, 11U, 12U, 13U, 255U, 255U,
6394                         255U, 255U, 255U, 255U},
6395                        {6U, 7U, 10U, 11U, 12U, 13U, 255U, 255U, 255U, 255U,
6396                         255U, 255U, 255U, 255U, 255U, 255U},
6397                        {0U, 1U, 6U, 7U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6398                         255U, 255U, 255U, 255U, 255U},
6399                        {2U, 3U, 6U, 7U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6400                         255U, 255U, 255U, 255U, 255U},
6401                        {0U, 1U, 2U, 3U, 6U, 7U, 10U, 11U, 12U, 13U, 255U, 255U,
6402                         255U, 255U, 255U, 255U},
6403                        {4U, 5U, 6U, 7U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6404                         255U, 255U, 255U, 255U, 255U},
6405                        {0U, 1U, 4U, 5U, 6U, 7U, 10U, 11U, 12U, 13U, 255U, 255U,
6406                         255U, 255U, 255U, 255U},
6407                        {2U, 3U, 4U, 5U, 6U, 7U, 10U, 11U, 12U, 13U, 255U, 255U,
6408                         255U, 255U, 255U, 255U},
6409                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 10U, 11U, 12U, 13U,
6410                         255U, 255U, 255U, 255U},
6411                        {8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U, 255U, 255U,
6412                         255U, 255U, 255U, 255U, 255U, 255U},
6413                        {0U, 1U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6414                         255U, 255U, 255U, 255U, 255U},
6415                        {2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6416                         255U, 255U, 255U, 255U, 255U},
6417                        {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U,
6418                         255U, 255U, 255U, 255U},
6419                        {4U, 5U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6420                         255U, 255U, 255U, 255U, 255U},
6421                        {0U, 1U, 4U, 5U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U,
6422                         255U, 255U, 255U, 255U},
6423                        {2U, 3U, 4U, 5U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U,
6424                         255U, 255U, 255U, 255U},
6425                        {0U, 1U, 2U, 3U, 4U, 5U, 8U, 9U, 10U, 11U, 12U, 13U,
6426                         255U, 255U, 255U, 255U},
6427                        {6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U, 255U,
6428                         255U, 255U, 255U, 255U, 255U},
6429                        {0U, 1U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U,
6430                         255U, 255U, 255U, 255U},
6431                        {2U, 3U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U,
6432                         255U, 255U, 255U, 255U},
6433                        {0U, 1U, 2U, 3U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U,
6434                         255U, 255U, 255U, 255U},
6435                        {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 255U, 255U,
6436                         255U, 255U, 255U, 255U},
6437                        {0U, 1U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U,
6438                         255U, 255U, 255U, 255U},
6439                        {2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U,
6440                         255U, 255U, 255U, 255U},
6441                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U,
6442                         13U, 255U, 255U},
6443                        {14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U, 255U,
6444                         255U, 255U, 255U, 255U, 255U, 255U, 255U},
6445                        {0U, 1U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U,
6446                         255U, 255U, 255U, 255U, 255U, 255U},
6447                        {2U, 3U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U,
6448                         255U, 255U, 255U, 255U, 255U, 255U},
6449                        {0U, 1U, 2U, 3U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6450                         255U, 255U, 255U, 255U, 255U},
6451                        {4U, 5U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U,
6452                         255U, 255U, 255U, 255U, 255U, 255U},
6453                        {0U, 1U, 4U, 5U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6454                         255U, 255U, 255U, 255U, 255U},
6455                        {2U, 3U, 4U, 5U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6456                         255U, 255U, 255U, 255U, 255U},
6457                        {0U, 1U, 2U, 3U, 4U, 5U, 14U, 15U, 255U, 255U, 255U,
6458                         255U, 255U, 255U, 255U, 255U},
6459                        {6U, 7U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U,
6460                         255U, 255U, 255U, 255U, 255U, 255U},
6461                        {0U, 1U, 6U, 7U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6462                         255U, 255U, 255U, 255U, 255U},
6463                        {2U, 3U, 6U, 7U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6464                         255U, 255U, 255U, 255U, 255U},
6465                        {0U, 1U, 2U, 3U, 6U, 7U, 14U, 15U, 255U, 255U, 255U,
6466                         255U, 255U, 255U, 255U, 255U},
6467                        {4U, 5U, 6U, 7U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6468                         255U, 255U, 255U, 255U, 255U},
6469                        {0U, 1U, 4U, 5U, 6U, 7U, 14U, 15U, 255U, 255U, 255U,
6470                         255U, 255U, 255U, 255U, 255U},
6471                        {2U, 3U, 4U, 5U, 6U, 7U, 14U, 15U, 255U, 255U, 255U,
6472                         255U, 255U, 255U, 255U, 255U},
6473                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 14U, 15U, 255U, 255U,
6474                         255U, 255U, 255U, 255U},
6475                        {8U, 9U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U,
6476                         255U, 255U, 255U, 255U, 255U, 255U},
6477                        {0U, 1U, 8U, 9U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6478                         255U, 255U, 255U, 255U, 255U},
6479                        {2U, 3U, 8U, 9U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6480                         255U, 255U, 255U, 255U, 255U},
6481                        {0U, 1U, 2U, 3U, 8U, 9U, 14U, 15U, 255U, 255U, 255U,
6482                         255U, 255U, 255U, 255U, 255U},
6483                        {4U, 5U, 8U, 9U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6484                         255U, 255U, 255U, 255U, 255U},
6485                        {0U, 1U, 4U, 5U, 8U, 9U, 14U, 15U, 255U, 255U, 255U,
6486                         255U, 255U, 255U, 255U, 255U},
6487                        {2U, 3U, 4U, 5U, 8U, 9U, 14U, 15U, 255U, 255U, 255U,
6488                         255U, 255U, 255U, 255U, 255U},
6489                        {0U, 1U, 2U, 3U, 4U, 5U, 8U, 9U, 14U, 15U, 255U, 255U,
6490                         255U, 255U, 255U, 255U},
6491                        {6U, 7U, 8U, 9U, 14U, 15U, 255U, 255U, 255U, 255U, 255U,
6492                         255U, 255U, 255U, 255U, 255U},
6493                        {0U, 1U, 6U, 7U, 8U, 9U, 14U, 15U, 255U, 255U, 255U,
6494                         255U, 255U, 255U, 255U, 255U},
6495                        {2U, 3U, 6U, 7U, 8U, 9U, 14U, 15U, 255U, 255U, 255U,
6496                         255U, 255U, 255U, 255U, 255U},
6497                        {0U, 1U, 2U, 3U, 6U, 7U, 8U, 9U, 14U, 15U, 255U, 255U,
6498                         255U, 255U, 255U, 255U},
6499                        {4U, 5U, 6U, 7U, 8U, 9U, 14U, 15U, 255U, 255U, 255U,
6500                         255U, 255U, 255U, 255U, 255U},
6501                        {0U, 1U, 4U, 5U, 6U, 7U, 8U, 9U, 14U, 15U, 255U, 255U,
6502                         255U, 255U, 255U, 255U},
6503                        {2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 14U, 15U, 255U, 255U,
6504                         255U, 255U, 255U, 255U},
6505                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 14U, 15U, 255U,
6506                         255U, 255U, 255U},
6507                        {10U, 11U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U,
6508                         255U, 255U, 255U, 255U, 255U, 255U},
6509                        {0U, 1U, 10U, 11U, 14U, 15U, 255U, 255U, 255U, 255U,
6510                         255U, 255U, 255U, 255U, 255U, 255U},
6511                        {2U, 3U, 10U, 11U, 14U, 15U, 255U, 255U, 255U, 255U,
6512                         255U, 255U, 255U, 255U, 255U, 255U},
6513                        {0U, 1U, 2U, 3U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6514                         255U, 255U, 255U, 255U, 255U},
6515                        {4U, 5U, 10U, 11U, 14U, 15U, 255U, 255U, 255U, 255U,
6516                         255U, 255U, 255U, 255U, 255U, 255U},
6517                        {0U, 1U, 4U, 5U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6518                         255U, 255U, 255U, 255U, 255U},
6519                        {2U, 3U, 4U, 5U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6520                         255U, 255U, 255U, 255U, 255U},
6521                        {0U, 1U, 2U, 3U, 4U, 5U, 10U, 11U, 14U, 15U, 255U, 255U,
6522                         255U, 255U, 255U, 255U},
6523                        {6U, 7U, 10U, 11U, 14U, 15U, 255U, 255U, 255U, 255U,
6524                         255U, 255U, 255U, 255U, 255U, 255U},
6525                        {0U, 1U, 6U, 7U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6526                         255U, 255U, 255U, 255U, 255U},
6527                        {2U, 3U, 6U, 7U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6528                         255U, 255U, 255U, 255U, 255U},
6529                        {0U, 1U, 2U, 3U, 6U, 7U, 10U, 11U, 14U, 15U, 255U, 255U,
6530                         255U, 255U, 255U, 255U},
6531                        {4U, 5U, 6U, 7U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6532                         255U, 255U, 255U, 255U, 255U},
6533                        {0U, 1U, 4U, 5U, 6U, 7U, 10U, 11U, 14U, 15U, 255U, 255U,
6534                         255U, 255U, 255U, 255U},
6535                        {2U, 3U, 4U, 5U, 6U, 7U, 10U, 11U, 14U, 15U, 255U, 255U,
6536                         255U, 255U, 255U, 255U},
6537                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 10U, 11U, 14U, 15U,
6538                         255U, 255U, 255U, 255U},
6539                        {8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U, 255U, 255U,
6540                         255U, 255U, 255U, 255U, 255U, 255U},
6541                        {0U, 1U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6542                         255U, 255U, 255U, 255U, 255U},
6543                        {2U, 3U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6544                         255U, 255U, 255U, 255U, 255U},
6545                        {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U,
6546                         255U, 255U, 255U, 255U},
6547                        {4U, 5U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6548                         255U, 255U, 255U, 255U, 255U},
6549                        {0U, 1U, 4U, 5U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U,
6550                         255U, 255U, 255U, 255U},
6551                        {2U, 3U, 4U, 5U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U,
6552                         255U, 255U, 255U, 255U},
6553                        {0U, 1U, 2U, 3U, 4U, 5U, 8U, 9U, 10U, 11U, 14U, 15U,
6554                         255U, 255U, 255U, 255U},
6555                        {6U, 7U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U, 255U,
6556                         255U, 255U, 255U, 255U, 255U},
6557                        {0U, 1U, 6U, 7U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U,
6558                         255U, 255U, 255U, 255U},
6559                        {2U, 3U, 6U, 7U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U,
6560                         255U, 255U, 255U, 255U},
6561                        {0U, 1U, 2U, 3U, 6U, 7U, 8U, 9U, 10U, 11U, 14U, 15U,
6562                         255U, 255U, 255U, 255U},
6563                        {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 14U, 15U, 255U, 255U,
6564                         255U, 255U, 255U, 255U},
6565                        {0U, 1U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 14U, 15U,
6566                         255U, 255U, 255U, 255U},
6567                        {2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 14U, 15U,
6568                         255U, 255U, 255U, 255U},
6569                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 14U,
6570                         15U, 255U, 255U},
6571                        {12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U, 255U, 255U,
6572                         255U, 255U, 255U, 255U, 255U, 255U},
6573                        {0U, 1U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U,
6574                         255U, 255U, 255U, 255U, 255U, 255U},
6575                        {2U, 3U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U,
6576                         255U, 255U, 255U, 255U, 255U, 255U},
6577                        {0U, 1U, 2U, 3U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6578                         255U, 255U, 255U, 255U, 255U},
6579                        {4U, 5U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U,
6580                         255U, 255U, 255U, 255U, 255U, 255U},
6581                        {0U, 1U, 4U, 5U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6582                         255U, 255U, 255U, 255U, 255U},
6583                        {2U, 3U, 4U, 5U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6584                         255U, 255U, 255U, 255U, 255U},
6585                        {0U, 1U, 2U, 3U, 4U, 5U, 12U, 13U, 14U, 15U, 255U, 255U,
6586                         255U, 255U, 255U, 255U},
6587                        {6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U,
6588                         255U, 255U, 255U, 255U, 255U, 255U},
6589                        {0U, 1U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6590                         255U, 255U, 255U, 255U, 255U},
6591                        {2U, 3U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6592                         255U, 255U, 255U, 255U, 255U},
6593                        {0U, 1U, 2U, 3U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U,
6594                         255U, 255U, 255U, 255U},
6595                        {4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6596                         255U, 255U, 255U, 255U, 255U},
6597                        {0U, 1U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U,
6598                         255U, 255U, 255U, 255U},
6599                        {2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U, 255U, 255U,
6600                         255U, 255U, 255U, 255U},
6601                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U,
6602                         255U, 255U, 255U, 255U},
6603                        {8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U,
6604                         255U, 255U, 255U, 255U, 255U, 255U},
6605                        {0U, 1U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6606                         255U, 255U, 255U, 255U, 255U},
6607                        {2U, 3U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6608                         255U, 255U, 255U, 255U, 255U},
6609                        {0U, 1U, 2U, 3U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U,
6610                         255U, 255U, 255U, 255U},
6611                        {4U, 5U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6612                         255U, 255U, 255U, 255U, 255U},
6613                        {0U, 1U, 4U, 5U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U,
6614                         255U, 255U, 255U, 255U},
6615                        {2U, 3U, 4U, 5U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U,
6616                         255U, 255U, 255U, 255U},
6617                        {0U, 1U, 2U, 3U, 4U, 5U, 8U, 9U, 12U, 13U, 14U, 15U,
6618                         255U, 255U, 255U, 255U},
6619                        {6U, 7U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6620                         255U, 255U, 255U, 255U, 255U},
6621                        {0U, 1U, 6U, 7U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U,
6622                         255U, 255U, 255U, 255U},
6623                        {2U, 3U, 6U, 7U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U,
6624                         255U, 255U, 255U, 255U},
6625                        {0U, 1U, 2U, 3U, 6U, 7U, 8U, 9U, 12U, 13U, 14U, 15U,
6626                         255U, 255U, 255U, 255U},
6627                        {4U, 5U, 6U, 7U, 8U, 9U, 12U, 13U, 14U, 15U, 255U, 255U,
6628                         255U, 255U, 255U, 255U},
6629                        {0U, 1U, 4U, 5U, 6U, 7U, 8U, 9U, 12U, 13U, 14U, 15U,
6630                         255U, 255U, 255U, 255U},
6631                        {2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 12U, 13U, 14U, 15U,
6632                         255U, 255U, 255U, 255U},
6633                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 12U, 13U, 14U,
6634                         15U, 255U, 255U},
6635                        {10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U, 255U,
6636                         255U, 255U, 255U, 255U, 255U, 255U},
6637                        {0U, 1U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6638                         255U, 255U, 255U, 255U, 255U},
6639                        {2U, 3U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6640                         255U, 255U, 255U, 255U, 255U},
6641                        {0U, 1U, 2U, 3U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6642                         255U, 255U, 255U, 255U, 255U},
6643                        {4U, 5U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6644                         255U, 255U, 255U, 255U, 255U},
6645                        {0U, 1U, 4U, 5U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6646                         255U, 255U, 255U, 255U, 255U},
6647                        {2U, 3U, 4U, 5U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6648                         255U, 255U, 255U, 255U, 255U},
6649                        {0U, 1U, 2U, 3U, 4U, 5U, 10U, 11U, 12U, 13U, 14U, 15U,
6650                         255U, 255U, 255U, 255U},
6651                        {6U, 7U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6652                         255U, 255U, 255U, 255U, 255U},
6653                        {0U, 1U, 6U, 7U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6654                         255U, 255U, 255U, 255U, 255U},
6655                        {2U, 3U, 6U, 7U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6656                         255U, 255U, 255U, 255U, 255U},
6657                        {0U, 1U, 2U, 3U, 6U, 7U, 10U, 11U, 12U, 13U, 14U, 15U,
6658                         255U, 255U, 255U, 255U},
6659                        {4U, 5U, 6U, 7U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6660                         255U, 255U, 255U, 255U, 255U},
6661                        {0U, 1U, 4U, 5U, 6U, 7U, 10U, 11U, 12U, 13U, 14U, 15U,
6662                         255U, 255U, 255U, 255U},
6663                        {2U, 3U, 4U, 5U, 6U, 7U, 10U, 11U, 12U, 13U, 14U, 15U,
6664                         255U, 255U, 255U, 255U},
6665                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 10U, 11U, 12U, 13U, 14U,
6666                         15U, 255U, 255U},
6667                        {8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U, 255U, 255U,
6668                         255U, 255U, 255U, 255U, 255U},
6669                        {0U, 1U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6670                         255U, 255U, 255U, 255U, 255U},
6671                        {2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6672                         255U, 255U, 255U, 255U, 255U},
6673                        {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U,
6674                         255U, 255U, 255U, 255U},
6675                        {4U, 5U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6676                         255U, 255U, 255U, 255U, 255U},
6677                        {0U, 1U, 4U, 5U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U,
6678                         255U, 255U, 255U, 255U},
6679                        {2U, 3U, 4U, 5U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U,
6680                         255U, 255U, 255U, 255U},
6681                        {0U, 1U, 2U, 3U, 4U, 5U, 8U, 9U, 10U, 11U, 12U, 13U, 14U,
6682                         15U, 255U, 255U},
6683                        {6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U, 255U,
6684                         255U, 255U, 255U, 255U, 255U},
6685                        {0U, 1U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U,
6686                         255U, 255U, 255U, 255U},
6687                        {2U, 3U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U,
6688                         255U, 255U, 255U, 255U},
6689                        {0U, 1U, 2U, 3U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U,
6690                         15U, 255U, 255U},
6691                        {4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U,
6692                         255U, 255U, 255U, 255U},
6693                        {0U, 1U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U,
6694                         15U, 255U, 255U},
6695                        {2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U,
6696                         15U, 255U, 255U},
6697                        {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U,
6698                         13U, 14U, 15U}};
6699 
6700 /**
6701 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6702 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6703 */
6704 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6705 libcrux_ml_kem_vector_portable_ZERO_0d(void) {
6706   return libcrux_ml_kem_vector_portable_vector_type_zero();
6707 }
6708 
6709 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6710 libcrux_ml_kem_vector_portable_arithmetic_add(
6711     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
6712     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
6713   for (size_t i = (size_t)0U;
6714        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
6715     size_t i0 = i;
6716     size_t uu____0 = i0;
6717     lhs.elements[uu____0] = lhs.elements[uu____0] + rhs->elements[i0];
6718   }
6719   return lhs;
6720 }
6721 
6722 /**
6723 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6724 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6725 */
6726 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6727 libcrux_ml_kem_vector_portable_add_0d(
6728     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
6729     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
6730   return libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs);
6731 }
6732 
6733 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6734 libcrux_ml_kem_vector_portable_arithmetic_sub(
6735     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
6736     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
6737   for (size_t i = (size_t)0U;
6738        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
6739     size_t i0 = i;
6740     size_t uu____0 = i0;
6741     lhs.elements[uu____0] = lhs.elements[uu____0] - rhs->elements[i0];
6742   }
6743   return lhs;
6744 }
6745 
6746 /**
6747 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6748 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6749 */
6750 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6751 libcrux_ml_kem_vector_portable_sub_0d(
6752     libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs,
6753     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) {
6754   return libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs);
6755 }
6756 
6757 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6758 libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(
6759     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
6760   for (size_t i = (size_t)0U;
6761        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
6762     size_t i0 = i;
6763     size_t uu____0 = i0;
6764     v.elements[uu____0] = v.elements[uu____0] * c;
6765   }
6766   return v;
6767 }
6768 
6769 /**
6770 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6771 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6772 */
6773 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6774 libcrux_ml_kem_vector_portable_multiply_by_constant_0d(
6775     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
6776   return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(v, c);
6777 }
6778 
6779 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6780 libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(
6781     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
6782   for (size_t i = (size_t)0U;
6783        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
6784     size_t i0 = i;
6785     size_t uu____0 = i0;
6786     v.elements[uu____0] = v.elements[uu____0] & c;
6787   }
6788   return v;
6789 }
6790 
6791 /**
6792 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6793 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6794 */
6795 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6796 libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
6797     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
6798   return libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(v,
6799                                                                              c);
6800 }
6801 
6802 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6803 libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(
6804     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
6805   core_ops_range_Range_b3 iter =
6806       core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter(
6807           (CLITERAL(core_ops_range_Range_b3){
6808               .start = (size_t)0U,
6809               .end = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR}),
6810           core_ops_range_Range_b3, core_ops_range_Range_b3);
6811   while (true) {
6812     Option_b3 uu____0 =
6813         core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___6__next(
6814             &iter, size_t, Option_b3);
6815     if (!(uu____0.tag == None)) {
6816       size_t i = uu____0.f0;
6817       if (v.elements[i] >= (int16_t)3329) {
6818         size_t uu____1 = i;
6819         v.elements[uu____1] = v.elements[uu____1] - (int16_t)3329;
6820       }
6821       continue;
6822     }
6823     return v;
6824   }
6825 }
6826 
6827 /**
6828 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6829 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6830 */
6831 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6832 libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(
6833     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
6834   return libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(v);
6835 }
6836 
6837 #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \
6838   ((int32_t)20159)
6839 
6840 #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT ((int32_t)26)
6841 
6842 #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R \
6843   ((int32_t)1 << (uint32_t)                                 \
6844        LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT)
6845 
6846 /**
6847  Signed Barrett Reduction
6848 
6849  Given an input `value`, `barrett_reduce` outputs a representative `result`
6850  such that:
6851 
6852  - result ≡ value (mod FIELD_MODULUS)
6853  - the absolute value of `result` is bound as follows:
6854 
6855  `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1)
6856 
6857  In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`.
6858 */
6859 static inline int16_t
6860 libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
6861     int16_t value) {
6862   int32_t t = (int32_t)value *
6863                   LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER +
6864               (LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R >> 1U);
6865   int16_t quotient =
6866       (int16_t)(t >>
6867                 (uint32_t)
6868                     LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT);
6869   return value - quotient * LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
6870 }
6871 
6872 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6873 libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(
6874     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
6875   for (size_t i = (size_t)0U;
6876        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
6877     size_t i0 = i;
6878     v.elements[i0] =
6879         libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
6880             v.elements[i0]);
6881   }
6882   return v;
6883 }
6884 
6885 /**
6886 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6887 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6888 */
6889 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6890 libcrux_ml_kem_vector_portable_barrett_reduce_0d(
6891     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
6892   return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(v);
6893 }
6894 
6895 #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (16U)
6896 
6897 #define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_R \
6898   ((int32_t)1 << (uint32_t)                                    \
6899        LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT)
6900 
6901 /**
6902  Signed Montgomery Reduction
6903 
6904  Given an input `value`, `montgomery_reduce` outputs a representative `o`
6905  such that:
6906 
6907  - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS)
6908  - the absolute value of `o` is bound as follows:
6909 
6910  `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)
6911 
6912  In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 ·
6913  FIELD_MODULUS) / 2`.
6914 */
6915 static inline int16_t
6916 libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
6917     int32_t value) {
6918   int32_t k =
6919       (int32_t)(int16_t)value *
6920       (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R;
6921   int32_t k_times_modulus =
6922       (int32_t)(int16_t)k * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
6923   int16_t c =
6924       (int16_t)(k_times_modulus >>
6925                 (uint32_t)
6926                     LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT);
6927   int16_t value_high =
6928       (int16_t)(value >>
6929                 (uint32_t)
6930                     LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT);
6931   return value_high - c;
6932 }
6933 
6934 /**
6935  If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to
6936  `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to
6937  `x · y`, as follows:
6938 
6939     `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)`
6940 
6941  `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a
6942  representative `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod
6943  FIELD_MODULUS)`.
6944 */
6945 static KRML_MUSTINLINE int16_t
6946 libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
6947     int16_t fe, int16_t fer) {
6948   return libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
6949       (int32_t)fe * (int32_t)fer);
6950 }
6951 
6952 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
6953 libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant(
6954     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) {
6955   for (size_t i = (size_t)0U;
6956        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
6957     size_t i0 = i;
6958     v.elements[i0] =
6959         libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
6960             v.elements[i0], c);
6961   }
6962   return v;
6963 }
6964 
6965 /**
6966 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
6967 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
6968 */
6969 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
6970 libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
6971     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t r) {
6972   return libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant(
6973       v, r);
6974 }
6975 
6976 /**
6977  The `compress_*` functions implement the `Compress` function specified in the
6978  NIST FIPS 203 standard (Page 18, Expression 4.5), which is defined as:
6979 
6980  ```plaintext
6981  Compress_d: ℤq -> ℤ_{2ᵈ}
6982  Compress_d(x) = ⌈(2ᵈ/q)·x⌋
6983  ```
6984 
6985  Since `⌈x⌋ = ⌊x + 1/2⌋` we have:
6986 
6987  ```plaintext
6988  Compress_d(x) = ⌊(2ᵈ/q)·x + 1/2⌋
6989                = ⌊(2^{d+1}·x + q) / 2q⌋
6990  ```
6991 
6992  For further information about the function implementations, consult the
6993  `implementation_notes.pdf` document in this directory.
6994 
6995  The NIST FIPS 203 standard can be found at
6996  <https://csrc.nist.gov/pubs/fips/203/ipd>.
6997 */
6998 static inline uint8_t
6999 libcrux_ml_kem_vector_portable_compress_compress_message_coefficient(
7000     uint16_t fe) {
7001   int16_t shifted = (int16_t)1664 - (int16_t)fe;
7002   int16_t mask = shifted >> 15U;
7003   int16_t shifted_to_positive = mask ^ shifted;
7004   int16_t shifted_positive_in_range = shifted_to_positive - (int16_t)832;
7005   return (uint8_t)(shifted_positive_in_range >> 15U & (int16_t)1);
7006 }
7007 
7008 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7009 libcrux_ml_kem_vector_portable_compress_compress_1(
7010     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
7011   for (size_t i = (size_t)0U;
7012        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
7013     size_t i0 = i;
7014     v.elements[i0] = (int16_t)
7015         libcrux_ml_kem_vector_portable_compress_compress_message_coefficient(
7016             (uint16_t)v.elements[i0]);
7017   }
7018   return v;
7019 }
7020 
7021 /**
7022 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7023 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7024 */
7025 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7026 libcrux_ml_kem_vector_portable_compress_1_0d(
7027     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
7028   return libcrux_ml_kem_vector_portable_compress_compress_1(v);
7029 }
7030 
7031 static KRML_MUSTINLINE uint32_t
7032 libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits(
7033     uint8_t n, uint32_t value) {
7034   return value & ((1U << (uint32_t)n) - 1U);
7035 }
7036 
7037 static inline int16_t
7038 libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
7039     uint8_t coefficient_bits, uint16_t fe) {
7040   uint64_t compressed = (uint64_t)fe << (uint32_t)coefficient_bits;
7041   compressed = compressed + 1664ULL;
7042   compressed = compressed * 10321340ULL;
7043   compressed = compressed >> 35U;
7044   return (int16_t)
7045       libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits(
7046           coefficient_bits, (uint32_t)compressed);
7047 }
7048 
7049 static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_step(
7050     libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta,
7051     size_t i, size_t j) {
7052   int16_t t =
7053       libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
7054           v->elements[j], zeta);
7055   v->elements[j] = v->elements[i] - t;
7056   v->elements[i] = v->elements[i] + t;
7057 }
7058 
7059 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7060 libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(
7061     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
7062     int16_t zeta1, int16_t zeta2, int16_t zeta3) {
7063   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U,
7064                                               (size_t)2U);
7065   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U,
7066                                               (size_t)3U);
7067   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)4U,
7068                                               (size_t)6U);
7069   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)5U,
7070                                               (size_t)7U);
7071   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)8U,
7072                                               (size_t)10U);
7073   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta2, (size_t)9U,
7074                                               (size_t)11U);
7075   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)12U,
7076                                               (size_t)14U);
7077   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta3, (size_t)13U,
7078                                               (size_t)15U);
7079   return v;
7080 }
7081 
7082 /**
7083 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7084 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7085 */
7086 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7087 libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
7088     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
7089     int16_t zeta1, int16_t zeta2, int16_t zeta3) {
7090   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1,
7091                                                              zeta2, zeta3);
7092 }
7093 
7094 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7095 libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(
7096     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
7097     int16_t zeta1) {
7098   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)0U,
7099                                               (size_t)4U);
7100   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)1U,
7101                                               (size_t)5U);
7102   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)2U,
7103                                               (size_t)6U);
7104   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta0, (size_t)3U,
7105                                               (size_t)7U);
7106   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)8U,
7107                                               (size_t)12U);
7108   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)9U,
7109                                               (size_t)13U);
7110   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)10U,
7111                                               (size_t)14U);
7112   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta1, (size_t)11U,
7113                                               (size_t)15U);
7114   return v;
7115 }
7116 
7117 /**
7118 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7119 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7120 */
7121 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7122 libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
7123     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
7124     int16_t zeta1) {
7125   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1);
7126 }
7127 
7128 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7129 libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(
7130     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) {
7131   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)0U, (size_t)8U);
7132   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)1U, (size_t)9U);
7133   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)2U,
7134                                               (size_t)10U);
7135   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)3U,
7136                                               (size_t)11U);
7137   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)4U,
7138                                               (size_t)12U);
7139   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)5U,
7140                                               (size_t)13U);
7141   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)6U,
7142                                               (size_t)14U);
7143   libcrux_ml_kem_vector_portable_ntt_ntt_step(&v, zeta, (size_t)7U,
7144                                               (size_t)15U);
7145   return v;
7146 }
7147 
7148 /**
7149 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7150 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7151 */
7152 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7153 libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d(
7154     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) {
7155   return libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta);
7156 }
7157 
7158 static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(
7159     libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, int16_t zeta,
7160     size_t i, size_t j) {
7161   int16_t a_minus_b = v->elements[j] - v->elements[i];
7162   v->elements[i] =
7163       libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element(
7164           v->elements[i] + v->elements[j]);
7165   v->elements[j] =
7166       libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer(
7167           a_minus_b, zeta);
7168 }
7169 
7170 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7171 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(
7172     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
7173     int16_t zeta1, int16_t zeta2, int16_t zeta3) {
7174   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U,
7175                                                   (size_t)2U);
7176   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U,
7177                                                   (size_t)3U);
7178   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)4U,
7179                                                   (size_t)6U);
7180   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)5U,
7181                                                   (size_t)7U);
7182   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)8U,
7183                                                   (size_t)10U);
7184   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta2, (size_t)9U,
7185                                                   (size_t)11U);
7186   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)12U,
7187                                                   (size_t)14U);
7188   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta3, (size_t)13U,
7189                                                   (size_t)15U);
7190   return v;
7191 }
7192 
7193 /**
7194 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7195 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7196 */
7197 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7198 libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
7199     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
7200     int16_t zeta1, int16_t zeta2, int16_t zeta3) {
7201   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step(
7202       a, zeta0, zeta1, zeta2, zeta3);
7203 }
7204 
7205 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7206 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(
7207     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0,
7208     int16_t zeta1) {
7209   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)0U,
7210                                                   (size_t)4U);
7211   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)1U,
7212                                                   (size_t)5U);
7213   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)2U,
7214                                                   (size_t)6U);
7215   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta0, (size_t)3U,
7216                                                   (size_t)7U);
7217   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)8U,
7218                                                   (size_t)12U);
7219   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)9U,
7220                                                   (size_t)13U);
7221   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)10U,
7222                                                   (size_t)14U);
7223   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta1, (size_t)11U,
7224                                                   (size_t)15U);
7225   return v;
7226 }
7227 
7228 /**
7229 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7230 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7231 */
7232 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7233 libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
7234     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0,
7235     int16_t zeta1) {
7236   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0,
7237                                                                  zeta1);
7238 }
7239 
7240 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7241 libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(
7242     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) {
7243   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)0U,
7244                                                   (size_t)8U);
7245   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)1U,
7246                                                   (size_t)9U);
7247   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)2U,
7248                                                   (size_t)10U);
7249   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)3U,
7250                                                   (size_t)11U);
7251   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)4U,
7252                                                   (size_t)12U);
7253   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)5U,
7254                                                   (size_t)13U);
7255   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)6U,
7256                                                   (size_t)14U);
7257   libcrux_ml_kem_vector_portable_ntt_inv_ntt_step(&v, zeta, (size_t)7U,
7258                                                   (size_t)15U);
7259   return v;
7260 }
7261 
7262 /**
7263 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7264 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7265 */
7266 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7267 libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
7268     libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) {
7269   return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta);
7270 }
7271 
7272 /**
7273  Compute the product of two Kyber binomials with respect to the
7274  modulus `X² - zeta`.
7275 
7276  This function almost implements <strong>Algorithm 11</strong> of the
7277  NIST FIPS 203 standard, which is reproduced below:
7278 
7279  ```plaintext
7280  Input:  a₀, a₁, b₀, b₁ ∈ ℤq.
7281  Input: γ ∈ ℤq.
7282  Output: c₀, c₁ ∈ ℤq.
7283 
7284  c₀ ← a₀·b₀ + a₁·b₁·γ
7285  c₁ ← a₀·b₁ + a₁·b₀
7286  return c₀, c₁
7287  ```
7288  We say "almost" because the coefficients output by this function are in
7289  the Montgomery domain (unlike in the specification).
7290 
7291  The NIST FIPS 203 standard can be found at
7292  <https://csrc.nist.gov/pubs/fips/203/ipd>.
7293 */
7294 static KRML_MUSTINLINE void
7295 libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7296     libcrux_ml_kem_vector_portable_vector_type_PortableVector *a,
7297     libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta,
7298     size_t i, size_t j,
7299     libcrux_ml_kem_vector_portable_vector_type_PortableVector *out) {
7300   int16_t o0 = libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
7301       (int32_t)a->elements[i] * (int32_t)b->elements[i] +
7302       (int32_t)
7303               libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
7304                   (int32_t)a->elements[j] * (int32_t)b->elements[j]) *
7305           (int32_t)zeta);
7306   int16_t o1 =
7307       libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element(
7308           (int32_t)a->elements[i] * (int32_t)b->elements[j] +
7309           (int32_t)a->elements[j] * (int32_t)b->elements[i]);
7310   out->elements[i] = o0;
7311   out->elements[j] = o1;
7312 }
7313 
7314 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7315 libcrux_ml_kem_vector_portable_ntt_ntt_multiply(
7316     libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs,
7317     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs,
7318     int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
7319   libcrux_ml_kem_vector_portable_vector_type_PortableVector out =
7320       libcrux_ml_kem_vector_portable_vector_type_zero();
7321   libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7322       lhs, rhs, zeta0, (size_t)0U, (size_t)1U, &out);
7323   libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7324       lhs, rhs, -zeta0, (size_t)2U, (size_t)3U, &out);
7325   libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7326       lhs, rhs, zeta1, (size_t)4U, (size_t)5U, &out);
7327   libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7328       lhs, rhs, -zeta1, (size_t)6U, (size_t)7U, &out);
7329   libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7330       lhs, rhs, zeta2, (size_t)8U, (size_t)9U, &out);
7331   libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7332       lhs, rhs, -zeta2, (size_t)10U, (size_t)11U, &out);
7333   libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7334       lhs, rhs, zeta3, (size_t)12U, (size_t)13U, &out);
7335   libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(
7336       lhs, rhs, -zeta3, (size_t)14U, (size_t)15U, &out);
7337   return out;
7338 }
7339 
7340 /**
7341 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7342 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7343 */
7344 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7345 libcrux_ml_kem_vector_portable_ntt_multiply_0d(
7346     libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs,
7347     libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs,
7348     int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) {
7349   return libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, zeta0, zeta1,
7350                                                          zeta2, zeta3);
7351 }
7352 
7353 static KRML_MUSTINLINE void
7354 libcrux_ml_kem_vector_portable_serialize_serialize_1(
7355     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
7356     uint8_t ret[2U]) {
7357   uint8_t result[2U] = {0U};
7358   for (size_t i = (size_t)0U; i < (size_t)8U; i++) {
7359     size_t i0 = i;
7360     size_t uu____0 = (size_t)0U;
7361     result[uu____0] = (uint32_t)result[uu____0] |
7362                       (uint32_t)(uint8_t)v.elements[i0] << (uint32_t)i0;
7363   }
7364   for (size_t i = (size_t)8U; i < (size_t)16U; i++) {
7365     size_t i0 = i;
7366     size_t uu____1 = (size_t)1U;
7367     result[uu____1] =
7368         (uint32_t)result[uu____1] | (uint32_t)(uint8_t)v.elements[i0]
7369                                         << (uint32_t)(i0 - (size_t)8U);
7370   }
7371   memcpy(ret, result, (size_t)2U * sizeof(uint8_t));
7372 }
7373 
7374 /**
7375 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7376 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7377 */
7378 static inline void libcrux_ml_kem_vector_portable_serialize_1_0d(
7379     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
7380     uint8_t ret[2U]) {
7381   libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret);
7382 }
7383 
7384 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7385 libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) {
7386   libcrux_ml_kem_vector_portable_vector_type_PortableVector result =
7387       libcrux_ml_kem_vector_portable_vector_type_zero();
7388   for (size_t i = (size_t)0U; i < (size_t)8U; i++) {
7389     size_t i0 = i;
7390     result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index(
7391                                         v, (size_t)0U, uint8_t, uint8_t *) >>
7392                                         (uint32_t)i0 &
7393                                     1U);
7394   }
7395   for (size_t i = (size_t)8U;
7396        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
7397     size_t i0 = i;
7398     result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index(
7399                                         v, (size_t)1U, uint8_t, uint8_t *) >>
7400                                         (uint32_t)(i0 - (size_t)8U) &
7401                                     1U);
7402   }
7403   return result;
7404 }
7405 
7406 /**
7407 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7408 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7409 */
7410 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7411 libcrux_ml_kem_vector_portable_deserialize_1_0d(Eurydice_slice a) {
7412   return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a);
7413 }
7414 
7415 typedef struct uint8_t_x4_s {
7416   uint8_t fst;
7417   uint8_t snd;
7418   uint8_t thd;
7419   uint8_t f3;
7420 } uint8_t_x4;
7421 
7422 static KRML_MUSTINLINE uint8_t_x4
7423 libcrux_ml_kem_vector_portable_serialize_serialize_4_int(Eurydice_slice v) {
7424   uint8_t result0 =
7425       (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *)
7426           << 4U |
7427       (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)0U, int16_t,
7428                                               int16_t *);
7429   uint8_t result1 =
7430       (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *)
7431           << 4U |
7432       (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)2U, int16_t,
7433                                               int16_t *);
7434   uint8_t result2 =
7435       (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *)
7436           << 4U |
7437       (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)4U, int16_t,
7438                                               int16_t *);
7439   uint8_t result3 =
7440       (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *)
7441           << 4U |
7442       (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)6U, int16_t,
7443                                               int16_t *);
7444   return (CLITERAL(uint8_t_x4){
7445       .fst = result0, .snd = result1, .thd = result2, .f3 = result3});
7446 }
7447 
7448 static KRML_MUSTINLINE void
7449 libcrux_ml_kem_vector_portable_serialize_serialize_4(
7450     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
7451     uint8_t ret[8U]) {
7452   uint8_t_x4 result0_3 =
7453       libcrux_ml_kem_vector_portable_serialize_serialize_4_int(
7454           Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U,
7455                                       int16_t));
7456   uint8_t_x4 result4_7 =
7457       libcrux_ml_kem_vector_portable_serialize_serialize_4_int(
7458           Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
7459                                       int16_t));
7460   uint8_t result[8U] = {0U};
7461   result[0U] = result0_3.fst;
7462   result[1U] = result0_3.snd;
7463   result[2U] = result0_3.thd;
7464   result[3U] = result0_3.f3;
7465   result[4U] = result4_7.fst;
7466   result[5U] = result4_7.snd;
7467   result[6U] = result4_7.thd;
7468   result[7U] = result4_7.f3;
7469   memcpy(ret, result, (size_t)8U * sizeof(uint8_t));
7470 }
7471 
7472 /**
7473 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7474 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7475 */
7476 static inline void libcrux_ml_kem_vector_portable_serialize_4_0d(
7477     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
7478     uint8_t ret[8U]) {
7479   libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret);
7480 }
7481 
7482 static KRML_MUSTINLINE int16_t_x8
7483 libcrux_ml_kem_vector_portable_serialize_deserialize_4_int(
7484     Eurydice_slice bytes) {
7485   int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U,
7486                                                         uint8_t, uint8_t *) &
7487                          15U);
7488   int16_t v1 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U,
7489                                                         uint8_t, uint8_t *) >>
7490                              4U &
7491                          15U);
7492   int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U,
7493                                                         uint8_t, uint8_t *) &
7494                          15U);
7495   int16_t v3 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U,
7496                                                         uint8_t, uint8_t *) >>
7497                              4U &
7498                          15U);
7499   int16_t v4 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)2U,
7500                                                         uint8_t, uint8_t *) &
7501                          15U);
7502   int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)2U,
7503                                                         uint8_t, uint8_t *) >>
7504                              4U &
7505                          15U);
7506   int16_t v6 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)3U,
7507                                                         uint8_t, uint8_t *) &
7508                          15U);
7509   int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)3U,
7510                                                         uint8_t, uint8_t *) >>
7511                              4U &
7512                          15U);
7513   return (CLITERAL(int16_t_x8){.fst = v0,
7514                                .snd = v1,
7515                                .thd = v2,
7516                                .f3 = v3,
7517                                .f4 = v4,
7518                                .f5 = v5,
7519                                .f6 = v6,
7520                                .f7 = v7});
7521 }
7522 
7523 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7524 libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) {
7525   int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int(
7526       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t));
7527   int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int(
7528       Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t));
7529   libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
7530       libcrux_ml_kem_vector_portable_vector_type_zero();
7531   v.elements[0U] = v0_7.fst;
7532   v.elements[1U] = v0_7.snd;
7533   v.elements[2U] = v0_7.thd;
7534   v.elements[3U] = v0_7.f3;
7535   v.elements[4U] = v0_7.f4;
7536   v.elements[5U] = v0_7.f5;
7537   v.elements[6U] = v0_7.f6;
7538   v.elements[7U] = v0_7.f7;
7539   v.elements[8U] = v8_15.fst;
7540   v.elements[9U] = v8_15.snd;
7541   v.elements[10U] = v8_15.thd;
7542   v.elements[11U] = v8_15.f3;
7543   v.elements[12U] = v8_15.f4;
7544   v.elements[13U] = v8_15.f5;
7545   v.elements[14U] = v8_15.f6;
7546   v.elements[15U] = v8_15.f7;
7547   return v;
7548 }
7549 
7550 /**
7551 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7552 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7553 */
7554 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7555 libcrux_ml_kem_vector_portable_deserialize_4_0d(Eurydice_slice a) {
7556   return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a);
7557 }
7558 
7559 typedef struct uint8_t_x5_s {
7560   uint8_t fst;
7561   uint8_t snd;
7562   uint8_t thd;
7563   uint8_t f3;
7564   uint8_t f4;
7565 } uint8_t_x5;
7566 
7567 static KRML_MUSTINLINE uint8_t_x5
7568 libcrux_ml_kem_vector_portable_serialize_serialize_5_int(Eurydice_slice v) {
7569   uint8_t r0 =
7570       (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) |
7571                 Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) << 5U);
7572   uint8_t r1 =
7573       (uint8_t)((Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 3U |
7574                  Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *)
7575                      << 2U) |
7576                 Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) << 7U);
7577   uint8_t r2 =
7578       (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 1U |
7579                 Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *) << 4U);
7580   uint8_t r3 =
7581       (uint8_t)((Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *) >> 4U |
7582                  Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *)
7583                      << 1U) |
7584                 Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *) << 6U);
7585   uint8_t r4 =
7586       (uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *) >> 2U |
7587                 Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) << 3U);
7588   return (CLITERAL(uint8_t_x5){
7589       .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4});
7590 }
7591 
7592 static KRML_MUSTINLINE void
7593 libcrux_ml_kem_vector_portable_serialize_serialize_5(
7594     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
7595     uint8_t ret[10U]) {
7596   uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int(
7597       Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t));
7598   uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int(
7599       Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U,
7600                                   int16_t));
7601   uint8_t result[10U] = {0U};
7602   result[0U] = r0_4.fst;
7603   result[1U] = r0_4.snd;
7604   result[2U] = r0_4.thd;
7605   result[3U] = r0_4.f3;
7606   result[4U] = r0_4.f4;
7607   result[5U] = r5_9.fst;
7608   result[6U] = r5_9.snd;
7609   result[7U] = r5_9.thd;
7610   result[8U] = r5_9.f3;
7611   result[9U] = r5_9.f4;
7612   memcpy(ret, result, (size_t)10U * sizeof(uint8_t));
7613 }
7614 
7615 /**
7616 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7617 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7618 */
7619 static inline void libcrux_ml_kem_vector_portable_serialize_5_0d(
7620     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
7621     uint8_t ret[10U]) {
7622   libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret);
7623 }
7624 
7625 static KRML_MUSTINLINE int16_t_x8
7626 libcrux_ml_kem_vector_portable_serialize_deserialize_5_int(
7627     Eurydice_slice bytes) {
7628   int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U,
7629                                                         uint8_t, uint8_t *) &
7630                          31U);
7631   int16_t v1 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)1U,
7632                                                          uint8_t, uint8_t *) &
7633                           3U) << 3U |
7634                          (uint32_t)Eurydice_slice_index(bytes, (size_t)0U,
7635                                                         uint8_t, uint8_t *) >>
7636                              5U);
7637   int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U,
7638                                                         uint8_t, uint8_t *) >>
7639                              2U &
7640                          31U);
7641   int16_t v3 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)2U,
7642                                                          uint8_t, uint8_t *) &
7643                           15U)
7644                              << 1U |
7645                          (uint32_t)Eurydice_slice_index(bytes, (size_t)1U,
7646                                                         uint8_t, uint8_t *) >>
7647                              7U);
7648   int16_t v4 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)3U,
7649                                                          uint8_t, uint8_t *) &
7650                           1U) << 4U |
7651                          (uint32_t)Eurydice_slice_index(bytes, (size_t)2U,
7652                                                         uint8_t, uint8_t *) >>
7653                              4U);
7654   int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)3U,
7655                                                         uint8_t, uint8_t *) >>
7656                              1U &
7657                          31U);
7658   int16_t v6 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)4U,
7659                                                          uint8_t, uint8_t *) &
7660                           7U) << 2U |
7661                          (uint32_t)Eurydice_slice_index(bytes, (size_t)3U,
7662                                                         uint8_t, uint8_t *) >>
7663                              6U);
7664   int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)4U,
7665                                                         uint8_t, uint8_t *) >>
7666                          3U);
7667   return (CLITERAL(int16_t_x8){.fst = v0,
7668                                .snd = v1,
7669                                .thd = v2,
7670                                .f3 = v3,
7671                                .f4 = v4,
7672                                .f5 = v5,
7673                                .f6 = v6,
7674                                .f7 = v7});
7675 }
7676 
7677 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7678 libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) {
7679   int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int(
7680       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t));
7681   int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int(
7682       Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t));
7683   libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
7684       libcrux_ml_kem_vector_portable_vector_type_zero();
7685   v.elements[0U] = v0_7.fst;
7686   v.elements[1U] = v0_7.snd;
7687   v.elements[2U] = v0_7.thd;
7688   v.elements[3U] = v0_7.f3;
7689   v.elements[4U] = v0_7.f4;
7690   v.elements[5U] = v0_7.f5;
7691   v.elements[6U] = v0_7.f6;
7692   v.elements[7U] = v0_7.f7;
7693   v.elements[8U] = v8_15.fst;
7694   v.elements[9U] = v8_15.snd;
7695   v.elements[10U] = v8_15.thd;
7696   v.elements[11U] = v8_15.f3;
7697   v.elements[12U] = v8_15.f4;
7698   v.elements[13U] = v8_15.f5;
7699   v.elements[14U] = v8_15.f6;
7700   v.elements[15U] = v8_15.f7;
7701   return v;
7702 }
7703 
7704 /**
7705 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7706 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7707 */
7708 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7709 libcrux_ml_kem_vector_portable_deserialize_5_0d(Eurydice_slice a) {
7710   return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a);
7711 }
7712 
7713 static KRML_MUSTINLINE uint8_t_x5
7714 libcrux_ml_kem_vector_portable_serialize_serialize_10_int(Eurydice_slice v) {
7715   uint8_t r0 =
7716       (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) &
7717                 (int16_t)255);
7718   uint8_t r1 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t,
7719                                                         int16_t *) &
7720                                    (int16_t)63)
7721                    << 2U |
7722                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t,
7723                                                         int16_t *) >>
7724                                        8U &
7725                                    (int16_t)3);
7726   uint8_t r2 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t,
7727                                                         int16_t *) &
7728                                    (int16_t)15)
7729                    << 4U |
7730                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t,
7731                                                         int16_t *) >>
7732                                        6U &
7733                                    (int16_t)15);
7734   uint8_t r3 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t,
7735                                                         int16_t *) &
7736                                    (int16_t)3)
7737                    << 6U |
7738                (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t,
7739                                                         int16_t *) >>
7740                                        4U &
7741                                    (int16_t)63);
7742   uint8_t r4 =
7743       (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 2U &
7744                 (int16_t)255);
7745   return (CLITERAL(uint8_t_x5){
7746       .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4});
7747 }
7748 
7749 static KRML_MUSTINLINE void
7750 libcrux_ml_kem_vector_portable_serialize_serialize_10(
7751     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
7752     uint8_t ret[20U]) {
7753   uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int(
7754       Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)4U, int16_t));
7755   uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int(
7756       Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)8U, int16_t));
7757   uint8_t_x5 r10_14 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int(
7758       Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)12U,
7759                                   int16_t));
7760   uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int(
7761       Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U,
7762                                   int16_t));
7763   uint8_t result[20U] = {0U};
7764   result[0U] = r0_4.fst;
7765   result[1U] = r0_4.snd;
7766   result[2U] = r0_4.thd;
7767   result[3U] = r0_4.f3;
7768   result[4U] = r0_4.f4;
7769   result[5U] = r5_9.fst;
7770   result[6U] = r5_9.snd;
7771   result[7U] = r5_9.thd;
7772   result[8U] = r5_9.f3;
7773   result[9U] = r5_9.f4;
7774   result[10U] = r10_14.fst;
7775   result[11U] = r10_14.snd;
7776   result[12U] = r10_14.thd;
7777   result[13U] = r10_14.f3;
7778   result[14U] = r10_14.f4;
7779   result[15U] = r15_19.fst;
7780   result[16U] = r15_19.snd;
7781   result[17U] = r15_19.thd;
7782   result[18U] = r15_19.f3;
7783   result[19U] = r15_19.f4;
7784   memcpy(ret, result, (size_t)20U * sizeof(uint8_t));
7785 }
7786 
7787 /**
7788 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7789 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7790 */
7791 static inline void libcrux_ml_kem_vector_portable_serialize_10_0d(
7792     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
7793     uint8_t ret[20U]) {
7794   libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret);
7795 }
7796 
7797 static KRML_MUSTINLINE int16_t_x8
7798 libcrux_ml_kem_vector_portable_serialize_deserialize_10_int(
7799     Eurydice_slice bytes) {
7800   int16_t r0 =
7801       ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) &
7802        (int16_t)3)
7803           << 8U |
7804       ((int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *) &
7805        (int16_t)255);
7806   int16_t r1 =
7807       ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) &
7808        (int16_t)15)
7809           << 6U |
7810       (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) >>
7811           2U;
7812   int16_t r2 =
7813       ((int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) &
7814        (int16_t)63)
7815           << 4U |
7816       (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >>
7817           4U;
7818   int16_t r3 =
7819       (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *)
7820           << 2U |
7821       (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) >>
7822           6U;
7823   int16_t r4 =
7824       ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) &
7825        (int16_t)3)
7826           << 8U |
7827       ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) &
7828        (int16_t)255);
7829   int16_t r5 =
7830       ((int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) &
7831        (int16_t)15)
7832           << 6U |
7833       (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >>
7834           2U;
7835   int16_t r6 =
7836       ((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) &
7837        (int16_t)63)
7838           << 4U |
7839       (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) >>
7840           4U;
7841   int16_t r7 =
7842       (int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *)
7843           << 2U |
7844       (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) >>
7845           6U;
7846   return (CLITERAL(int16_t_x8){.fst = r0,
7847                                .snd = r1,
7848                                .thd = r2,
7849                                .f3 = r3,
7850                                .f4 = r4,
7851                                .f5 = r5,
7852                                .f6 = r6,
7853                                .f7 = r7});
7854 }
7855 
7856 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7857 libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) {
7858   int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int(
7859       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)10U, uint8_t));
7860   int16_t_x8 v8_15 =
7861       libcrux_ml_kem_vector_portable_serialize_deserialize_10_int(
7862           Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t));
7863   libcrux_ml_kem_vector_portable_vector_type_PortableVector v =
7864       libcrux_ml_kem_vector_portable_vector_type_zero();
7865   v.elements[0U] = v0_7.fst;
7866   v.elements[1U] = v0_7.snd;
7867   v.elements[2U] = v0_7.thd;
7868   v.elements[3U] = v0_7.f3;
7869   v.elements[4U] = v0_7.f4;
7870   v.elements[5U] = v0_7.f5;
7871   v.elements[6U] = v0_7.f6;
7872   v.elements[7U] = v0_7.f7;
7873   v.elements[8U] = v8_15.fst;
7874   v.elements[9U] = v8_15.snd;
7875   v.elements[10U] = v8_15.thd;
7876   v.elements[11U] = v8_15.f3;
7877   v.elements[12U] = v8_15.f4;
7878   v.elements[13U] = v8_15.f5;
7879   v.elements[14U] = v8_15.f6;
7880   v.elements[15U] = v8_15.f7;
7881   return v;
7882 }
7883 
7884 /**
7885 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7886 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7887 */
7888 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
7889 libcrux_ml_kem_vector_portable_deserialize_10_0d(Eurydice_slice a) {
7890   return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a);
7891 }
7892 
7893 typedef struct uint8_t_x3_s {
7894   uint8_t fst;
7895   uint8_t snd;
7896   uint8_t thd;
7897 } uint8_t_x3;
7898 
7899 static KRML_MUSTINLINE uint8_t_x3
7900 libcrux_ml_kem_vector_portable_serialize_serialize_12_int(Eurydice_slice v) {
7901   uint8_t r0 =
7902       (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) &
7903                 (int16_t)255);
7904   uint8_t r1 =
7905       (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) >> 8U |
7906                 (Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) &
7907                  (int16_t)15)
7908                     << 4U);
7909   uint8_t r2 =
7910       (uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 4U &
7911                 (int16_t)255);
7912   return (CLITERAL(uint8_t_x3){.fst = r0, .snd = r1, .thd = r2});
7913 }
7914 
7915 static KRML_MUSTINLINE void
7916 libcrux_ml_kem_vector_portable_serialize_serialize_12(
7917     libcrux_ml_kem_vector_portable_vector_type_PortableVector v,
7918     uint8_t ret[24U]) {
7919   uint8_t_x3 r0_2 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
7920       Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)2U, int16_t));
7921   uint8_t_x3 r3_5 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
7922       Eurydice_array_to_subslice2(v.elements, (size_t)2U, (size_t)4U, int16_t));
7923   uint8_t_x3 r6_8 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
7924       Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)6U, int16_t));
7925   uint8_t_x3 r9_11 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
7926       Eurydice_array_to_subslice2(v.elements, (size_t)6U, (size_t)8U, int16_t));
7927   uint8_t_x3 r12_14 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
7928       Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)10U,
7929                                   int16_t));
7930   uint8_t_x3 r15_17 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
7931       Eurydice_array_to_subslice2(v.elements, (size_t)10U, (size_t)12U,
7932                                   int16_t));
7933   uint8_t_x3 r18_20 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
7934       Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)14U,
7935                                   int16_t));
7936   uint8_t_x3 r21_23 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int(
7937       Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U,
7938                                   int16_t));
7939   uint8_t result[24U] = {0U};
7940   result[0U] = r0_2.fst;
7941   result[1U] = r0_2.snd;
7942   result[2U] = r0_2.thd;
7943   result[3U] = r3_5.fst;
7944   result[4U] = r3_5.snd;
7945   result[5U] = r3_5.thd;
7946   result[6U] = r6_8.fst;
7947   result[7U] = r6_8.snd;
7948   result[8U] = r6_8.thd;
7949   result[9U] = r9_11.fst;
7950   result[10U] = r9_11.snd;
7951   result[11U] = r9_11.thd;
7952   result[12U] = r12_14.fst;
7953   result[13U] = r12_14.snd;
7954   result[14U] = r12_14.thd;
7955   result[15U] = r15_17.fst;
7956   result[16U] = r15_17.snd;
7957   result[17U] = r15_17.thd;
7958   result[18U] = r18_20.fst;
7959   result[19U] = r18_20.snd;
7960   result[20U] = r18_20.thd;
7961   result[21U] = r21_23.fst;
7962   result[22U] = r21_23.snd;
7963   result[23U] = r21_23.thd;
7964   memcpy(ret, result, (size_t)24U * sizeof(uint8_t));
7965 }
7966 
7967 /**
7968 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
7969 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
7970 */
7971 static inline void libcrux_ml_kem_vector_portable_serialize_12_0d(
7972     libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
7973     uint8_t ret[24U]) {
7974   libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret);
7975 }
7976 
7977 typedef struct int16_t_x2_s {
7978   int16_t fst;
7979   int16_t snd;
7980 } int16_t_x2;
7981 
7982 static KRML_MUSTINLINE int16_t_x2
7983 libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
7984     Eurydice_slice bytes) {
7985   int16_t byte0 =
7986       (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *);
7987   int16_t byte1 =
7988       (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *);
7989   int16_t byte2 =
7990       (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *);
7991   int16_t r0 = (byte1 & (int16_t)15) << 8U | (byte0 & (int16_t)255);
7992   int16_t r1 = byte2 << 4U | (byte1 >> 4U & (int16_t)15);
7993   return (CLITERAL(int16_t_x2){.fst = r0, .snd = r1});
7994 }
7995 
7996 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
7997 libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) {
7998   int16_t_x2 v0_1 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
7999       Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)3U, uint8_t));
8000   int16_t_x2 v2_3 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
8001       Eurydice_slice_subslice2(bytes, (size_t)3U, (size_t)6U, uint8_t));
8002   int16_t_x2 v4_5 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
8003       Eurydice_slice_subslice2(bytes, (size_t)6U, (size_t)9U, uint8_t));
8004   int16_t_x2 v6_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
8005       Eurydice_slice_subslice2(bytes, (size_t)9U, (size_t)12U, uint8_t));
8006   int16_t_x2 v8_9 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
8007       Eurydice_slice_subslice2(bytes, (size_t)12U, (size_t)15U, uint8_t));
8008   int16_t_x2 v10_11 =
8009       libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
8010           Eurydice_slice_subslice2(bytes, (size_t)15U, (size_t)18U, uint8_t));
8011   int16_t_x2 v12_13 =
8012       libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
8013           Eurydice_slice_subslice2(bytes, (size_t)18U, (size_t)21U, uint8_t));
8014   int16_t_x2 v14_15 =
8015       libcrux_ml_kem_vector_portable_serialize_deserialize_12_int(
8016           Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t));
8017   libcrux_ml_kem_vector_portable_vector_type_PortableVector re =
8018       libcrux_ml_kem_vector_portable_vector_type_zero();
8019   re.elements[0U] = v0_1.fst;
8020   re.elements[1U] = v0_1.snd;
8021   re.elements[2U] = v2_3.fst;
8022   re.elements[3U] = v2_3.snd;
8023   re.elements[4U] = v4_5.fst;
8024   re.elements[5U] = v4_5.snd;
8025   re.elements[6U] = v6_7.fst;
8026   re.elements[7U] = v6_7.snd;
8027   re.elements[8U] = v8_9.fst;
8028   re.elements[9U] = v8_9.snd;
8029   re.elements[10U] = v10_11.fst;
8030   re.elements[11U] = v10_11.snd;
8031   re.elements[12U] = v12_13.fst;
8032   re.elements[13U] = v12_13.snd;
8033   re.elements[14U] = v14_15.fst;
8034   re.elements[15U] = v14_15.snd;
8035   return re;
8036 }
8037 
8038 /**
8039 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
8040 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
8041 */
8042 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
8043 libcrux_ml_kem_vector_portable_deserialize_12_0d(Eurydice_slice a) {
8044   return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a);
8045 }
8046 
8047 static KRML_MUSTINLINE size_t
8048 libcrux_ml_kem_vector_portable_sampling_rej_sample(Eurydice_slice a,
8049                                                    Eurydice_slice result) {
8050   size_t sampled = (size_t)0U;
8051   for (size_t i = (size_t)0U; i < Eurydice_slice_len(a, uint8_t) / (size_t)3U;
8052        i++) {
8053     size_t i0 = i;
8054     int16_t b1 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)0U,
8055                                                uint8_t, uint8_t *);
8056     int16_t b2 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)1U,
8057                                                uint8_t, uint8_t *);
8058     int16_t b3 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)2U,
8059                                                uint8_t, uint8_t *);
8060     int16_t d1 = (b2 & (int16_t)15) << 8U | b1;
8061     int16_t d2 = b3 << 4U | b2 >> 4U;
8062     bool uu____0;
8063     int16_t uu____1;
8064     bool uu____2;
8065     size_t uu____3;
8066     int16_t uu____4;
8067     size_t uu____5;
8068     int16_t uu____6;
8069     if (d1 < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS) {
8070       if (sampled < (size_t)16U) {
8071         Eurydice_slice_index(result, sampled, int16_t, int16_t *) = d1;
8072         sampled++;
8073         uu____1 = d2;
8074         uu____6 = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
8075         uu____0 = uu____1 < uu____6;
8076         if (uu____0) {
8077           uu____3 = sampled;
8078           uu____2 = uu____3 < (size_t)16U;
8079           if (uu____2) {
8080             uu____4 = d2;
8081             uu____5 = sampled;
8082             Eurydice_slice_index(result, uu____5, int16_t, int16_t *) = uu____4;
8083             sampled++;
8084             continue;
8085           }
8086         }
8087         continue;
8088       }
8089     }
8090     uu____1 = d2;
8091     uu____6 = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
8092     uu____0 = uu____1 < uu____6;
8093     if (uu____0) {
8094       uu____3 = sampled;
8095       uu____2 = uu____3 < (size_t)16U;
8096       if (uu____2) {
8097         uu____4 = d2;
8098         uu____5 = sampled;
8099         Eurydice_slice_index(result, uu____5, int16_t, int16_t *) = uu____4;
8100         sampled++;
8101         continue;
8102       }
8103     }
8104   }
8105   return sampled;
8106 }
8107 
8108 /**
8109 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
8110 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
8111 */
8112 static inline size_t libcrux_ml_kem_vector_portable_rej_sample_0d(
8113     Eurydice_slice a, Eurydice_slice out) {
8114   return libcrux_ml_kem_vector_portable_sampling_rej_sample(a, out);
8115 }
8116 
8117 #define LIBCRUX_ML_KEM_MLKEM768_VECTOR_U_COMPRESSION_FACTOR_768 ((size_t)10U)
8118 
8119 #define LIBCRUX_ML_KEM_MLKEM768_C1_BLOCK_SIZE_768          \
8120   (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \
8121    LIBCRUX_ML_KEM_MLKEM768_VECTOR_U_COMPRESSION_FACTOR_768 / (size_t)8U)
8122 
8123 #define LIBCRUX_ML_KEM_MLKEM768_RANK_768 ((size_t)3U)
8124 
8125 #define LIBCRUX_ML_KEM_MLKEM768_C1_SIZE_768 \
8126   (LIBCRUX_ML_KEM_MLKEM768_C1_BLOCK_SIZE_768 * LIBCRUX_ML_KEM_MLKEM768_RANK_768)
8127 
8128 #define LIBCRUX_ML_KEM_MLKEM768_VECTOR_V_COMPRESSION_FACTOR_768 ((size_t)4U)
8129 
8130 #define LIBCRUX_ML_KEM_MLKEM768_C2_SIZE_768                \
8131   (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \
8132    LIBCRUX_ML_KEM_MLKEM768_VECTOR_V_COMPRESSION_FACTOR_768 / (size_t)8U)
8133 
8134 #define LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_CIPHERTEXT_SIZE_768 \
8135   (LIBCRUX_ML_KEM_MLKEM768_C1_SIZE_768 + LIBCRUX_ML_KEM_MLKEM768_C2_SIZE_768)
8136 
8137 #define LIBCRUX_ML_KEM_MLKEM768_T_AS_NTT_ENCODED_SIZE_768  \
8138   (LIBCRUX_ML_KEM_MLKEM768_RANK_768 *                      \
8139    LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * \
8140    LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U)
8141 
8142 #define LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_PUBLIC_KEY_SIZE_768 \
8143   (LIBCRUX_ML_KEM_MLKEM768_T_AS_NTT_ENCODED_SIZE_768 + (size_t)32U)
8144 
8145 #define LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_SECRET_KEY_SIZE_768 \
8146   (LIBCRUX_ML_KEM_MLKEM768_RANK_768 *                       \
8147    LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT *  \
8148    LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U)
8149 
8150 #define LIBCRUX_ML_KEM_MLKEM768_ETA1 ((size_t)2U)
8151 
8152 #define LIBCRUX_ML_KEM_MLKEM768_ETA1_RANDOMNESS_SIZE \
8153   (LIBCRUX_ML_KEM_MLKEM768_ETA1 * (size_t)64U)
8154 
8155 #define LIBCRUX_ML_KEM_MLKEM768_ETA2 ((size_t)2U)
8156 
8157 #define LIBCRUX_ML_KEM_MLKEM768_ETA2_RANDOMNESS_SIZE \
8158   (LIBCRUX_ML_KEM_MLKEM768_ETA2 * (size_t)64U)
8159 
8160 #define LIBCRUX_ML_KEM_MLKEM768_IMPLICIT_REJECTION_HASH_INPUT_SIZE \
8161   (LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE +                   \
8162    LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_CIPHERTEXT_SIZE_768)
8163 
8164 typedef libcrux_ml_kem_types_MlKemPrivateKey_55
8165     libcrux_ml_kem_mlkem768_MlKem768PrivateKey;
8166 
8167 typedef libcrux_ml_kem_types_MlKemPublicKey_15
8168     libcrux_ml_kem_mlkem768_MlKem768PublicKey;
8169 
8170 #define LIBCRUX_ML_KEM_MLKEM768_RANKED_BYTES_PER_RING_ELEMENT_768 \
8171   (LIBCRUX_ML_KEM_MLKEM768_RANK_768 *                             \
8172    LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U)
8173 
8174 #define LIBCRUX_ML_KEM_MLKEM768_SECRET_KEY_SIZE_768      \
8175   (LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_SECRET_KEY_SIZE_768 + \
8176    LIBCRUX_ML_KEM_MLKEM768_CPA_PKE_PUBLIC_KEY_SIZE_768 + \
8177    LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE +              \
8178    LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE)
8179 
8180 /**
8181 A monomorphic instance of libcrux_ml_kem.polynomial.PolynomialRingElement
8182 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8183 
8184 */
8185 typedef struct libcrux_ml_kem_polynomial_PolynomialRingElement_f0_s {
8186   libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients[16U];
8187 } libcrux_ml_kem_polynomial_PolynomialRingElement_f0;
8188 
8189 /**
8190 This function found in impl
8191 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
8192 */
8193 /**
8194 A monomorphic instance of libcrux_ml_kem.polynomial.ZERO_89
8195 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8196 with const generics
8197 
8198 */
8199 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8200 libcrux_ml_kem_polynomial_ZERO_89_ea(void) {
8201   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 lit;
8202   lit.coefficients[0U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8203   lit.coefficients[1U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8204   lit.coefficients[2U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8205   lit.coefficients[3U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8206   lit.coefficients[4U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8207   lit.coefficients[5U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8208   lit.coefficients[6U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8209   lit.coefficients[7U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8210   lit.coefficients[8U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8211   lit.coefficients[9U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8212   lit.coefficients[10U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8213   lit.coefficients[11U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8214   lit.coefficients[12U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8215   lit.coefficients[13U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8216   lit.coefficients[14U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8217   lit.coefficients[15U] = libcrux_ml_kem_vector_portable_ZERO_0d();
8218   return lit;
8219 }
8220 
8221 /**
8222 A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key.closure
8223 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8224 with const generics
8225 - K= 3
8226 */
8227 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8228 libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_6b(size_t _) {
8229   return libcrux_ml_kem_polynomial_ZERO_89_ea();
8230 }
8231 
8232 /**
8233 A monomorphic instance of
8234 libcrux_ml_kem.serialize.deserialize_to_uncompressed_ring_element with types
8235 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
8236 
8237 */
8238 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8239 libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_af(
8240     Eurydice_slice serialized) {
8241   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re =
8242       libcrux_ml_kem_polynomial_ZERO_89_ea();
8243   for (size_t i = (size_t)0U;
8244        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
8245     size_t i0 = i;
8246     Eurydice_slice bytes = Eurydice_slice_subslice2(
8247         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
8248     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8249         libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes);
8250     re.coefficients[i0] = uu____0;
8251   }
8252   return re;
8253 }
8254 
8255 /**
8256  Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
8257 */
8258 /**
8259 A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key
8260 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8261 with const generics
8262 - K= 3
8263 */
8264 static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_24(
8265     Eurydice_slice secret_key,
8266     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
8267   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U];
8268   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
8269     secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
8270   }
8271   for (size_t i = (size_t)0U;
8272        i < Eurydice_slice_len(secret_key, uint8_t) /
8273                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
8274        i++) {
8275     size_t i0 = i;
8276     Eurydice_slice secret_bytes = Eurydice_slice_subslice2(
8277         secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
8278         i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
8279             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
8280         uint8_t);
8281     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 =
8282         libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_af(
8283             secret_bytes);
8284     secret_as_ntt[i0] = uu____0;
8285   }
8286   memcpy(
8287       ret, secret_as_ntt,
8288       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
8289 }
8290 
8291 /**
8292 A monomorphic instance of
8293 libcrux_ml_kem.ind_cpa.unpacked.IndCpaPrivateKeyUnpacked with types
8294 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
8295 - $3size_t
8296 */
8297 typedef struct libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8_s {
8298   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U];
8299 } libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8;
8300 
8301 /**
8302 A monomorphic instance of
8303 libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u.closure with types
8304 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
8305 - K= 3
8306 - CIPHERTEXT_SIZE= 1088
8307 - U_COMPRESSION_FACTOR= 10
8308 */
8309 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8310 libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_7c(size_t _) {
8311   return libcrux_ml_kem_polynomial_ZERO_89_ea();
8312 }
8313 
8314 /**
8315 A monomorphic instance of
8316 libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with
8317 const generics
8318 - COEFFICIENT_BITS= 10
8319 */
8320 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
8321 libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_6b(
8322     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
8323   for (size_t i = (size_t)0U;
8324        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
8325     size_t i0 = i;
8326     int32_t decompressed = (int32_t)v.elements[i0] *
8327                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
8328     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)10);
8329     decompressed = decompressed >> (uint32_t)((int32_t)10 + (int32_t)1);
8330     v.elements[i0] = (int16_t)decompressed;
8331   }
8332   return v;
8333 }
8334 
8335 /**
8336 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
8337 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
8338 */
8339 /**
8340 A monomorphic instance of
8341 libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
8342 generics
8343 - COEFFICIENT_BITS= 10
8344 */
8345 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
8346 libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_5a(
8347     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
8348   return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_6b(
8349       v);
8350 }
8351 
8352 /**
8353 A monomorphic instance of
8354 libcrux_ml_kem.serialize.deserialize_then_decompress_10 with types
8355 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
8356 
8357 */
8358 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8359 libcrux_ml_kem_serialize_deserialize_then_decompress_10_2c(
8360     Eurydice_slice serialized) {
8361   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re =
8362       libcrux_ml_kem_polynomial_ZERO_89_ea();
8363   for (size_t i = (size_t)0U;
8364        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) {
8365     size_t i0 = i;
8366     Eurydice_slice bytes = Eurydice_slice_subslice2(
8367         serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t);
8368     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
8369         libcrux_ml_kem_vector_portable_deserialize_10_0d(bytes);
8370     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8371         libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_5a(
8372             coefficient);
8373     re.coefficients[i0] = uu____0;
8374   }
8375   return re;
8376 }
8377 
8378 /**
8379 A monomorphic instance of
8380 libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with
8381 const generics
8382 - COEFFICIENT_BITS= 11
8383 */
8384 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
8385 libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_6b0(
8386     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
8387   for (size_t i = (size_t)0U;
8388        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
8389     size_t i0 = i;
8390     int32_t decompressed = (int32_t)v.elements[i0] *
8391                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
8392     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)11);
8393     decompressed = decompressed >> (uint32_t)((int32_t)11 + (int32_t)1);
8394     v.elements[i0] = (int16_t)decompressed;
8395   }
8396   return v;
8397 }
8398 
8399 /**
8400 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
8401 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
8402 */
8403 /**
8404 A monomorphic instance of
8405 libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
8406 generics
8407 - COEFFICIENT_BITS= 11
8408 */
8409 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
8410 libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_5a0(
8411     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
8412   return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_6b0(
8413       v);
8414 }
8415 
8416 /**
8417 A monomorphic instance of
8418 libcrux_ml_kem.serialize.deserialize_then_decompress_11 with types
8419 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
8420 
8421 */
8422 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8423 libcrux_ml_kem_serialize_deserialize_then_decompress_11_8d(
8424     Eurydice_slice serialized) {
8425   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re =
8426       libcrux_ml_kem_polynomial_ZERO_89_ea();
8427   for (size_t i = (size_t)0U;
8428        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) {
8429     size_t i0 = i;
8430     Eurydice_slice bytes = Eurydice_slice_subslice2(
8431         serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t);
8432     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
8433         libcrux_ml_kem_vector_portable_deserialize_11_0d(bytes);
8434     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8435         libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_5a0(
8436             coefficient);
8437     re.coefficients[i0] = uu____0;
8438   }
8439   return re;
8440 }
8441 
8442 /**
8443 A monomorphic instance of
8444 libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_u with types
8445 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
8446 - COMPRESSION_FACTOR= 10
8447 */
8448 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8449 libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_34(
8450     Eurydice_slice serialized) {
8451   return libcrux_ml_kem_serialize_deserialize_then_decompress_10_2c(serialized);
8452 }
8453 
8454 typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2_s {
8455   libcrux_ml_kem_vector_portable_vector_type_PortableVector fst;
8456   libcrux_ml_kem_vector_portable_vector_type_PortableVector snd;
8457 } libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2;
8458 
8459 /**
8460 A monomorphic instance of libcrux_ml_kem.vector.traits.montgomery_multiply_fe
8461 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8462 with const generics
8463 
8464 */
8465 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
8466 libcrux_ml_kem_vector_traits_montgomery_multiply_fe_67(
8467     libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t fer) {
8468   return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(v,
8469                                                                            fer);
8470 }
8471 
8472 /**
8473 A monomorphic instance of libcrux_ml_kem.ntt.ntt_layer_int_vec_step
8474 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8475 with const generics
8476 
8477 */
8478 static KRML_MUSTINLINE
8479     libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2
8480     libcrux_ml_kem_ntt_ntt_layer_int_vec_step_0c(
8481         libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
8482         libcrux_ml_kem_vector_portable_vector_type_PortableVector b,
8483         int16_t zeta_r) {
8484   libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
8485       libcrux_ml_kem_vector_traits_montgomery_multiply_fe_67(b, zeta_r);
8486   b = libcrux_ml_kem_vector_portable_sub_0d(a, &t);
8487   a = libcrux_ml_kem_vector_portable_add_0d(a, &t);
8488   return (
8489       CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){
8490           .fst = a, .snd = b});
8491 }
8492 
8493 /**
8494 A monomorphic instance of libcrux_ml_kem.ntt.ntt_at_layer_4_plus
8495 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8496 with const generics
8497 
8498 */
8499 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(
8500     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re,
8501     size_t layer, size_t _initial_coefficient_bound) {
8502   size_t step = (size_t)1U << (uint32_t)layer;
8503   for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) {
8504     size_t round = i0;
8505     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
8506     size_t offset = round * step * (size_t)2U;
8507     size_t offset_vec = offset / (size_t)16U;
8508     size_t step_vec = step / (size_t)16U;
8509     for (size_t i = offset_vec; i < offset_vec + step_vec; i++) {
8510       size_t j = i;
8511       libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 =
8512           libcrux_ml_kem_ntt_ntt_layer_int_vec_step_0c(
8513               re->coefficients[j], re->coefficients[j + step_vec],
8514               libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
8515       libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst;
8516       libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd;
8517       re->coefficients[j] = x;
8518       re->coefficients[j + step_vec] = y;
8519     }
8520   }
8521 }
8522 
8523 /**
8524 A monomorphic instance of libcrux_ml_kem.ntt.ntt_at_layer_3
8525 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8526 with const generics
8527 
8528 */
8529 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_fd(
8530     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re,
8531     size_t _layer, size_t _initial_coefficient_bound) {
8532   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
8533     size_t round = i;
8534     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
8535     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8536         libcrux_ml_kem_vector_portable_ntt_layer_3_step_0d(
8537             re->coefficients[round],
8538             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
8539     re->coefficients[round] = uu____0;
8540   }
8541 }
8542 
8543 /**
8544 A monomorphic instance of libcrux_ml_kem.ntt.ntt_at_layer_2
8545 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8546 with const generics
8547 
8548 */
8549 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_ad(
8550     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re,
8551     size_t _layer, size_t _initial_coefficient_bound) {
8552   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
8553     size_t round = i;
8554     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
8555     re->coefficients[round] =
8556         libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d(
8557             re->coefficients[round],
8558             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
8559             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
8560                                                                (size_t)1U]);
8561     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
8562   }
8563 }
8564 
8565 /**
8566 A monomorphic instance of libcrux_ml_kem.ntt.ntt_at_layer_1
8567 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8568 with const generics
8569 
8570 */
8571 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_a2(
8572     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re,
8573     size_t _layer, size_t _initial_coefficient_bound) {
8574   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
8575     size_t round = i;
8576     zeta_i[0U] = zeta_i[0U] + (size_t)1U;
8577     re->coefficients[round] =
8578         libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d(
8579             re->coefficients[round],
8580             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
8581             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
8582                                                                (size_t)1U],
8583             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
8584                                                                (size_t)2U],
8585             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] +
8586                                                                (size_t)3U]);
8587     zeta_i[0U] = zeta_i[0U] + (size_t)3U;
8588   }
8589 }
8590 
8591 /**
8592 This function found in impl
8593 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
8594 */
8595 /**
8596 A monomorphic instance of libcrux_ml_kem.polynomial.poly_barrett_reduce_89
8597 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8598 with const generics
8599 
8600 */
8601 static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_89_8b(
8602     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self) {
8603   for (size_t i = (size_t)0U;
8604        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
8605     size_t i0 = i;
8606     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8607         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
8608             self->coefficients[i0]);
8609     self->coefficients[i0] = uu____0;
8610   }
8611 }
8612 
8613 /**
8614 A monomorphic instance of libcrux_ml_kem.ntt.ntt_vector_u
8615 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8616 with const generics
8617 - VECTOR_U_COMPRESSION_FACTOR= 10
8618 */
8619 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_9f(
8620     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) {
8621   size_t zeta_i = (size_t)0U;
8622   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)7U,
8623                                             (size_t)3328U);
8624   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)6U,
8625                                             (size_t)3328U);
8626   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)5U,
8627                                             (size_t)3328U);
8628   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)4U,
8629                                             (size_t)3328U);
8630   libcrux_ml_kem_ntt_ntt_at_layer_3_fd(&zeta_i, re, (size_t)3U, (size_t)3328U);
8631   libcrux_ml_kem_ntt_ntt_at_layer_2_ad(&zeta_i, re, (size_t)2U, (size_t)3328U);
8632   libcrux_ml_kem_ntt_ntt_at_layer_1_a2(&zeta_i, re, (size_t)1U, (size_t)3328U);
8633   libcrux_ml_kem_polynomial_poly_barrett_reduce_89_8b(re);
8634 }
8635 
8636 /**
8637  Call [`deserialize_then_decompress_ring_element_u`] on each ring element
8638  in the `ciphertext`.
8639 */
8640 /**
8641 A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u
8642 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8643 with const generics
8644 - K= 3
8645 - CIPHERTEXT_SIZE= 1088
8646 - U_COMPRESSION_FACTOR= 10
8647 */
8648 static KRML_MUSTINLINE void
8649 libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_f4(
8650     uint8_t *ciphertext,
8651     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
8652   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[3U];
8653   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
8654     u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
8655   }
8656   for (size_t i = (size_t)0U;
8657        i < Eurydice_slice_len(
8658                Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t),
8659                uint8_t) /
8660                (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT *
8661                 (size_t)10U / (size_t)8U);
8662        i++) {
8663     size_t i0 = i;
8664     Eurydice_slice u_bytes = Eurydice_array_to_subslice2(
8665         ciphertext,
8666         i0 * (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT *
8667               (size_t)10U / (size_t)8U),
8668         i0 * (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT *
8669               (size_t)10U / (size_t)8U) +
8670             LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT *
8671                 (size_t)10U / (size_t)8U,
8672         uint8_t);
8673     u_as_ntt[i0] =
8674         libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_34(
8675             u_bytes);
8676     libcrux_ml_kem_ntt_ntt_vector_u_9f(&u_as_ntt[i0]);
8677   }
8678   memcpy(
8679       ret, u_as_ntt,
8680       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
8681 }
8682 
8683 /**
8684 A monomorphic instance of
8685 libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with
8686 const generics
8687 - COEFFICIENT_BITS= 4
8688 */
8689 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
8690 libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_6b1(
8691     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
8692   for (size_t i = (size_t)0U;
8693        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
8694     size_t i0 = i;
8695     int32_t decompressed = (int32_t)v.elements[i0] *
8696                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
8697     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)4);
8698     decompressed = decompressed >> (uint32_t)((int32_t)4 + (int32_t)1);
8699     v.elements[i0] = (int16_t)decompressed;
8700   }
8701   return v;
8702 }
8703 
8704 /**
8705 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
8706 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
8707 */
8708 /**
8709 A monomorphic instance of
8710 libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
8711 generics
8712 - COEFFICIENT_BITS= 4
8713 */
8714 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
8715 libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_5a1(
8716     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
8717   return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_6b1(
8718       v);
8719 }
8720 
8721 /**
8722 A monomorphic instance of libcrux_ml_kem.serialize.deserialize_then_decompress_4
8723 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8724 with const generics
8725 
8726 */
8727 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8728 libcrux_ml_kem_serialize_deserialize_then_decompress_4_41(
8729     Eurydice_slice serialized) {
8730   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re =
8731       libcrux_ml_kem_polynomial_ZERO_89_ea();
8732   for (size_t i = (size_t)0U;
8733        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) {
8734     size_t i0 = i;
8735     Eurydice_slice bytes = Eurydice_slice_subslice2(
8736         serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t);
8737     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
8738         libcrux_ml_kem_vector_portable_deserialize_4_0d(bytes);
8739     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8740         libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_5a1(
8741             coefficient);
8742     re.coefficients[i0] = uu____0;
8743   }
8744   return re;
8745 }
8746 
8747 /**
8748 A monomorphic instance of
8749 libcrux_ml_kem.vector.portable.compress.decompress_ciphertext_coefficient with
8750 const generics
8751 - COEFFICIENT_BITS= 5
8752 */
8753 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
8754 libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_6b2(
8755     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
8756   for (size_t i = (size_t)0U;
8757        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
8758     size_t i0 = i;
8759     int32_t decompressed = (int32_t)v.elements[i0] *
8760                            (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS;
8761     decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)5);
8762     decompressed = decompressed >> (uint32_t)((int32_t)5 + (int32_t)1);
8763     v.elements[i0] = (int16_t)decompressed;
8764   }
8765   return v;
8766 }
8767 
8768 /**
8769 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
8770 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
8771 */
8772 /**
8773 A monomorphic instance of
8774 libcrux_ml_kem.vector.portable.decompress_ciphertext_coefficient_0d with const
8775 generics
8776 - COEFFICIENT_BITS= 5
8777 */
8778 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
8779 libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_5a2(
8780     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
8781   return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_6b2(
8782       v);
8783 }
8784 
8785 /**
8786 A monomorphic instance of libcrux_ml_kem.serialize.deserialize_then_decompress_5
8787 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8788 with const generics
8789 
8790 */
8791 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8792 libcrux_ml_kem_serialize_deserialize_then_decompress_5_4e(
8793     Eurydice_slice serialized) {
8794   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re =
8795       libcrux_ml_kem_polynomial_ZERO_89_ea();
8796   for (size_t i = (size_t)0U;
8797        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) {
8798     size_t i0 = i;
8799     Eurydice_slice bytes = Eurydice_slice_subslice2(
8800         serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t);
8801     re.coefficients[i0] =
8802         libcrux_ml_kem_vector_portable_deserialize_5_0d(bytes);
8803     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 =
8804         libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_5a2(
8805             re.coefficients[i0]);
8806     re.coefficients[i0] = uu____1;
8807   }
8808   return re;
8809 }
8810 
8811 /**
8812 A monomorphic instance of
8813 libcrux_ml_kem.serialize.deserialize_then_decompress_ring_element_v with types
8814 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
8815 - COMPRESSION_FACTOR= 4
8816 */
8817 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8818 libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_56(
8819     Eurydice_slice serialized) {
8820   return libcrux_ml_kem_serialize_deserialize_then_decompress_4_41(serialized);
8821 }
8822 
8823 /**
8824  Given two `KyberPolynomialRingElement`s in their NTT representations,
8825  compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
8826  the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation:
8827 
8828  ```plaintext
8829  ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X²
8830  - ζ^(2·BitRev₇(i) + 1))
8831  ```
8832 
8833  This function almost implements <strong>Algorithm 10</strong> of the
8834  NIST FIPS 203 standard, which is reproduced below:
8835 
8836  ```plaintext
8837  Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆.
8838  Output: An array ĥ ∈ ℤq.
8839 
8840  for(i ← 0; i < 128; i++)
8841      (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1],
8842  ζ^(2·BitRev₇(i) + 1)) end for return ĥ
8843  ```
8844  We say "almost" because the coefficients of the ring element output by
8845  this function are in the Montgomery domain.
8846 
8847  The NIST FIPS 203 standard can be found at
8848  <https://csrc.nist.gov/pubs/fips/203/ipd>.
8849 */
8850 /**
8851 This function found in impl
8852 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
8853 */
8854 /**
8855 A monomorphic instance of libcrux_ml_kem.polynomial.ntt_multiply_89
8856 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8857 with const generics
8858 
8859 */
8860 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
8861 libcrux_ml_kem_polynomial_ntt_multiply_89_2a(
8862     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self,
8863     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *rhs) {
8864   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 out =
8865       libcrux_ml_kem_polynomial_ZERO_89_ea();
8866   for (size_t i = (size_t)0U;
8867        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
8868     size_t i0 = i;
8869     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8870         libcrux_ml_kem_vector_portable_ntt_multiply_0d(
8871             &self->coefficients[i0], &rhs->coefficients[i0],
8872             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
8873                                                                (size_t)4U * i0],
8874             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
8875                                                                (size_t)4U * i0 +
8876                                                                (size_t)1U],
8877             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
8878                                                                (size_t)4U * i0 +
8879                                                                (size_t)2U],
8880             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U +
8881                                                                (size_t)4U * i0 +
8882                                                                (size_t)3U]);
8883     out.coefficients[i0] = uu____0;
8884   }
8885   return out;
8886 }
8887 
8888 /**
8889  Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
8890  sum of their constituent coefficients.
8891 */
8892 /**
8893 This function found in impl
8894 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
8895 */
8896 /**
8897 A monomorphic instance of libcrux_ml_kem.polynomial.add_to_ring_element_89
8898 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8899 with const generics
8900 - K= 3
8901 */
8902 static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_89_84(
8903     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self,
8904     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *rhs) {
8905   for (size_t i = (size_t)0U;
8906        i < Eurydice_slice_len(
8907                Eurydice_array_to_slice(
8908                    (size_t)16U, self->coefficients,
8909                    libcrux_ml_kem_vector_portable_vector_type_PortableVector),
8910                libcrux_ml_kem_vector_portable_vector_type_PortableVector);
8911        i++) {
8912     size_t i0 = i;
8913     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8914         libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
8915                                               &rhs->coefficients[i0]);
8916     self->coefficients[i0] = uu____0;
8917   }
8918 }
8919 
8920 /**
8921 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_at_layer_1
8922 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8923 with const generics
8924 
8925 */
8926 static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_83(
8927     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re,
8928     size_t _layer) {
8929   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
8930     size_t round = i;
8931     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
8932     re->coefficients[round] =
8933         libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d(
8934             re->coefficients[round],
8935             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
8936             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
8937                                                                (size_t)1U],
8938             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
8939                                                                (size_t)2U],
8940             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
8941                                                                (size_t)3U]);
8942     zeta_i[0U] = zeta_i[0U] - (size_t)3U;
8943   }
8944 }
8945 
8946 /**
8947 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_at_layer_2
8948 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8949 with const generics
8950 
8951 */
8952 static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_c3(
8953     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re,
8954     size_t _layer) {
8955   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
8956     size_t round = i;
8957     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
8958     re->coefficients[round] =
8959         libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d(
8960             re->coefficients[round],
8961             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]],
8962             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] -
8963                                                                (size_t)1U]);
8964     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
8965   }
8966 }
8967 
8968 /**
8969 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_at_layer_3
8970 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
8971 with const generics
8972 
8973 */
8974 static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_68(
8975     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re,
8976     size_t _layer) {
8977   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
8978     size_t round = i;
8979     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
8980     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
8981         libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d(
8982             re->coefficients[round],
8983             libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
8984     re->coefficients[round] = uu____0;
8985   }
8986 }
8987 
8988 /**
8989 A monomorphic instance of
8990 libcrux_ml_kem.invert_ntt.inv_ntt_layer_int_vec_step_reduce with types
8991 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
8992 
8993 */
8994 static KRML_MUSTINLINE
8995     libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2
8996     libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_65(
8997         libcrux_ml_kem_vector_portable_vector_type_PortableVector a,
8998         libcrux_ml_kem_vector_portable_vector_type_PortableVector b,
8999         int16_t zeta_r) {
9000   libcrux_ml_kem_vector_portable_vector_type_PortableVector a_minus_b =
9001       libcrux_ml_kem_vector_portable_sub_0d(b, &a);
9002   a = libcrux_ml_kem_vector_portable_barrett_reduce_0d(
9003       libcrux_ml_kem_vector_portable_add_0d(a, &b));
9004   b = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_67(a_minus_b, zeta_r);
9005   return (
9006       CLITERAL(libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2){
9007           .fst = a, .snd = b});
9008 }
9009 
9010 /**
9011 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_at_layer_4_plus
9012 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
9013 with const generics
9014 
9015 */
9016 static KRML_MUSTINLINE void
9017 libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_6e(
9018     size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re,
9019     size_t layer) {
9020   size_t step = (size_t)1U << (uint32_t)layer;
9021   for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) {
9022     size_t round = i0;
9023     zeta_i[0U] = zeta_i[0U] - (size_t)1U;
9024     size_t offset = round * step * (size_t)2U;
9025     size_t offset_vec =
9026         offset / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR;
9027     size_t step_vec =
9028         step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR;
9029     for (size_t i = offset_vec; i < offset_vec + step_vec; i++) {
9030       size_t j = i;
9031       libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2 uu____0 =
9032           libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_65(
9033               re->coefficients[j], re->coefficients[j + step_vec],
9034               libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);
9035       libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst;
9036       libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd;
9037       re->coefficients[j] = x;
9038       re->coefficients[j + step_vec] = y;
9039     }
9040   }
9041 }
9042 
9043 /**
9044 A monomorphic instance of libcrux_ml_kem.invert_ntt.invert_ntt_montgomery
9045 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
9046 with const generics
9047 - K= 3
9048 */
9049 static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_f6(
9050     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) {
9051   size_t zeta_i =
9052       LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U;
9053   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_83(&zeta_i, re, (size_t)1U);
9054   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_c3(&zeta_i, re, (size_t)2U);
9055   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_68(&zeta_i, re, (size_t)3U);
9056   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_6e(&zeta_i, re,
9057                                                           (size_t)4U);
9058   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_6e(&zeta_i, re,
9059                                                           (size_t)5U);
9060   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_6e(&zeta_i, re,
9061                                                           (size_t)6U);
9062   libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_6e(&zeta_i, re,
9063                                                           (size_t)7U);
9064   libcrux_ml_kem_polynomial_poly_barrett_reduce_89_8b(re);
9065 }
9066 
9067 /**
9068 This function found in impl
9069 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
9070 */
9071 /**
9072 A monomorphic instance of libcrux_ml_kem.polynomial.subtract_reduce_89
9073 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
9074 with const generics
9075 
9076 */
9077 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
9078 libcrux_ml_kem_polynomial_subtract_reduce_89_d4(
9079     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self,
9080     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 b) {
9081   for (size_t i = (size_t)0U;
9082        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
9083     size_t i0 = i;
9084     libcrux_ml_kem_vector_portable_vector_type_PortableVector
9085         coefficient_normal_form =
9086             libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
9087                 b.coefficients[i0], (int16_t)1441);
9088     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
9089         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
9090             libcrux_ml_kem_vector_portable_sub_0d(self->coefficients[i0],
9091                                                   &coefficient_normal_form));
9092     b.coefficients[i0] = uu____0;
9093   }
9094   return b;
9095 }
9096 
9097 /**
9098  The following functions compute various expressions involving
9099  vectors and matrices. The computation of these expressions has been
9100  abstracted away into these functions in order to save on loop iterations.
9101  Compute v − InverseNTT(sᵀ ◦ NTT(u))
9102 */
9103 /**
9104 A monomorphic instance of libcrux_ml_kem.matrix.compute_message
9105 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
9106 with const generics
9107 - K= 3
9108 */
9109 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
9110 libcrux_ml_kem_matrix_compute_message_b3(
9111     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *v,
9112     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *secret_as_ntt,
9113     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *u_as_ntt) {
9114   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 result =
9115       libcrux_ml_kem_polynomial_ZERO_89_ea();
9116   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9117     size_t i0 = i;
9118     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 product =
9119         libcrux_ml_kem_polynomial_ntt_multiply_89_2a(&secret_as_ntt[i0],
9120                                                      &u_as_ntt[i0]);
9121     libcrux_ml_kem_polynomial_add_to_ring_element_89_84(&result, &product);
9122   }
9123   libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_f6(&result);
9124   result = libcrux_ml_kem_polynomial_subtract_reduce_89_d4(v, result);
9125   return result;
9126 }
9127 
9128 /**
9129 A monomorphic instance of libcrux_ml_kem.vector.portable.arithmetic.shift_right
9130 with const generics
9131 - SHIFT_BY= 15
9132 */
9133 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
9134 libcrux_ml_kem_vector_portable_arithmetic_shift_right_94(
9135     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
9136   for (size_t i = (size_t)0U;
9137        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
9138     size_t i0 = i;
9139     v.elements[i0] = v.elements[i0] >> (uint32_t)(int32_t)15;
9140   }
9141   return v;
9142 }
9143 
9144 /**
9145 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
9146 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
9147 */
9148 /**
9149 A monomorphic instance of libcrux_ml_kem.vector.portable.shift_right_0d
9150 with const generics
9151 - SHIFT_BY= 15
9152 */
9153 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
9154 libcrux_ml_kem_vector_portable_shift_right_0d_19(
9155     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
9156   return libcrux_ml_kem_vector_portable_arithmetic_shift_right_94(v);
9157 }
9158 
9159 /**
9160 A monomorphic instance of
9161 libcrux_ml_kem.vector.traits.to_unsigned_representative with types
9162 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
9163 
9164 */
9165 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
9166 libcrux_ml_kem_vector_traits_to_unsigned_representative_db(
9167     libcrux_ml_kem_vector_portable_vector_type_PortableVector a) {
9168   libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
9169       libcrux_ml_kem_vector_portable_shift_right_0d_19(a);
9170   libcrux_ml_kem_vector_portable_vector_type_PortableVector fm =
9171       libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
9172           t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS);
9173   return libcrux_ml_kem_vector_portable_add_0d(a, &fm);
9174 }
9175 
9176 /**
9177 A monomorphic instance of
9178 libcrux_ml_kem.serialize.compress_then_serialize_message with types
9179 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
9180 
9181 */
9182 static KRML_MUSTINLINE void
9183 libcrux_ml_kem_serialize_compress_then_serialize_message_aa(
9184     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re, uint8_t ret[32U]) {
9185   uint8_t serialized[32U] = {0U};
9186   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
9187     size_t i0 = i;
9188     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
9189         libcrux_ml_kem_vector_traits_to_unsigned_representative_db(
9190             re.coefficients[i0]);
9191     libcrux_ml_kem_vector_portable_vector_type_PortableVector
9192         coefficient_compressed =
9193             libcrux_ml_kem_vector_portable_compress_1_0d(coefficient);
9194     uint8_t bytes[2U];
9195     libcrux_ml_kem_vector_portable_serialize_1_0d(coefficient_compressed,
9196                                                   bytes);
9197     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
9198         serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t);
9199     Eurydice_slice_copy(
9200         uu____0, Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t);
9201   }
9202   memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t));
9203 }
9204 
9205 /**
9206  This function implements <strong>Algorithm 14</strong> of the
9207  NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm.
9208 
9209  Algorithm 14 is reproduced below:
9210 
9211  ```plaintext
9212  Input: decryption key dkₚₖₑ ∈ ��^{384k}.
9213  Input: ciphertext c ∈ ��^{32(dᵤk + dᵥ)}.
9214  Output: message m ∈ ��^{32}.
9215 
9216  c₁ ← c[0 : 32dᵤk]
9217  c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)]
9218  u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁))
9219  v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂))
9220  ŝ ← ByteDecode₁₂(dkₚₖₑ)
9221  w ← v - NTT-¹(ŝᵀ ◦ NTT(u))
9222  m ← ByteEncode₁(Compress₁(w))
9223  return m
9224  ```
9225 
9226  The NIST FIPS 203 standard can be found at
9227  <https://csrc.nist.gov/pubs/fips/203/ipd>.
9228 */
9229 /**
9230 A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked
9231 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
9232 with const generics
9233 - K= 3
9234 - CIPHERTEXT_SIZE= 1088
9235 - VECTOR_U_ENCODED_SIZE= 960
9236 - U_COMPRESSION_FACTOR= 10
9237 - V_COMPRESSION_FACTOR= 4
9238 */
9239 static inline void libcrux_ml_kem_ind_cpa_decrypt_unpacked_6d(
9240     libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 *secret_key,
9241     uint8_t *ciphertext, uint8_t ret[32U]) {
9242   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[3U];
9243   libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_f4(ciphertext, u_as_ntt);
9244   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v =
9245       libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_56(
9246           Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
9247                                           (size_t)960U, uint8_t, size_t));
9248   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message =
9249       libcrux_ml_kem_matrix_compute_message_b3(&v, secret_key->secret_as_ntt,
9250                                                u_as_ntt);
9251   uint8_t ret0[32U];
9252   libcrux_ml_kem_serialize_compress_then_serialize_message_aa(message, ret0);
9253   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
9254 }
9255 
9256 /**
9257 A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt
9258 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
9259 with const generics
9260 - K= 3
9261 - CIPHERTEXT_SIZE= 1088
9262 - VECTOR_U_ENCODED_SIZE= 960
9263 - U_COMPRESSION_FACTOR= 10
9264 - V_COMPRESSION_FACTOR= 4
9265 */
9266 static inline void libcrux_ml_kem_ind_cpa_decrypt_43(Eurydice_slice secret_key,
9267                                                      uint8_t *ciphertext,
9268                                                      uint8_t ret[32U]) {
9269   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U];
9270   libcrux_ml_kem_ind_cpa_deserialize_secret_key_24(secret_key, secret_as_ntt);
9271   /* Passing arrays by value in Rust generates a copy in C */
9272   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[3U];
9273   memcpy(
9274       copy_of_secret_as_ntt, secret_as_ntt,
9275       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
9276   libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8
9277       secret_key_unpacked;
9278   memcpy(
9279       secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt,
9280       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
9281   uint8_t ret0[32U];
9282   libcrux_ml_kem_ind_cpa_decrypt_unpacked_6d(&secret_key_unpacked, ciphertext,
9283                                              ret0);
9284   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
9285 }
9286 
9287 /**
9288 This function found in impl {(libcrux_ml_kem::hash_functions::Hash<K> for
9289 libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
9290 */
9291 /**
9292 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.G_f1
9293 with const generics
9294 - K= 3
9295 */
9296 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_G_f1_e4(
9297     Eurydice_slice input, uint8_t ret[64U]) {
9298   libcrux_ml_kem_hash_functions_portable_G(input, ret);
9299 }
9300 
9301 /**
9302 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF
9303 with const generics
9304 - LEN= 32
9305 */
9306 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRF_2b(
9307     Eurydice_slice input, uint8_t ret[32U]) {
9308   uint8_t digest[32U] = {0U};
9309   libcrux_sha3_portable_shake256(
9310       Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input);
9311   memcpy(ret, digest, (size_t)32U * sizeof(uint8_t));
9312 }
9313 
9314 /**
9315 This function found in impl {(libcrux_ml_kem::hash_functions::Hash<K> for
9316 libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
9317 */
9318 /**
9319 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_f1
9320 with const generics
9321 - K= 3
9322 - LEN= 32
9323 */
9324 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRF_f1_ee(
9325     Eurydice_slice input, uint8_t ret[32U]) {
9326   libcrux_ml_kem_hash_functions_portable_PRF_2b(input, ret);
9327 }
9328 
9329 /**
9330 A monomorphic instance of
9331 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced.closure with types
9332 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
9333 - PUBLIC_KEY_SIZE= 1152
9334 - K= 3
9335 */
9336 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
9337 libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure_cd(
9338     size_t _i) {
9339   return libcrux_ml_kem_polynomial_ZERO_89_ea();
9340 }
9341 
9342 /**
9343  Only use with public values.
9344 
9345  This MUST NOT be used with secret inputs, like its caller
9346  `deserialize_ring_elements_reduced`.
9347 */
9348 /**
9349 A monomorphic instance of
9350 libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types
9351 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
9352 
9353 */
9354 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
9355 libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_4c(
9356     Eurydice_slice serialized) {
9357   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re =
9358       libcrux_ml_kem_polynomial_ZERO_89_ea();
9359   for (size_t i = (size_t)0U;
9360        i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) {
9361     size_t i0 = i;
9362     Eurydice_slice bytes = Eurydice_slice_subslice2(
9363         serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t);
9364     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
9365         libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes);
9366     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
9367         libcrux_ml_kem_vector_portable_cond_subtract_3329_0d(coefficient);
9368     re.coefficients[i0] = uu____0;
9369   }
9370   return re;
9371 }
9372 
9373 /**
9374  This function deserializes ring elements and reduces the result by the field
9375  modulus.
9376 
9377  This function MUST NOT be used on secret inputs.
9378 */
9379 /**
9380 A monomorphic instance of
9381 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
9382 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
9383 - PUBLIC_KEY_SIZE= 1152
9384 - K= 3
9385 */
9386 static KRML_MUSTINLINE void
9387 libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_33(
9388     Eurydice_slice public_key,
9389     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
9390   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 deserialized_pk[3U];
9391   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9392     deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
9393   }
9394   for (size_t i = (size_t)0U;
9395        i < Eurydice_slice_len(public_key, uint8_t) /
9396                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
9397        i++) {
9398     size_t i0 = i;
9399     Eurydice_slice ring_element = Eurydice_slice_subslice2(
9400         public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
9401         i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
9402             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
9403         uint8_t);
9404     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 =
9405         libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_4c(
9406             ring_element);
9407     deserialized_pk[i0] = uu____0;
9408   }
9409   memcpy(
9410       ret, deserialized_pk,
9411       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
9412 }
9413 
9414 /**
9415 A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A.closure.closure
9416 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
9417 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
9418 generics
9419 - K= 3
9420 */
9421 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
9422 libcrux_ml_kem_matrix_sample_matrix_A_closure_closure_78(size_t _j) {
9423   return libcrux_ml_kem_polynomial_ZERO_89_ea();
9424 }
9425 
9426 /**
9427 A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A.closure
9428 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
9429 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
9430 generics
9431 - K= 3
9432 */
9433 static inline void libcrux_ml_kem_matrix_sample_matrix_A_closure_4b(
9434     size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
9435   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9436     ret[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
9437   }
9438 }
9439 
9440 /**
9441 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PortableHash
9442 with const generics
9443 - $3size_t
9444 */
9445 typedef struct libcrux_ml_kem_hash_functions_portable_PortableHash_58_s {
9446   libcrux_sha3_generic_keccak_KeccakState_48 shake128_state[3U];
9447 } libcrux_ml_kem_hash_functions_portable_PortableHash_58;
9448 
9449 /**
9450 A monomorphic instance of
9451 libcrux_ml_kem.hash_functions.portable.shake128_init_absorb with const generics
9452 - K= 3
9453 */
9454 static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash_58
9455 libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_b7(
9456     uint8_t input[3U][34U]) {
9457   libcrux_sha3_generic_keccak_KeccakState_48 shake128_state[3U];
9458   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9459     shake128_state[i] = libcrux_sha3_portable_incremental_shake128_init();
9460   }
9461   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9462     size_t i0 = i;
9463     libcrux_sha3_portable_incremental_shake128_absorb_final(
9464         &shake128_state[i0],
9465         Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t));
9466   }
9467   /* Passing arrays by value in Rust generates a copy in C */
9468   libcrux_sha3_generic_keccak_KeccakState_48 copy_of_shake128_state[3U];
9469   memcpy(copy_of_shake128_state, shake128_state,
9470          (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48));
9471   libcrux_ml_kem_hash_functions_portable_PortableHash_58 lit;
9472   memcpy(lit.shake128_state, copy_of_shake128_state,
9473          (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48));
9474   return lit;
9475 }
9476 
9477 /**
9478 This function found in impl {(libcrux_ml_kem::hash_functions::Hash<K> for
9479 libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
9480 */
9481 /**
9482 A monomorphic instance of
9483 libcrux_ml_kem.hash_functions.portable.shake128_init_absorb_f1 with const
9484 generics
9485 - K= 3
9486 */
9487 static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash_58
9488 libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_8c(
9489     uint8_t input[3U][34U]) {
9490   /* Passing arrays by value in Rust generates a copy in C */
9491   uint8_t copy_of_input[3U][34U];
9492   memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U]));
9493   return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_b7(
9494       copy_of_input);
9495 }
9496 
9497 /**
9498 A monomorphic instance of
9499 libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks with const
9500 generics
9501 - K= 3
9502 */
9503 static KRML_MUSTINLINE void
9504 libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_ca(
9505     libcrux_ml_kem_hash_functions_portable_PortableHash_58 *st,
9506     uint8_t ret[3U][504U]) {
9507   uint8_t out[3U][504U] = {{0U}};
9508   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9509     size_t i0 = i;
9510     libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks(
9511         &st->shake128_state[i0],
9512         Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t));
9513   }
9514   memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U]));
9515 }
9516 
9517 /**
9518 This function found in impl {(libcrux_ml_kem::hash_functions::Hash<K> for
9519 libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
9520 */
9521 /**
9522 A monomorphic instance of
9523 libcrux_ml_kem.hash_functions.portable.shake128_squeeze_three_blocks_f1 with
9524 const generics
9525 - K= 3
9526 */
9527 static KRML_MUSTINLINE void
9528 libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_69(
9529     libcrux_ml_kem_hash_functions_portable_PortableHash_58 *self,
9530     uint8_t ret[3U][504U]) {
9531   libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_ca(self,
9532                                                                           ret);
9533 }
9534 
9535 /**
9536  If `bytes` contains a set of uniformly random bytes, this function
9537  uniformly samples a ring element `â` that is treated as being the NTT
9538  representation of the corresponding polynomial `a`.
9539 
9540  Since rejection sampling is used, it is possible the supplied bytes are
9541  not enough to sample the element, in which case an `Err` is returned and the
9542  caller must try again with a fresh set of bytes.
9543 
9544  This function <strong>partially</strong> implements <strong>Algorithm
9545  6</strong> of the NIST FIPS 203 standard, We say "partially" because this
9546  implementation only accepts a finite set of bytes as input and returns an error
9547  if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other
9548  hand samples from an infinite stream of bytes until the ring element is filled.
9549  Algorithm 6 is reproduced below:
9550 
9551  ```plaintext
9552  Input: byte stream B ∈ ��*.
9553  Output: array â ∈ ℤ₂₅₆.
9554 
9555  i ← 0
9556  j ← 0
9557  while j < 256 do
9558      d₁ ← B[i] + 256·(B[i+1] mod 16)
9559      d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2]
9560      if d₁ < q then
9561          â[j] ← d₁
9562          j ← j + 1
9563      end if
9564      if d₂ < q and j < 256 then
9565          â[j] ← d₂
9566          j ← j + 1
9567      end if
9568      i ← i + 3
9569  end while
9570  return â
9571  ```
9572 
9573  The NIST FIPS 203 standard can be found at
9574  <https://csrc.nist.gov/pubs/fips/203/ipd>.
9575 */
9576 /**
9577 A monomorphic instance of
9578 libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types
9579 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
9580 - K= 3
9581 - N= 504
9582 */
9583 static KRML_MUSTINLINE bool
9584 libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_db(
9585     uint8_t randomness[3U][504U], size_t *sampled_coefficients,
9586     int16_t (*out)[272U]) {
9587   for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) {
9588     size_t i1 = i0;
9589     for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) {
9590       size_t r = i;
9591       if (sampled_coefficients[i1] <
9592           LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
9593         Eurydice_slice uu____0 =
9594             Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U,
9595                                         r * (size_t)24U + (size_t)24U, uint8_t);
9596         size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
9597             uu____0, Eurydice_array_to_subslice2(
9598                          out[i1], sampled_coefficients[i1],
9599                          sampled_coefficients[i1] + (size_t)16U, int16_t));
9600         size_t uu____1 = i1;
9601         sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled;
9602       }
9603     }
9604   }
9605   bool done = true;
9606   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9607     size_t i0 = i;
9608     if (sampled_coefficients[i0] >=
9609         LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
9610       sampled_coefficients[i0] =
9611           LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT;
9612     } else {
9613       done = false;
9614     }
9615   }
9616   return done;
9617 }
9618 
9619 /**
9620 A monomorphic instance of
9621 libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block with const
9622 generics
9623 - K= 3
9624 */
9625 static KRML_MUSTINLINE void
9626 libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_dd(
9627     libcrux_ml_kem_hash_functions_portable_PortableHash_58 *st,
9628     uint8_t ret[3U][168U]) {
9629   uint8_t out[3U][168U] = {{0U}};
9630   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9631     size_t i0 = i;
9632     libcrux_sha3_portable_incremental_shake128_squeeze_next_block(
9633         &st->shake128_state[i0],
9634         Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t));
9635   }
9636   memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U]));
9637 }
9638 
9639 /**
9640 This function found in impl {(libcrux_ml_kem::hash_functions::Hash<K> for
9641 libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
9642 */
9643 /**
9644 A monomorphic instance of
9645 libcrux_ml_kem.hash_functions.portable.shake128_squeeze_block_f1 with const
9646 generics
9647 - K= 3
9648 */
9649 static KRML_MUSTINLINE void
9650 libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_60(
9651     libcrux_ml_kem_hash_functions_portable_PortableHash_58 *self,
9652     uint8_t ret[3U][168U]) {
9653   libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_dd(self, ret);
9654 }
9655 
9656 /**
9657  If `bytes` contains a set of uniformly random bytes, this function
9658  uniformly samples a ring element `â` that is treated as being the NTT
9659  representation of the corresponding polynomial `a`.
9660 
9661  Since rejection sampling is used, it is possible the supplied bytes are
9662  not enough to sample the element, in which case an `Err` is returned and the
9663  caller must try again with a fresh set of bytes.
9664 
9665  This function <strong>partially</strong> implements <strong>Algorithm
9666  6</strong> of the NIST FIPS 203 standard, We say "partially" because this
9667  implementation only accepts a finite set of bytes as input and returns an error
9668  if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other
9669  hand samples from an infinite stream of bytes until the ring element is filled.
9670  Algorithm 6 is reproduced below:
9671 
9672  ```plaintext
9673  Input: byte stream B ∈ ��*.
9674  Output: array â ∈ ℤ₂₅₆.
9675 
9676  i ← 0
9677  j ← 0
9678  while j < 256 do
9679      d₁ ← B[i] + 256·(B[i+1] mod 16)
9680      d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2]
9681      if d₁ < q then
9682          â[j] ← d₁
9683          j ← j + 1
9684      end if
9685      if d₂ < q and j < 256 then
9686          â[j] ← d₂
9687          j ← j + 1
9688      end if
9689      i ← i + 3
9690  end while
9691  return â
9692  ```
9693 
9694  The NIST FIPS 203 standard can be found at
9695  <https://csrc.nist.gov/pubs/fips/203/ipd>.
9696 */
9697 /**
9698 A monomorphic instance of
9699 libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types
9700 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
9701 - K= 3
9702 - N= 168
9703 */
9704 static KRML_MUSTINLINE bool
9705 libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_db0(
9706     uint8_t randomness[3U][168U], size_t *sampled_coefficients,
9707     int16_t (*out)[272U]) {
9708   for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) {
9709     size_t i1 = i0;
9710     for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) {
9711       size_t r = i;
9712       if (sampled_coefficients[i1] <
9713           LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
9714         Eurydice_slice uu____0 =
9715             Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U,
9716                                         r * (size_t)24U + (size_t)24U, uint8_t);
9717         size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d(
9718             uu____0, Eurydice_array_to_subslice2(
9719                          out[i1], sampled_coefficients[i1],
9720                          sampled_coefficients[i1] + (size_t)16U, int16_t));
9721         size_t uu____1 = i1;
9722         sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled;
9723       }
9724     }
9725   }
9726   bool done = true;
9727   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9728     size_t i0 = i;
9729     if (sampled_coefficients[i0] >=
9730         LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) {
9731       sampled_coefficients[i0] =
9732           LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT;
9733     } else {
9734       done = false;
9735     }
9736   }
9737   return done;
9738 }
9739 
9740 /**
9741 This function found in impl
9742 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
9743 */
9744 /**
9745 A monomorphic instance of libcrux_ml_kem.polynomial.from_i16_array_89
9746 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
9747 with const generics
9748 
9749 */
9750 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
9751 libcrux_ml_kem_polynomial_from_i16_array_89_c1(Eurydice_slice a) {
9752   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 result =
9753       libcrux_ml_kem_polynomial_ZERO_89_ea();
9754   for (size_t i = (size_t)0U;
9755        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
9756     size_t i0 = i;
9757     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
9758         libcrux_ml_kem_vector_portable_from_i16_array_0d(
9759             Eurydice_slice_subslice2(a, i0 * (size_t)16U,
9760                                      (i0 + (size_t)1U) * (size_t)16U, int16_t));
9761     result.coefficients[i0] = uu____0;
9762   }
9763   return result;
9764 }
9765 
9766 /**
9767 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof.closure
9768 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
9769 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
9770 generics
9771 - K= 3
9772 */
9773 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
9774 libcrux_ml_kem_sampling_sample_from_xof_closure_04(int16_t s[272U]) {
9775   return libcrux_ml_kem_polynomial_from_i16_array_89_c1(
9776       Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t));
9777 }
9778 
9779 /**
9780 A monomorphic instance of libcrux_ml_kem.sampling.sample_from_xof
9781 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
9782 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
9783 generics
9784 - K= 3
9785 */
9786 static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_3f(
9787     uint8_t seeds[3U][34U],
9788     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
9789   size_t sampled_coefficients[3U] = {0U};
9790   int16_t out[3U][272U] = {{0U}};
9791   /* Passing arrays by value in Rust generates a copy in C */
9792   uint8_t copy_of_seeds[3U][34U];
9793   memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
9794   libcrux_ml_kem_hash_functions_portable_PortableHash_58 xof_state =
9795       libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_f1_8c(
9796           copy_of_seeds);
9797   uint8_t randomness0[3U][504U];
9798   libcrux_ml_kem_hash_functions_portable_shake128_squeeze_three_blocks_f1_69(
9799       &xof_state, randomness0);
9800   /* Passing arrays by value in Rust generates a copy in C */
9801   uint8_t copy_of_randomness0[3U][504U];
9802   memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U]));
9803   bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_db(
9804       copy_of_randomness0, sampled_coefficients, out);
9805   while (true) {
9806     if (done) {
9807       break;
9808     } else {
9809       uint8_t randomness[3U][168U];
9810       libcrux_ml_kem_hash_functions_portable_shake128_squeeze_block_f1_60(
9811           &xof_state, randomness);
9812       /* Passing arrays by value in Rust generates a copy in C */
9813       uint8_t copy_of_randomness[3U][168U];
9814       memcpy(copy_of_randomness, randomness,
9815              (size_t)3U * sizeof(uint8_t[168U]));
9816       done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_db0(
9817           copy_of_randomness, sampled_coefficients, out);
9818     }
9819   }
9820   /* Passing arrays by value in Rust generates a copy in C */
9821   int16_t copy_of_out[3U][272U];
9822   memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U]));
9823   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret0[3U];
9824   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9825     ret0[i] =
9826         libcrux_ml_kem_sampling_sample_from_xof_closure_04(copy_of_out[i]);
9827   }
9828   memcpy(
9829       ret, ret0,
9830       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
9831 }
9832 
9833 /**
9834 A monomorphic instance of libcrux_ml_kem.matrix.sample_matrix_A
9835 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
9836 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
9837 generics
9838 - K= 3
9839 */
9840 static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_38(
9841     uint8_t seed[34U], bool transpose,
9842     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U][3U]) {
9843   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[3U][3U];
9844   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9845     libcrux_ml_kem_matrix_sample_matrix_A_closure_4b(i, A_transpose[i]);
9846   }
9847   for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) {
9848     size_t i1 = i0;
9849     /* Passing arrays by value in Rust generates a copy in C */
9850     uint8_t copy_of_seed[34U];
9851     memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t));
9852     uint8_t seeds[3U][34U];
9853     for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9854       memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));
9855     }
9856     for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9857       size_t j = i;
9858       seeds[j][32U] = (uint8_t)i1;
9859       seeds[j][33U] = (uint8_t)j;
9860     }
9861     /* Passing arrays by value in Rust generates a copy in C */
9862     uint8_t copy_of_seeds[3U][34U];
9863     memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U]));
9864     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sampled[3U];
9865     libcrux_ml_kem_sampling_sample_from_xof_3f(copy_of_seeds, sampled);
9866     for (size_t i = (size_t)0U;
9867          i < Eurydice_slice_len(
9868                  Eurydice_array_to_slice(
9869                      (size_t)3U, sampled,
9870                      libcrux_ml_kem_polynomial_PolynomialRingElement_f0),
9871                  libcrux_ml_kem_polynomial_PolynomialRingElement_f0);
9872          i++) {
9873       size_t j = i;
9874       libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sample = sampled[j];
9875       if (transpose) {
9876         A_transpose[j][i1] = sample;
9877       } else {
9878         A_transpose[i1][j] = sample;
9879       }
9880     }
9881   }
9882   memcpy(ret, A_transpose,
9883          (size_t)3U *
9884              sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]));
9885 }
9886 
9887 /**
9888 A monomorphic instance of K.
9889 with types libcrux_ml_kem_polynomial_PolynomialRingElement
9890 libcrux_ml_kem_vector_portable_vector_type_PortableVector[3size_t], uint8_t
9891 
9892 */
9893 typedef struct tuple_b0_s {
9894   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 fst[3U];
9895   uint8_t snd;
9896 } tuple_b0;
9897 
9898 /**
9899 A monomorphic instance of
9900 libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt.closure with types
9901 libcrux_ml_kem_vector_portable_vector_type_PortableVector,
9902 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
9903 generics
9904 - K= 3
9905 - ETA= 2
9906 - ETA_RANDOMNESS_SIZE= 128
9907 */
9908 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
9909 libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_closure_f7(size_t _i) {
9910   return libcrux_ml_kem_polynomial_ZERO_89_ea();
9911 }
9912 
9913 /**
9914 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN
9915 with const generics
9916 - K= 3
9917 - LEN= 128
9918 */
9919 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRFxN_c5(
9920     uint8_t (*input)[33U], uint8_t ret[3U][128U]) {
9921   uint8_t out[3U][128U] = {{0U}};
9922   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
9923     size_t i0 = i;
9924     libcrux_sha3_portable_shake256(
9925         Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t),
9926         Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t));
9927   }
9928   memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U]));
9929 }
9930 
9931 /**
9932 This function found in impl {(libcrux_ml_kem::hash_functions::Hash<K> for
9933 libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
9934 */
9935 /**
9936 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRFxN_f1
9937 with const generics
9938 - K= 3
9939 - LEN= 128
9940 */
9941 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRFxN_f1_93(
9942     uint8_t (*input)[33U], uint8_t ret[3U][128U]) {
9943   libcrux_ml_kem_hash_functions_portable_PRFxN_c5(input, ret);
9944 }
9945 
9946 /**
9947  Given a series of uniformly random bytes in `randomness`, for some number
9948  `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring
9949  element from a binomial distribution centered at 0 that uses two sets of `eta`
9950  coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v`
9951  such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and:
9952 
9953  ```plaintext
9954  - If v < 0, Pr[v] = Pr[-v]
9955  - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA)
9956  ```
9957 
9958  The values `v < 0` are mapped to the appropriate `KyberFieldElement`.
9959 
9960  The expected value is:
9961 
9962  ```plaintext
9963  E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1]
9964  + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0.
9965  ```
9966 
9967  And the variance is:
9968 
9969  ```plaintext
9970  Var(X) = E[(X - E[X])^2]
9971         = E[X^2]
9972         = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) /
9973  2^(2 * ETA)) = ETA / 2
9974  ```
9975 
9976  This function implements <strong>Algorithm 7</strong> of the NIST FIPS 203
9977  standard, which is reproduced below:
9978 
9979  ```plaintext
9980  Input: byte array B ∈ ��^{64η}.
9981  Output: array f ∈ ℤ₂₅₆.
9982 
9983  b ← BytesToBits(B)
9984  for (i ← 0; i < 256; i++)
9985      x ← ∑(j=0 to η - 1) b[2iη + j]
9986      y ← ∑(j=0 to η - 1) b[2iη + η + j]
9987      f[i] ← x−y mod q
9988  end for
9989  return f
9990  ```
9991 
9992  The NIST FIPS 203 standard can be found at
9993  <https://csrc.nist.gov/pubs/fips/203/ipd>.
9994 */
9995 /**
9996 A monomorphic instance of
9997 libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types
9998 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
9999 
10000 */
10001 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
10002 libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_85(
10003     Eurydice_slice randomness) {
10004   int16_t sampled_i16s[256U] = {0U};
10005   for (size_t i0 = (size_t)0U;
10006        i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) {
10007     size_t chunk_number = i0;
10008     Eurydice_slice byte_chunk = Eurydice_slice_subslice2(
10009         randomness, chunk_number * (size_t)4U,
10010         chunk_number * (size_t)4U + (size_t)4U, uint8_t);
10011     uint32_t random_bits_as_u32 =
10012         (((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t,
10013                                          uint8_t *) |
10014           (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t,
10015                                          uint8_t *)
10016               << 8U) |
10017          (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t,
10018                                         uint8_t *)
10019              << 16U) |
10020         (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, uint8_t,
10021                                        uint8_t *)
10022             << 24U;
10023     uint32_t even_bits = random_bits_as_u32 & 1431655765U;
10024     uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U;
10025     uint32_t coin_toss_outcomes = even_bits + odd_bits;
10026     for (uint32_t i = 0U; i < CORE_NUM__U32_8__BITS / 4U; i++) {
10027       uint32_t outcome_set = i;
10028       uint32_t outcome_set0 = outcome_set * 4U;
10029       int16_t outcome_1 =
10030           (int16_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 3U);
10031       int16_t outcome_2 =
10032           (int16_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U);
10033       size_t offset = (size_t)(outcome_set0 >> 2U);
10034       sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2;
10035     }
10036   }
10037   return libcrux_ml_kem_polynomial_from_i16_array_89_c1(
10038       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
10039 }
10040 
10041 /**
10042 A monomorphic instance of
10043 libcrux_ml_kem.sampling.sample_from_binomial_distribution_3 with types
10044 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
10045 
10046 */
10047 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
10048 libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_eb(
10049     Eurydice_slice randomness) {
10050   int16_t sampled_i16s[256U] = {0U};
10051   for (size_t i0 = (size_t)0U;
10052        i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i0++) {
10053     size_t chunk_number = i0;
10054     Eurydice_slice byte_chunk = Eurydice_slice_subslice2(
10055         randomness, chunk_number * (size_t)3U,
10056         chunk_number * (size_t)3U + (size_t)3U, uint8_t);
10057     uint32_t random_bits_as_u24 =
10058         ((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t,
10059                                         uint8_t *) |
10060          (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t,
10061                                         uint8_t *)
10062              << 8U) |
10063         (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t,
10064                                        uint8_t *)
10065             << 16U;
10066     uint32_t first_bits = random_bits_as_u24 & 2396745U;
10067     uint32_t second_bits = random_bits_as_u24 >> 1U & 2396745U;
10068     uint32_t third_bits = random_bits_as_u24 >> 2U & 2396745U;
10069     uint32_t coin_toss_outcomes = first_bits + second_bits + third_bits;
10070     for (int32_t i = (int32_t)0; i < (int32_t)24 / (int32_t)6; i++) {
10071       int32_t outcome_set = i;
10072       int32_t outcome_set0 = outcome_set * (int32_t)6;
10073       int16_t outcome_1 =
10074           (int16_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 7U);
10075       int16_t outcome_2 = (int16_t)(coin_toss_outcomes >>
10076                                         (uint32_t)(outcome_set0 + (int32_t)3) &
10077                                     7U);
10078       size_t offset = (size_t)(outcome_set0 / (int32_t)6);
10079       sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2;
10080     }
10081   }
10082   return libcrux_ml_kem_polynomial_from_i16_array_89_c1(
10083       Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t));
10084 }
10085 
10086 /**
10087 A monomorphic instance of
10088 libcrux_ml_kem.sampling.sample_from_binomial_distribution with types
10089 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
10090 - ETA= 2
10091 */
10092 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
10093 libcrux_ml_kem_sampling_sample_from_binomial_distribution_c6(
10094     Eurydice_slice randomness) {
10095   return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_85(
10096       randomness);
10097 }
10098 
10099 /**
10100 A monomorphic instance of libcrux_ml_kem.ntt.ntt_at_layer_7
10101 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10102 with const generics
10103 
10104 */
10105 static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_f4(
10106     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) {
10107   size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U;
10108   for (size_t i = (size_t)0U; i < step; i++) {
10109     size_t j = i;
10110     libcrux_ml_kem_vector_portable_vector_type_PortableVector t =
10111         libcrux_ml_kem_vector_portable_multiply_by_constant_0d(
10112             re->coefficients[j + step], (int16_t)-1600);
10113     re->coefficients[j + step] =
10114         libcrux_ml_kem_vector_portable_sub_0d(re->coefficients[j], &t);
10115     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 =
10116         libcrux_ml_kem_vector_portable_add_0d(re->coefficients[j], &t);
10117     re->coefficients[j] = uu____1;
10118   }
10119 }
10120 
10121 /**
10122 A monomorphic instance of libcrux_ml_kem.ntt.ntt_binomially_sampled_ring_element
10123 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10124 with const generics
10125 
10126 */
10127 static KRML_MUSTINLINE void
10128 libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_0f(
10129     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) {
10130   libcrux_ml_kem_ntt_ntt_at_layer_7_f4(re);
10131   size_t zeta_i = (size_t)1U;
10132   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)6U,
10133                                             (size_t)3U);
10134   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)5U,
10135                                             (size_t)3U);
10136   libcrux_ml_kem_ntt_ntt_at_layer_4_plus_51(&zeta_i, re, (size_t)4U,
10137                                             (size_t)3U);
10138   libcrux_ml_kem_ntt_ntt_at_layer_3_fd(&zeta_i, re, (size_t)3U, (size_t)3U);
10139   libcrux_ml_kem_ntt_ntt_at_layer_2_ad(&zeta_i, re, (size_t)2U, (size_t)3U);
10140   libcrux_ml_kem_ntt_ntt_at_layer_1_a2(&zeta_i, re, (size_t)1U, (size_t)3U);
10141   libcrux_ml_kem_polynomial_poly_barrett_reduce_89_8b(re);
10142 }
10143 
10144 /**
10145  Sample a vector of ring elements from a centered binomial distribution and
10146  convert them into their NTT representations.
10147 */
10148 /**
10149 A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt
10150 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
10151 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
10152 generics
10153 - K= 3
10154 - ETA= 2
10155 - ETA_RANDOMNESS_SIZE= 128
10156 */
10157 static KRML_MUSTINLINE tuple_b0
10158 libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc(uint8_t prf_input[33U],
10159                                                      uint8_t domain_separator) {
10160   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re_as_ntt[3U];
10161   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10162     re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
10163   }
10164   /* Passing arrays by value in Rust generates a copy in C */
10165   uint8_t copy_of_prf_input[33U];
10166   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
10167   uint8_t prf_inputs[3U][33U];
10168   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10169     memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));
10170   }
10171   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10172     size_t i0 = i;
10173     prf_inputs[i0][32U] = domain_separator;
10174     domain_separator = (uint32_t)domain_separator + 1U;
10175   }
10176   uint8_t prf_outputs[3U][128U];
10177   libcrux_ml_kem_hash_functions_portable_PRFxN_f1_93(prf_inputs, prf_outputs);
10178   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10179     size_t i0 = i;
10180     re_as_ntt[i0] =
10181         libcrux_ml_kem_sampling_sample_from_binomial_distribution_c6(
10182             Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t));
10183     libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_0f(&re_as_ntt[i0]);
10184   }
10185   /* Passing arrays by value in Rust generates a copy in C */
10186   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_re_as_ntt[3U];
10187   memcpy(
10188       copy_of_re_as_ntt, re_as_ntt,
10189       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10190   tuple_b0 lit;
10191   memcpy(
10192       lit.fst, copy_of_re_as_ntt,
10193       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10194   lit.snd = domain_separator;
10195   return lit;
10196 }
10197 
10198 /**
10199 A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd.closure
10200 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
10201 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
10202 generics
10203 - K= 3
10204 - ETA2_RANDOMNESS_SIZE= 128
10205 - ETA2= 2
10206 */
10207 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
10208 libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_77(size_t _i) {
10209   return libcrux_ml_kem_polynomial_ZERO_89_ea();
10210 }
10211 
10212 /**
10213  Sample a vector of ring elements from a centered binomial distribution.
10214 */
10215 /**
10216 A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd
10217 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
10218 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
10219 generics
10220 - K= 3
10221 - ETA2_RANDOMNESS_SIZE= 128
10222 - ETA2= 2
10223 */
10224 static KRML_MUSTINLINE tuple_b0
10225 libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_ac(uint8_t prf_input[33U],
10226                                                   uint8_t domain_separator) {
10227   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[3U];
10228   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10229     error_1[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
10230   }
10231   /* Passing arrays by value in Rust generates a copy in C */
10232   uint8_t copy_of_prf_input[33U];
10233   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
10234   uint8_t prf_inputs[3U][33U];
10235   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10236     memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));
10237   }
10238   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10239     size_t i0 = i;
10240     prf_inputs[i0][32U] = domain_separator;
10241     domain_separator = (uint32_t)domain_separator + 1U;
10242   }
10243   uint8_t prf_outputs[3U][128U];
10244   libcrux_ml_kem_hash_functions_portable_PRFxN_f1_93(prf_inputs, prf_outputs);
10245   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10246     size_t i0 = i;
10247     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 =
10248         libcrux_ml_kem_sampling_sample_from_binomial_distribution_c6(
10249             Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t));
10250     error_1[i0] = uu____1;
10251   }
10252   /* Passing arrays by value in Rust generates a copy in C */
10253   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_error_1[3U];
10254   memcpy(
10255       copy_of_error_1, error_1,
10256       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10257   tuple_b0 lit;
10258   memcpy(
10259       lit.fst, copy_of_error_1,
10260       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10261   lit.snd = domain_separator;
10262   return lit;
10263 }
10264 
10265 /**
10266 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF
10267 with const generics
10268 - LEN= 128
10269 */
10270 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRF_2b0(
10271     Eurydice_slice input, uint8_t ret[128U]) {
10272   uint8_t digest[128U] = {0U};
10273   libcrux_sha3_portable_shake256(
10274       Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input);
10275   memcpy(ret, digest, (size_t)128U * sizeof(uint8_t));
10276 }
10277 
10278 /**
10279 This function found in impl {(libcrux_ml_kem::hash_functions::Hash<K> for
10280 libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
10281 */
10282 /**
10283 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.PRF_f1
10284 with const generics
10285 - K= 3
10286 - LEN= 128
10287 */
10288 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRF_f1_ee0(
10289     Eurydice_slice input, uint8_t ret[128U]) {
10290   libcrux_ml_kem_hash_functions_portable_PRF_2b0(input, ret);
10291 }
10292 
10293 /**
10294 A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u.closure
10295 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10296 with const generics
10297 - K= 3
10298 */
10299 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
10300 libcrux_ml_kem_matrix_compute_vector_u_closure_d6(size_t _i) {
10301   return libcrux_ml_kem_polynomial_ZERO_89_ea();
10302 }
10303 
10304 /**
10305 This function found in impl
10306 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
10307 */
10308 /**
10309 A monomorphic instance of libcrux_ml_kem.polynomial.add_error_reduce_89
10310 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10311 with const generics
10312 
10313 */
10314 static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_89_38(
10315     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self,
10316     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *error) {
10317   for (size_t i = (size_t)0U;
10318        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
10319     size_t j = i;
10320     libcrux_ml_kem_vector_portable_vector_type_PortableVector
10321         coefficient_normal_form =
10322             libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
10323                 self->coefficients[j], (int16_t)1441);
10324     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
10325         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
10326             libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
10327                                                   &error->coefficients[j]));
10328     self->coefficients[j] = uu____0;
10329   }
10330 }
10331 
10332 /**
10333  Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁
10334 */
10335 /**
10336 A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u
10337 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10338 with const generics
10339 - K= 3
10340 */
10341 static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_59(
10342     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 (*a_as_ntt)[3U],
10343     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *r_as_ntt,
10344     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *error_1,
10345     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
10346   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 result[3U];
10347   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10348     result[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
10349   }
10350   for (size_t i0 = (size_t)0U;
10351        i0 < Eurydice_slice_len(
10352                 Eurydice_array_to_slice(
10353                     (size_t)3U, a_as_ntt,
10354                     libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]),
10355                 libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]);
10356        i0++) {
10357     size_t i1 = i0;
10358     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = a_as_ntt[i1];
10359     for (size_t i = (size_t)0U;
10360          i < Eurydice_slice_len(
10361                  Eurydice_array_to_slice(
10362                      (size_t)3U, row,
10363                      libcrux_ml_kem_polynomial_PolynomialRingElement_f0),
10364                  libcrux_ml_kem_polynomial_PolynomialRingElement_f0);
10365          i++) {
10366       size_t j = i;
10367       libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *a_element = &row[j];
10368       libcrux_ml_kem_polynomial_PolynomialRingElement_f0 product =
10369           libcrux_ml_kem_polynomial_ntt_multiply_89_2a(a_element, &r_as_ntt[j]);
10370       libcrux_ml_kem_polynomial_add_to_ring_element_89_84(&result[i1],
10371                                                           &product);
10372     }
10373     libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_f6(&result[i1]);
10374     libcrux_ml_kem_polynomial_add_error_reduce_89_38(&result[i1], &error_1[i1]);
10375   }
10376   memcpy(
10377       ret, result,
10378       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10379 }
10380 
10381 /**
10382 A monomorphic instance of libcrux_ml_kem.vector.traits.decompress_1
10383 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10384 with const generics
10385 
10386 */
10387 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
10388 libcrux_ml_kem_vector_traits_decompress_1_63(
10389     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10390   libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
10391       libcrux_ml_kem_vector_portable_ZERO_0d();
10392   return libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d(
10393       libcrux_ml_kem_vector_portable_sub_0d(uu____0, &v), (int16_t)1665);
10394 }
10395 
10396 /**
10397 A monomorphic instance of
10398 libcrux_ml_kem.serialize.deserialize_then_decompress_message with types
10399 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
10400 
10401 */
10402 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
10403 libcrux_ml_kem_serialize_deserialize_then_decompress_message_0d(
10404     uint8_t serialized[32U]) {
10405   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re =
10406       libcrux_ml_kem_polynomial_ZERO_89_ea();
10407   for (size_t i = (size_t)0U; i < (size_t)16U; i++) {
10408     size_t i0 = i;
10409     libcrux_ml_kem_vector_portable_vector_type_PortableVector
10410         coefficient_compressed =
10411             libcrux_ml_kem_vector_portable_deserialize_1_0d(
10412                 Eurydice_array_to_subslice2(serialized, (size_t)2U * i0,
10413                                             (size_t)2U * i0 + (size_t)2U,
10414                                             uint8_t));
10415     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
10416         libcrux_ml_kem_vector_traits_decompress_1_63(coefficient_compressed);
10417     re.coefficients[i0] = uu____0;
10418   }
10419   return re;
10420 }
10421 
10422 /**
10423 This function found in impl
10424 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
10425 */
10426 /**
10427 A monomorphic instance of libcrux_ml_kem.polynomial.add_message_error_reduce_89
10428 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10429 with const generics
10430 
10431 */
10432 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
10433 libcrux_ml_kem_polynomial_add_message_error_reduce_89_ea(
10434     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self,
10435     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *message,
10436     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 result) {
10437   for (size_t i = (size_t)0U;
10438        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
10439     size_t i0 = i;
10440     libcrux_ml_kem_vector_portable_vector_type_PortableVector
10441         coefficient_normal_form =
10442             libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
10443                 result.coefficients[i0], (int16_t)1441);
10444     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp =
10445         libcrux_ml_kem_vector_portable_add_0d(self->coefficients[i0],
10446                                               &message->coefficients[i0]);
10447     libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp0 =
10448         libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form, &tmp);
10449     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
10450         libcrux_ml_kem_vector_portable_barrett_reduce_0d(tmp0);
10451     result.coefficients[i0] = uu____0;
10452   }
10453   return result;
10454 }
10455 
10456 /**
10457  Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message
10458 */
10459 /**
10460 A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v
10461 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10462 with const generics
10463 - K= 3
10464 */
10465 static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0
10466 libcrux_ml_kem_matrix_compute_ring_element_v_54(
10467     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *t_as_ntt,
10468     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *r_as_ntt,
10469     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *error_2,
10470     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *message) {
10471   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 result =
10472       libcrux_ml_kem_polynomial_ZERO_89_ea();
10473   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
10474     size_t i0 = i;
10475     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 product =
10476         libcrux_ml_kem_polynomial_ntt_multiply_89_2a(&t_as_ntt[i0],
10477                                                      &r_as_ntt[i0]);
10478     libcrux_ml_kem_polynomial_add_to_ring_element_89_84(&result, &product);
10479   }
10480   libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_f6(&result);
10481   result = libcrux_ml_kem_polynomial_add_message_error_reduce_89_ea(
10482       error_2, message, result);
10483   return result;
10484 }
10485 
10486 /**
10487 A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress
10488 with const generics
10489 - COEFFICIENT_BITS= 10
10490 */
10491 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
10492 libcrux_ml_kem_vector_portable_compress_compress_02(
10493     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10494   for (size_t i = (size_t)0U;
10495        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
10496     size_t i0 = i;
10497     int16_t uu____0 =
10498         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
10499             (uint8_t)(int32_t)10, (uint16_t)v.elements[i0]);
10500     v.elements[i0] = uu____0;
10501   }
10502   return v;
10503 }
10504 
10505 /**
10506 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
10507 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
10508 */
10509 /**
10510 A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
10511 with const generics
10512 - COEFFICIENT_BITS= 10
10513 */
10514 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
10515 libcrux_ml_kem_vector_portable_compress_0d_28(
10516     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10517   return libcrux_ml_kem_vector_portable_compress_compress_02(v);
10518 }
10519 
10520 /**
10521 A monomorphic instance of libcrux_ml_kem.serialize.compress_then_serialize_10
10522 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10523 with const generics
10524 - OUT_LEN= 320
10525 */
10526 static KRML_MUSTINLINE void
10527 libcrux_ml_kem_serialize_compress_then_serialize_10_fc(
10528     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re, uint8_t ret[320U]) {
10529   uint8_t serialized[320U] = {0U};
10530   for (size_t i = (size_t)0U;
10531        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
10532     size_t i0 = i;
10533     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
10534         libcrux_ml_kem_vector_portable_compress_0d_28(
10535             libcrux_ml_kem_vector_traits_to_unsigned_representative_db(
10536                 re->coefficients[i0]));
10537     uint8_t bytes[20U];
10538     libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes);
10539     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
10540         serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t);
10541     Eurydice_slice_copy(
10542         uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t);
10543   }
10544   memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t));
10545 }
10546 
10547 /**
10548 A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress
10549 with const generics
10550 - COEFFICIENT_BITS= 11
10551 */
10552 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
10553 libcrux_ml_kem_vector_portable_compress_compress_020(
10554     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10555   for (size_t i = (size_t)0U;
10556        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
10557     size_t i0 = i;
10558     int16_t uu____0 =
10559         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
10560             (uint8_t)(int32_t)11, (uint16_t)v.elements[i0]);
10561     v.elements[i0] = uu____0;
10562   }
10563   return v;
10564 }
10565 
10566 /**
10567 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
10568 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
10569 */
10570 /**
10571 A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
10572 with const generics
10573 - COEFFICIENT_BITS= 11
10574 */
10575 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
10576 libcrux_ml_kem_vector_portable_compress_0d_280(
10577     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10578   return libcrux_ml_kem_vector_portable_compress_compress_020(v);
10579 }
10580 
10581 /**
10582 A monomorphic instance of libcrux_ml_kem.serialize.compress_then_serialize_11
10583 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10584 with const generics
10585 - OUT_LEN= 320
10586 */
10587 static KRML_MUSTINLINE void
10588 libcrux_ml_kem_serialize_compress_then_serialize_11_e1(
10589     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re, uint8_t ret[320U]) {
10590   uint8_t serialized[320U] = {0U};
10591   for (size_t i = (size_t)0U;
10592        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
10593     size_t i0 = i;
10594     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
10595         libcrux_ml_kem_vector_portable_compress_0d_280(
10596             libcrux_ml_kem_vector_traits_to_unsigned_representative_db(
10597                 re->coefficients[i0]));
10598     uint8_t bytes[22U];
10599     libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes);
10600     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
10601         serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t);
10602     Eurydice_slice_copy(
10603         uu____0, Eurydice_array_to_slice((size_t)22U, bytes, uint8_t), uint8_t);
10604   }
10605   memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t));
10606 }
10607 
10608 /**
10609 A monomorphic instance of
10610 libcrux_ml_kem.serialize.compress_then_serialize_ring_element_u with types
10611 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
10612 - COMPRESSION_FACTOR= 10
10613 - OUT_LEN= 320
10614 */
10615 static KRML_MUSTINLINE void
10616 libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_5f(
10617     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re, uint8_t ret[320U]) {
10618   uint8_t uu____0[320U];
10619   libcrux_ml_kem_serialize_compress_then_serialize_10_fc(re, uu____0);
10620   memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t));
10621 }
10622 
10623 /**
10624  Call [`compress_then_serialize_ring_element_u`] on each ring element.
10625 */
10626 /**
10627 A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u
10628 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10629 with const generics
10630 - K= 3
10631 - OUT_LEN= 960
10632 - COMPRESSION_FACTOR= 10
10633 - BLOCK_LEN= 320
10634 */
10635 static inline void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_a7(
10636     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 input[3U],
10637     Eurydice_slice out) {
10638   for (size_t i = (size_t)0U;
10639        i < Eurydice_slice_len(
10640                Eurydice_array_to_slice(
10641                    (size_t)3U, input,
10642                    libcrux_ml_kem_polynomial_PolynomialRingElement_f0),
10643                libcrux_ml_kem_polynomial_PolynomialRingElement_f0);
10644        i++) {
10645     size_t i0 = i;
10646     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = input[i0];
10647     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
10648         out, i0 * ((size_t)960U / (size_t)3U),
10649         (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t);
10650     uint8_t ret[320U];
10651     libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_5f(&re,
10652                                                                        ret);
10653     Eurydice_slice_copy(
10654         uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t);
10655   }
10656 }
10657 
10658 /**
10659 A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress
10660 with const generics
10661 - COEFFICIENT_BITS= 4
10662 */
10663 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
10664 libcrux_ml_kem_vector_portable_compress_compress_021(
10665     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10666   for (size_t i = (size_t)0U;
10667        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
10668     size_t i0 = i;
10669     int16_t uu____0 =
10670         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
10671             (uint8_t)(int32_t)4, (uint16_t)v.elements[i0]);
10672     v.elements[i0] = uu____0;
10673   }
10674   return v;
10675 }
10676 
10677 /**
10678 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
10679 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
10680 */
10681 /**
10682 A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
10683 with const generics
10684 - COEFFICIENT_BITS= 4
10685 */
10686 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
10687 libcrux_ml_kem_vector_portable_compress_0d_281(
10688     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10689   return libcrux_ml_kem_vector_portable_compress_compress_021(v);
10690 }
10691 
10692 /**
10693 A monomorphic instance of libcrux_ml_kem.serialize.compress_then_serialize_4
10694 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10695 with const generics
10696 
10697 */
10698 static KRML_MUSTINLINE void
10699 libcrux_ml_kem_serialize_compress_then_serialize_4_9a(
10700     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re,
10701     Eurydice_slice serialized) {
10702   for (size_t i = (size_t)0U;
10703        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
10704     size_t i0 = i;
10705     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
10706         libcrux_ml_kem_vector_portable_compress_0d_281(
10707             libcrux_ml_kem_vector_traits_to_unsigned_representative_db(
10708                 re.coefficients[i0]));
10709     uint8_t bytes[8U];
10710     libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes);
10711     Eurydice_slice_copy(
10712         Eurydice_slice_subslice2(serialized, (size_t)8U * i0,
10713                                  (size_t)8U * i0 + (size_t)8U, uint8_t),
10714         Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t);
10715   }
10716 }
10717 
10718 /**
10719 A monomorphic instance of libcrux_ml_kem.vector.portable.compress.compress
10720 with const generics
10721 - COEFFICIENT_BITS= 5
10722 */
10723 static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector
10724 libcrux_ml_kem_vector_portable_compress_compress_022(
10725     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10726   for (size_t i = (size_t)0U;
10727        i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) {
10728     size_t i0 = i;
10729     int16_t uu____0 =
10730         libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient(
10731             (uint8_t)(int32_t)5, (uint16_t)v.elements[i0]);
10732     v.elements[i0] = uu____0;
10733   }
10734   return v;
10735 }
10736 
10737 /**
10738 This function found in impl {(libcrux_ml_kem::vector::traits::Operations for
10739 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
10740 */
10741 /**
10742 A monomorphic instance of libcrux_ml_kem.vector.portable.compress_0d
10743 with const generics
10744 - COEFFICIENT_BITS= 5
10745 */
10746 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
10747 libcrux_ml_kem_vector_portable_compress_0d_282(
10748     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
10749   return libcrux_ml_kem_vector_portable_compress_compress_022(v);
10750 }
10751 
10752 /**
10753 A monomorphic instance of libcrux_ml_kem.serialize.compress_then_serialize_5
10754 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
10755 with const generics
10756 
10757 */
10758 static KRML_MUSTINLINE void
10759 libcrux_ml_kem_serialize_compress_then_serialize_5_1f(
10760     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re,
10761     Eurydice_slice serialized) {
10762   for (size_t i = (size_t)0U;
10763        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
10764     size_t i0 = i;
10765     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients =
10766         libcrux_ml_kem_vector_portable_compress_0d_282(
10767             libcrux_ml_kem_vector_traits_to_unsigned_representative_db(
10768                 re.coefficients[i0]));
10769     uint8_t bytes[10U];
10770     libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes);
10771     Eurydice_slice_copy(
10772         Eurydice_slice_subslice2(serialized, (size_t)10U * i0,
10773                                  (size_t)10U * i0 + (size_t)10U, uint8_t),
10774         Eurydice_array_to_slice((size_t)10U, bytes, uint8_t), uint8_t);
10775   }
10776 }
10777 
10778 /**
10779 A monomorphic instance of
10780 libcrux_ml_kem.serialize.compress_then_serialize_ring_element_v with types
10781 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
10782 - COMPRESSION_FACTOR= 4
10783 - OUT_LEN= 128
10784 */
10785 static KRML_MUSTINLINE void
10786 libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_4e(
10787     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re, Eurydice_slice out) {
10788   libcrux_ml_kem_serialize_compress_then_serialize_4_9a(re, out);
10789 }
10790 
10791 /**
10792 A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt
10793 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
10794 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const
10795 generics
10796 - K= 3
10797 - CIPHERTEXT_SIZE= 1088
10798 - T_AS_NTT_ENCODED_SIZE= 1152
10799 - C1_LEN= 960
10800 - C2_LEN= 128
10801 - U_COMPRESSION_FACTOR= 10
10802 - V_COMPRESSION_FACTOR= 4
10803 - BLOCK_LEN= 320
10804 - ETA1= 2
10805 - ETA1_RANDOMNESS_SIZE= 128
10806 - ETA2= 2
10807 - ETA2_RANDOMNESS_SIZE= 128
10808 */
10809 static inline void libcrux_ml_kem_ind_cpa_encrypt_60(Eurydice_slice public_key,
10810                                                      uint8_t message[32U],
10811                                                      Eurydice_slice randomness,
10812                                                      uint8_t ret[1088U]) {
10813   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[3U];
10814   libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_33(
10815       Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t),
10816       t_as_ntt);
10817   Eurydice_slice seed =
10818       Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t);
10819   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[3U][3U];
10820   uint8_t ret0[34U];
10821   libcrux_ml_kem_utils_into_padded_array_ea1(seed, ret0);
10822   libcrux_ml_kem_matrix_sample_matrix_A_38(ret0, false, A);
10823   uint8_t prf_input[33U];
10824   libcrux_ml_kem_utils_into_padded_array_ea2(randomness, prf_input);
10825   /* Passing arrays by value in Rust generates a copy in C */
10826   uint8_t copy_of_prf_input0[33U];
10827   memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t));
10828   tuple_b0 uu____1 = libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc(
10829       copy_of_prf_input0, 0U);
10830   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 r_as_ntt[3U];
10831   memcpy(
10832       r_as_ntt, uu____1.fst,
10833       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10834   uint8_t domain_separator0 = uu____1.snd;
10835   /* Passing arrays by value in Rust generates a copy in C */
10836   uint8_t copy_of_prf_input[33U];
10837   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
10838   tuple_b0 uu____3 = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_ac(
10839       copy_of_prf_input, domain_separator0);
10840   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[3U];
10841   memcpy(
10842       error_1, uu____3.fst,
10843       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10844   uint8_t domain_separator = uu____3.snd;
10845   prf_input[32U] = domain_separator;
10846   uint8_t prf_output[128U];
10847   libcrux_ml_kem_hash_functions_portable_PRF_f1_ee0(
10848       Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), prf_output);
10849   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_2 =
10850       libcrux_ml_kem_sampling_sample_from_binomial_distribution_c6(
10851           Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t));
10852   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u[3U];
10853   libcrux_ml_kem_matrix_compute_vector_u_59(A, r_as_ntt, error_1, u);
10854   /* Passing arrays by value in Rust generates a copy in C */
10855   uint8_t copy_of_message[32U];
10856   memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t));
10857   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message_as_ring_element =
10858       libcrux_ml_kem_serialize_deserialize_then_decompress_message_0d(
10859           copy_of_message);
10860   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v =
10861       libcrux_ml_kem_matrix_compute_ring_element_v_54(
10862           t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element);
10863   uint8_t ciphertext[1088U] = {0U};
10864   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____5[3U];
10865   memcpy(
10866       uu____5, u,
10867       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
10868   libcrux_ml_kem_ind_cpa_compress_then_serialize_u_a7(
10869       uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U,
10870                                            uint8_t));
10871   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____6 = v;
10872   libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_4e(
10873       uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext,
10874                                                (size_t)960U, uint8_t, size_t));
10875   memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t));
10876 }
10877 
10878 /**
10879 This function found in impl {(libcrux_ml_kem::variant::Variant for
10880 libcrux_ml_kem::variant::MlKem)#1}
10881 */
10882 /**
10883 A monomorphic instance of libcrux_ml_kem.variant.kdf_d8
10884 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
10885 with const generics
10886 - K= 3
10887 - CIPHERTEXT_SIZE= 1088
10888 */
10889 static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_d8_41(
10890     Eurydice_slice shared_secret, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_,
10891     uint8_t ret[32U]) {
10892   uint8_t out[32U] = {0U};
10893   Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
10894                       shared_secret, uint8_t);
10895   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
10896 }
10897 
10898 /**
10899 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
10900 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
10901 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
10902 libcrux_ml_kem_variant_MlKem with const generics
10903 - K= 3
10904 - SECRET_KEY_SIZE= 2400
10905 - CPA_SECRET_KEY_SIZE= 1152
10906 - PUBLIC_KEY_SIZE= 1184
10907 - CIPHERTEXT_SIZE= 1088
10908 - T_AS_NTT_ENCODED_SIZE= 1152
10909 - C1_SIZE= 960
10910 - C2_SIZE= 128
10911 - VECTOR_U_COMPRESSION_FACTOR= 10
10912 - VECTOR_V_COMPRESSION_FACTOR= 4
10913 - C1_BLOCK_SIZE= 320
10914 - ETA1= 2
10915 - ETA1_RANDOMNESS_SIZE= 128
10916 - ETA2= 2
10917 - ETA2_RANDOMNESS_SIZE= 128
10918 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120
10919 */
10920 static inline void libcrux_ml_kem_ind_cca_decapsulate_70(
10921     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
10922     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
10923   Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
10924       Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t),
10925       (size_t)1152U, uint8_t, Eurydice_slice_uint8_t_x2);
10926   Eurydice_slice ind_cpa_secret_key = uu____0.fst;
10927   Eurydice_slice secret_key0 = uu____0.snd;
10928   Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at(
10929       secret_key0, (size_t)1184U, uint8_t, Eurydice_slice_uint8_t_x2);
10930   Eurydice_slice ind_cpa_public_key = uu____1.fst;
10931   Eurydice_slice secret_key = uu____1.snd;
10932   Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at(
10933       secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t,
10934       Eurydice_slice_uint8_t_x2);
10935   Eurydice_slice ind_cpa_public_key_hash = uu____2.fst;
10936   Eurydice_slice implicit_rejection_value = uu____2.snd;
10937   uint8_t decrypted[32U];
10938   libcrux_ml_kem_ind_cpa_decrypt_43(ind_cpa_secret_key, ciphertext->value,
10939                                     decrypted);
10940   uint8_t to_hash0[64U];
10941   libcrux_ml_kem_utils_into_padded_array_ea(
10942       Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0);
10943   Eurydice_slice_copy(
10944       Eurydice_array_to_subslice_from(
10945           (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
10946           uint8_t, size_t),
10947       ind_cpa_public_key_hash, uint8_t);
10948   uint8_t hashed[64U];
10949   libcrux_ml_kem_hash_functions_portable_G_f1_e4(
10950       Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed);
10951   Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at(
10952       Eurydice_array_to_slice((size_t)64U, hashed, uint8_t),
10953       LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t,
10954       Eurydice_slice_uint8_t_x2);
10955   Eurydice_slice shared_secret0 = uu____3.fst;
10956   Eurydice_slice pseudorandomness = uu____3.snd;
10957   uint8_t to_hash[1120U];
10958   libcrux_ml_kem_utils_into_padded_array_ea0(implicit_rejection_value, to_hash);
10959   Eurydice_slice uu____4 = Eurydice_array_to_subslice_from(
10960       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
10961       uint8_t, size_t);
10962   Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_24(ciphertext),
10963                       uint8_t);
10964   uint8_t implicit_rejection_shared_secret0[32U];
10965   libcrux_ml_kem_hash_functions_portable_PRF_f1_ee(
10966       Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t),
10967       implicit_rejection_shared_secret0);
10968   Eurydice_slice uu____5 = ind_cpa_public_key;
10969   /* Passing arrays by value in Rust generates a copy in C */
10970   uint8_t copy_of_decrypted[32U];
10971   memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t));
10972   uint8_t expected_ciphertext[1088U];
10973   libcrux_ml_kem_ind_cpa_encrypt_60(uu____5, copy_of_decrypted,
10974                                     pseudorandomness, expected_ciphertext);
10975   uint8_t implicit_rejection_shared_secret[32U];
10976   libcrux_ml_kem_variant_kdf_d8_41(
10977       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0,
10978                               uint8_t),
10979       ciphertext, implicit_rejection_shared_secret);
10980   uint8_t shared_secret[32U];
10981   libcrux_ml_kem_variant_kdf_d8_41(shared_secret0, ciphertext, shared_secret);
10982   uint8_t ret0[32U];
10983   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
10984       libcrux_ml_kem_types_as_ref_00_24(ciphertext),
10985       Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t),
10986       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
10987       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
10988                               uint8_t),
10989       ret0);
10990   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
10991 }
10992 
10993 /**
10994  Portable decapsulate
10995 */
10996 /**
10997 A monomorphic instance of
10998 libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics
10999 - K= 3
11000 - SECRET_KEY_SIZE= 2400
11001 - CPA_SECRET_KEY_SIZE= 1152
11002 - PUBLIC_KEY_SIZE= 1184
11003 - CIPHERTEXT_SIZE= 1088
11004 - T_AS_NTT_ENCODED_SIZE= 1152
11005 - C1_SIZE= 960
11006 - C2_SIZE= 128
11007 - VECTOR_U_COMPRESSION_FACTOR= 10
11008 - VECTOR_V_COMPRESSION_FACTOR= 4
11009 - C1_BLOCK_SIZE= 320
11010 - ETA1= 2
11011 - ETA1_RANDOMNESS_SIZE= 128
11012 - ETA2= 2
11013 - ETA2_RANDOMNESS_SIZE= 128
11014 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120
11015 */
11016 static inline void
11017 libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_2e(
11018     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
11019     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
11020   libcrux_ml_kem_ind_cca_decapsulate_70(private_key, ciphertext, ret);
11021 }
11022 
11023 /**
11024  Decapsulate ML-KEM 768
11025 
11026  Generates an [`MlKemSharedSecret`].
11027  The input is a reference to an [`MlKem768PrivateKey`] and an
11028  [`MlKem768Ciphertext`].
11029 */
11030 static inline void libcrux_ml_kem_mlkem768_portable_decapsulate(
11031     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
11032     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
11033   libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_2e(
11034       private_key, ciphertext, ret);
11035 }
11036 
11037 /**
11038 This function found in impl {(libcrux_ml_kem::variant::Variant for
11039 libcrux_ml_kem::variant::MlKem)#1}
11040 */
11041 /**
11042 A monomorphic instance of libcrux_ml_kem.variant.entropy_preprocess_d8
11043 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
11044 with const generics
11045 - K= 3
11046 */
11047 static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_d8_63(
11048     Eurydice_slice randomness, uint8_t ret[32U]) {
11049   uint8_t out[32U] = {0U};
11050   Eurydice_slice_copy(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
11051                       randomness, uint8_t);
11052   memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
11053 }
11054 
11055 /**
11056 This function found in impl {(libcrux_ml_kem::hash_functions::Hash<K> for
11057 libcrux_ml_kem::hash_functions::portable::PortableHash<K>)}
11058 */
11059 /**
11060 A monomorphic instance of libcrux_ml_kem.hash_functions.portable.H_f1
11061 with const generics
11062 - K= 3
11063 */
11064 static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_H_f1_1a(
11065     Eurydice_slice input, uint8_t ret[32U]) {
11066   libcrux_ml_kem_hash_functions_portable_H(input, ret);
11067 }
11068 
11069 /**
11070 A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate
11071 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
11072 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
11073 libcrux_ml_kem_variant_MlKem with const generics
11074 - K= 3
11075 - CIPHERTEXT_SIZE= 1088
11076 - PUBLIC_KEY_SIZE= 1184
11077 - T_AS_NTT_ENCODED_SIZE= 1152
11078 - C1_SIZE= 960
11079 - C2_SIZE= 128
11080 - VECTOR_U_COMPRESSION_FACTOR= 10
11081 - VECTOR_V_COMPRESSION_FACTOR= 4
11082 - VECTOR_U_BLOCK_LEN= 320
11083 - ETA1= 2
11084 - ETA1_RANDOMNESS_SIZE= 128
11085 - ETA2= 2
11086 - ETA2_RANDOMNESS_SIZE= 128
11087 */
11088 static inline tuple_3c libcrux_ml_kem_ind_cca_encapsulate_cd(
11089     libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
11090     uint8_t randomness[32U]) {
11091   uint8_t randomness0[32U];
11092   libcrux_ml_kem_variant_entropy_preprocess_d8_63(
11093       Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0);
11094   uint8_t to_hash[64U];
11095   libcrux_ml_kem_utils_into_padded_array_ea(
11096       Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash);
11097   Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
11098       (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t,
11099       size_t);
11100   uint8_t ret[32U];
11101   libcrux_ml_kem_hash_functions_portable_H_f1_1a(
11102       Eurydice_array_to_slice((size_t)1184U,
11103                               libcrux_ml_kem_types_as_slice_cb_50(public_key),
11104                               uint8_t),
11105       ret);
11106   Eurydice_slice_copy(
11107       uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t);
11108   uint8_t hashed[64U];
11109   libcrux_ml_kem_hash_functions_portable_G_f1_e4(
11110       Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed);
11111   Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at(
11112       Eurydice_array_to_slice((size_t)64U, hashed, uint8_t),
11113       LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t,
11114       Eurydice_slice_uint8_t_x2);
11115   Eurydice_slice shared_secret = uu____1.fst;
11116   Eurydice_slice pseudorandomness = uu____1.snd;
11117   Eurydice_slice uu____2 = Eurydice_array_to_slice(
11118       (size_t)1184U, libcrux_ml_kem_types_as_slice_cb_50(public_key), uint8_t);
11119   /* Passing arrays by value in Rust generates a copy in C */
11120   uint8_t copy_of_randomness[32U];
11121   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
11122   uint8_t ciphertext[1088U];
11123   libcrux_ml_kem_ind_cpa_encrypt_60(uu____2, copy_of_randomness,
11124                                     pseudorandomness, ciphertext);
11125   /* Passing arrays by value in Rust generates a copy in C */
11126   uint8_t copy_of_ciphertext[1088U];
11127   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
11128   libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 =
11129       libcrux_ml_kem_types_from_01_9f(copy_of_ciphertext);
11130   uint8_t shared_secret_array[32U];
11131   libcrux_ml_kem_variant_kdf_d8_41(shared_secret, &ciphertext0,
11132                                    shared_secret_array);
11133   libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0;
11134   /* Passing arrays by value in Rust generates a copy in C */
11135   uint8_t copy_of_shared_secret_array[32U];
11136   memcpy(copy_of_shared_secret_array, shared_secret_array,
11137          (size_t)32U * sizeof(uint8_t));
11138   tuple_3c lit;
11139   lit.fst = uu____5;
11140   memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t));
11141   return lit;
11142 }
11143 
11144 /**
11145 A monomorphic instance of
11146 libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics
11147 - K= 3
11148 - CIPHERTEXT_SIZE= 1088
11149 - PUBLIC_KEY_SIZE= 1184
11150 - T_AS_NTT_ENCODED_SIZE= 1152
11151 - C1_SIZE= 960
11152 - C2_SIZE= 128
11153 - VECTOR_U_COMPRESSION_FACTOR= 10
11154 - VECTOR_V_COMPRESSION_FACTOR= 4
11155 - VECTOR_U_BLOCK_LEN= 320
11156 - ETA1= 2
11157 - ETA1_RANDOMNESS_SIZE= 128
11158 - ETA2= 2
11159 - ETA2_RANDOMNESS_SIZE= 128
11160 */
11161 static inline tuple_3c
11162 libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_c6(
11163     libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
11164     uint8_t randomness[32U]) {
11165   libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key;
11166   /* Passing arrays by value in Rust generates a copy in C */
11167   uint8_t copy_of_randomness[32U];
11168   memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
11169   return libcrux_ml_kem_ind_cca_encapsulate_cd(uu____0, copy_of_randomness);
11170 }
11171 
11172 /**
11173  Encapsulate ML-KEM 768
11174 
11175  Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
11176  The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`]
11177  bytes of `randomness`.
11178 */
11179 static inline tuple_3c libcrux_ml_kem_mlkem768_portable_encapsulate(
11180     libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
11181     uint8_t randomness[32U]) {
11182   libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key;
11183   /* Passing arrays by value in Rust generates a copy in C */
11184   uint8_t copy_of_randomness[32U];
11185   memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
11186   return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_c6(
11187       uu____0, copy_of_randomness);
11188 }
11189 
11190 /**
11191 This function found in impl {(libcrux_ml_kem::variant::Variant for
11192 libcrux_ml_kem::variant::MlKem)#1}
11193 */
11194 /**
11195 A monomorphic instance of libcrux_ml_kem.variant.cpa_keygen_seed_d8
11196 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
11197 with const generics
11198 - K= 3
11199 */
11200 static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_d8_0e(
11201     Eurydice_slice key_generation_seed, uint8_t ret[64U]) {
11202   uint8_t seed[33U] = {0U};
11203   Eurydice_slice_copy(
11204       Eurydice_array_to_subslice2(
11205           seed, (size_t)0U,
11206           LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t),
11207       key_generation_seed, uint8_t);
11208   seed[LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE] =
11209       (uint8_t)(size_t)3U;
11210   uint8_t ret0[64U];
11211   libcrux_ml_kem_hash_functions_portable_G_f1_e4(
11212       Eurydice_array_to_slice((size_t)33U, seed, uint8_t), ret0);
11213   memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t));
11214 }
11215 
11216 /**
11217 A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e.closure
11218 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
11219 with const generics
11220 - K= 3
11221 */
11222 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
11223 libcrux_ml_kem_matrix_compute_As_plus_e_closure_87(size_t _i) {
11224   return libcrux_ml_kem_polynomial_ZERO_89_ea();
11225 }
11226 
11227 /**
11228 A monomorphic instance of libcrux_ml_kem.vector.traits.to_standard_domain
11229 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
11230 with const generics
11231 
11232 */
11233 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
11234 libcrux_ml_kem_vector_traits_to_standard_domain_59(
11235     libcrux_ml_kem_vector_portable_vector_type_PortableVector v) {
11236   return libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d(
11237       v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS);
11238 }
11239 
11240 /**
11241 This function found in impl
11242 {libcrux_ml_kem::polynomial::PolynomialRingElement<Vector>[TraitClause@0]}
11243 */
11244 /**
11245 A monomorphic instance of libcrux_ml_kem.polynomial.add_standard_error_reduce_89
11246 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
11247 with const generics
11248 
11249 */
11250 static KRML_MUSTINLINE void
11251 libcrux_ml_kem_polynomial_add_standard_error_reduce_89_03(
11252     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self,
11253     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *error) {
11254   for (size_t i = (size_t)0U;
11255        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
11256     size_t j = i;
11257     libcrux_ml_kem_vector_portable_vector_type_PortableVector
11258         coefficient_normal_form =
11259             libcrux_ml_kem_vector_traits_to_standard_domain_59(
11260                 self->coefficients[j]);
11261     libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 =
11262         libcrux_ml_kem_vector_portable_barrett_reduce_0d(
11263             libcrux_ml_kem_vector_portable_add_0d(coefficient_normal_form,
11264                                                   &error->coefficients[j]));
11265     self->coefficients[j] = uu____0;
11266   }
11267 }
11268 
11269 /**
11270  Compute  ◦ ŝ + ê
11271 */
11272 /**
11273 A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e
11274 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
11275 with const generics
11276 - K= 3
11277 */
11278 static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_60(
11279     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 (*matrix_A)[3U],
11280     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *s_as_ntt,
11281     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *error_as_ntt,
11282     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
11283   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 result[3U];
11284   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
11285     result[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
11286   }
11287   for (size_t i0 = (size_t)0U;
11288        i0 < Eurydice_slice_len(
11289                 Eurydice_array_to_slice(
11290                     (size_t)3U, matrix_A,
11291                     libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]),
11292                 libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]);
11293        i0++) {
11294     size_t i1 = i0;
11295     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = matrix_A[i1];
11296     for (size_t i = (size_t)0U;
11297          i < Eurydice_slice_len(
11298                  Eurydice_array_to_slice(
11299                      (size_t)3U, row,
11300                      libcrux_ml_kem_polynomial_PolynomialRingElement_f0),
11301                  libcrux_ml_kem_polynomial_PolynomialRingElement_f0);
11302          i++) {
11303       size_t j = i;
11304       libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *matrix_element =
11305           &row[j];
11306       libcrux_ml_kem_polynomial_PolynomialRingElement_f0 product =
11307           libcrux_ml_kem_polynomial_ntt_multiply_89_2a(matrix_element,
11308                                                        &s_as_ntt[j]);
11309       libcrux_ml_kem_polynomial_add_to_ring_element_89_84(&result[i1],
11310                                                           &product);
11311     }
11312     libcrux_ml_kem_polynomial_add_standard_error_reduce_89_03(
11313         &result[i1], &error_as_ntt[i1]);
11314   }
11315   memcpy(
11316       ret, result,
11317       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
11318 }
11319 
11320 /**
11321 A monomorphic instance of
11322 libcrux_ml_kem.serialize.serialize_uncompressed_ring_element with types
11323 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
11324 
11325 */
11326 static KRML_MUSTINLINE void
11327 libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_5b(
11328     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re, uint8_t ret[384U]) {
11329   uint8_t serialized[384U] = {0U};
11330   for (size_t i = (size_t)0U;
11331        i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) {
11332     size_t i0 = i;
11333     libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient =
11334         libcrux_ml_kem_vector_traits_to_unsigned_representative_db(
11335             re->coefficients[i0]);
11336     uint8_t bytes[24U];
11337     libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes);
11338     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
11339         serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t);
11340     Eurydice_slice_copy(
11341         uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t);
11342   }
11343   memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t));
11344 }
11345 
11346 /**
11347  Call [`serialize_uncompressed_ring_element`] for each ring element.
11348 */
11349 /**
11350 A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key
11351 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
11352 with const generics
11353 - K= 3
11354 - OUT_LEN= 1152
11355 */
11356 static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_secret_key_b5(
11357     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *key,
11358     uint8_t ret[1152U]) {
11359   uint8_t out[1152U] = {0U};
11360   for (size_t i = (size_t)0U;
11361        i < Eurydice_slice_len(
11362                Eurydice_array_to_slice(
11363                    (size_t)3U, key,
11364                    libcrux_ml_kem_polynomial_PolynomialRingElement_f0),
11365                libcrux_ml_kem_polynomial_PolynomialRingElement_f0);
11366        i++) {
11367     size_t i0 = i;
11368     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = key[i0];
11369     Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
11370         out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
11371         (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
11372         uint8_t);
11373     uint8_t ret0[384U];
11374     libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_5b(&re, ret0);
11375     Eurydice_slice_copy(
11376         uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t);
11377   }
11378   memcpy(ret, out, (size_t)1152U * sizeof(uint8_t));
11379 }
11380 
11381 /**
11382  Concatenate `t` and `ρ` into the public key.
11383 */
11384 /**
11385 A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key
11386 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
11387 with const generics
11388 - K= 3
11389 - RANKED_BYTES_PER_RING_ELEMENT= 1152
11390 - PUBLIC_KEY_SIZE= 1184
11391 */
11392 static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_79(
11393     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *t_as_ntt,
11394     Eurydice_slice seed_for_a, uint8_t ret[1184U]) {
11395   uint8_t public_key_serialized[1184U] = {0U};
11396   Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
11397       public_key_serialized, (size_t)0U, (size_t)1152U, uint8_t);
11398   uint8_t ret0[1152U];
11399   libcrux_ml_kem_ind_cpa_serialize_secret_key_b5(t_as_ntt, ret0);
11400   Eurydice_slice_copy(
11401       uu____0, Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t), uint8_t);
11402   Eurydice_slice_copy(
11403       Eurydice_array_to_subslice_from((size_t)1184U, public_key_serialized,
11404                                       (size_t)1152U, uint8_t, size_t),
11405       seed_for_a, uint8_t);
11406   memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t));
11407 }
11408 
11409 /**
11410 A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair
11411 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
11412 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
11413 libcrux_ml_kem_variant_MlKem with const generics
11414 - K= 3
11415 - PRIVATE_KEY_SIZE= 1152
11416 - PUBLIC_KEY_SIZE= 1184
11417 - RANKED_BYTES_PER_RING_ELEMENT= 1152
11418 - ETA1= 2
11419 - ETA1_RANDOMNESS_SIZE= 128
11420 */
11421 static inline libcrux_ml_kem_utils_extraction_helper_Keypair768
11422 libcrux_ml_kem_ind_cpa_generate_keypair_fc(Eurydice_slice key_generation_seed) {
11423   uint8_t hashed[64U];
11424   libcrux_ml_kem_variant_cpa_keygen_seed_d8_0e(key_generation_seed, hashed);
11425   Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
11426       Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U,
11427       uint8_t, Eurydice_slice_uint8_t_x2);
11428   Eurydice_slice seed_for_A0 = uu____0.fst;
11429   Eurydice_slice seed_for_secret_and_error = uu____0.snd;
11430   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[3U][3U];
11431   uint8_t ret[34U];
11432   libcrux_ml_kem_utils_into_padded_array_ea1(seed_for_A0, ret);
11433   libcrux_ml_kem_matrix_sample_matrix_A_38(ret, true, A_transpose);
11434   uint8_t prf_input[33U];
11435   libcrux_ml_kem_utils_into_padded_array_ea2(seed_for_secret_and_error,
11436                                              prf_input);
11437   /* Passing arrays by value in Rust generates a copy in C */
11438   uint8_t copy_of_prf_input0[33U];
11439   memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t));
11440   tuple_b0 uu____2 = libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc(
11441       copy_of_prf_input0, 0U);
11442   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U];
11443   memcpy(
11444       secret_as_ntt, uu____2.fst,
11445       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
11446   uint8_t domain_separator = uu____2.snd;
11447   /* Passing arrays by value in Rust generates a copy in C */
11448   uint8_t copy_of_prf_input[33U];
11449   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
11450   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_as_ntt[3U];
11451   memcpy(
11452       error_as_ntt,
11453       libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc(copy_of_prf_input,
11454                                                            domain_separator)
11455           .fst,
11456       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
11457   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[3U];
11458   libcrux_ml_kem_matrix_compute_As_plus_e_60(A_transpose, secret_as_ntt,
11459                                              error_as_ntt, t_as_ntt);
11460   uint8_t seed_for_A[32U];
11461   Result_00 dst;
11462   Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]);
11463   unwrap_41_83(dst, seed_for_A);
11464   uint8_t public_key_serialized[1184U];
11465   libcrux_ml_kem_ind_cpa_serialize_public_key_79(
11466       t_as_ntt, Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t),
11467       public_key_serialized);
11468   uint8_t secret_key_serialized[1152U];
11469   libcrux_ml_kem_ind_cpa_serialize_secret_key_b5(secret_as_ntt,
11470                                                  secret_key_serialized);
11471   /* Passing arrays by value in Rust generates a copy in C */
11472   uint8_t copy_of_secret_key_serialized[1152U];
11473   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
11474          (size_t)1152U * sizeof(uint8_t));
11475   /* Passing arrays by value in Rust generates a copy in C */
11476   uint8_t copy_of_public_key_serialized[1184U];
11477   memcpy(copy_of_public_key_serialized, public_key_serialized,
11478          (size_t)1184U * sizeof(uint8_t));
11479   libcrux_ml_kem_utils_extraction_helper_Keypair768 lit;
11480   memcpy(lit.fst, copy_of_secret_key_serialized,
11481          (size_t)1152U * sizeof(uint8_t));
11482   memcpy(lit.snd, copy_of_public_key_serialized,
11483          (size_t)1184U * sizeof(uint8_t));
11484   return lit;
11485 }
11486 
11487 /**
11488  Serialize the secret key.
11489 */
11490 /**
11491 A monomorphic instance of libcrux_ml_kem.ind_cca.serialize_kem_secret_key
11492 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
11493 with const generics
11494 - K= 3
11495 - SERIALIZED_KEY_LEN= 2400
11496 */
11497 static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_48(
11498     Eurydice_slice private_key, Eurydice_slice public_key,
11499     Eurydice_slice implicit_rejection_value, uint8_t ret[2400U]) {
11500   uint8_t out[2400U] = {0U};
11501   size_t pointer = (size_t)0U;
11502   uint8_t *uu____0 = out;
11503   size_t uu____1 = pointer;
11504   size_t uu____2 = pointer;
11505   Eurydice_slice_copy(
11506       Eurydice_array_to_subslice2(
11507           uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t),
11508           uint8_t),
11509       private_key, uint8_t);
11510   pointer = pointer + Eurydice_slice_len(private_key, uint8_t);
11511   uint8_t *uu____3 = out;
11512   size_t uu____4 = pointer;
11513   size_t uu____5 = pointer;
11514   Eurydice_slice_copy(
11515       Eurydice_array_to_subslice2(
11516           uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t),
11517           uint8_t),
11518       public_key, uint8_t);
11519   pointer = pointer + Eurydice_slice_len(public_key, uint8_t);
11520   Eurydice_slice uu____6 = Eurydice_array_to_subslice2(
11521       out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t);
11522   uint8_t ret0[32U];
11523   libcrux_ml_kem_hash_functions_portable_H_f1_1a(public_key, ret0);
11524   Eurydice_slice_copy(
11525       uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t);
11526   pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE;
11527   uint8_t *uu____7 = out;
11528   size_t uu____8 = pointer;
11529   size_t uu____9 = pointer;
11530   Eurydice_slice_copy(
11531       Eurydice_array_to_subslice2(
11532           uu____7, uu____8,
11533           uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t),
11534           uint8_t),
11535       implicit_rejection_value, uint8_t);
11536   memcpy(ret, out, (size_t)2400U * sizeof(uint8_t));
11537 }
11538 
11539 /**
11540  Packed API
11541 
11542  Generate a key pair.
11543 
11544  Depending on the `Vector` and `Hasher` used, this requires different hardware
11545  features
11546 */
11547 /**
11548 A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair
11549 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
11550 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
11551 libcrux_ml_kem_variant_MlKem with const generics
11552 - K= 3
11553 - CPA_PRIVATE_KEY_SIZE= 1152
11554 - PRIVATE_KEY_SIZE= 2400
11555 - PUBLIC_KEY_SIZE= 1184
11556 - BYTES_PER_RING_ELEMENT= 1152
11557 - ETA1= 2
11558 - ETA1_RANDOMNESS_SIZE= 128
11559 */
11560 static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair
11561 libcrux_ml_kem_ind_cca_generate_keypair_8c(uint8_t randomness[64U]) {
11562   Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2(
11563       randomness, (size_t)0U,
11564       LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t);
11565   Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from(
11566       (size_t)64U, randomness,
11567       LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t,
11568       size_t);
11569   libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 =
11570       libcrux_ml_kem_ind_cpa_generate_keypair_fc(ind_cpa_keypair_randomness);
11571   uint8_t ind_cpa_private_key[1152U];
11572   memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t));
11573   uint8_t public_key[1184U];
11574   memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t));
11575   uint8_t secret_key_serialized[2400U];
11576   libcrux_ml_kem_ind_cca_serialize_kem_secret_key_48(
11577       Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t),
11578       Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t),
11579       implicit_rejection_value, secret_key_serialized);
11580   /* Passing arrays by value in Rust generates a copy in C */
11581   uint8_t copy_of_secret_key_serialized[2400U];
11582   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
11583          (size_t)2400U * sizeof(uint8_t));
11584   libcrux_ml_kem_types_MlKemPrivateKey_55 private_key =
11585       libcrux_ml_kem_types_from_05_f2(copy_of_secret_key_serialized);
11586   libcrux_ml_kem_types_MlKemPrivateKey_55 uu____2 = private_key;
11587   /* Passing arrays by value in Rust generates a copy in C */
11588   uint8_t copy_of_public_key[1184U];
11589   memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
11590   return libcrux_ml_kem_types_from_17_35(
11591       uu____2, libcrux_ml_kem_types_from_b6_da(copy_of_public_key));
11592 }
11593 
11594 /**
11595  Portable generate key pair.
11596 */
11597 /**
11598 A monomorphic instance of
11599 libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair with const
11600 generics
11601 - K= 3
11602 - CPA_PRIVATE_KEY_SIZE= 1152
11603 - PRIVATE_KEY_SIZE= 2400
11604 - PUBLIC_KEY_SIZE= 1184
11605 - BYTES_PER_RING_ELEMENT= 1152
11606 - ETA1= 2
11607 - ETA1_RANDOMNESS_SIZE= 128
11608 */
11609 static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair
11610 libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_d5(
11611     uint8_t randomness[64U]) {
11612   /* Passing arrays by value in Rust generates a copy in C */
11613   uint8_t copy_of_randomness[64U];
11614   memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
11615   return libcrux_ml_kem_ind_cca_generate_keypair_8c(copy_of_randomness);
11616 }
11617 
11618 /**
11619  Generate ML-KEM 768 Key Pair
11620 */
11621 static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair
11622 libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) {
11623   /* Passing arrays by value in Rust generates a copy in C */
11624   uint8_t copy_of_randomness[64U];
11625   memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
11626   return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_d5(
11627       copy_of_randomness);
11628 }
11629 
11630 /**
11631 This function found in impl {(libcrux_ml_kem::variant::Variant for
11632 libcrux_ml_kem::variant::Kyber)}
11633 */
11634 /**
11635 A monomorphic instance of libcrux_ml_kem.variant.kdf_33
11636 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
11637 with const generics
11638 - K= 3
11639 - CIPHERTEXT_SIZE= 1088
11640 */
11641 static KRML_MUSTINLINE void libcrux_ml_kem_variant_kdf_33_f0(
11642     Eurydice_slice shared_secret,
11643     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
11644   uint8_t kdf_input[64U];
11645   libcrux_ml_kem_utils_into_padded_array_ea(shared_secret, kdf_input);
11646   Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
11647       (size_t)64U, kdf_input, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t,
11648       size_t);
11649   uint8_t ret0[32U];
11650   libcrux_ml_kem_hash_functions_portable_H_f1_1a(
11651       Eurydice_array_to_slice((size_t)1088U,
11652                               libcrux_ml_kem_types_as_slice_d4_1d(ciphertext),
11653                               uint8_t),
11654       ret0);
11655   Eurydice_slice_copy(
11656       uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t);
11657   uint8_t ret1[32U];
11658   libcrux_ml_kem_hash_functions_portable_PRF_f1_ee(
11659       Eurydice_array_to_slice((size_t)64U, kdf_input, uint8_t), ret1);
11660   memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t));
11661 }
11662 
11663 /**
11664 A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate
11665 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
11666 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
11667 libcrux_ml_kem_variant_Kyber with const generics
11668 - K= 3
11669 - SECRET_KEY_SIZE= 2400
11670 - CPA_SECRET_KEY_SIZE= 1152
11671 - PUBLIC_KEY_SIZE= 1184
11672 - CIPHERTEXT_SIZE= 1088
11673 - T_AS_NTT_ENCODED_SIZE= 1152
11674 - C1_SIZE= 960
11675 - C2_SIZE= 128
11676 - VECTOR_U_COMPRESSION_FACTOR= 10
11677 - VECTOR_V_COMPRESSION_FACTOR= 4
11678 - C1_BLOCK_SIZE= 320
11679 - ETA1= 2
11680 - ETA1_RANDOMNESS_SIZE= 128
11681 - ETA2= 2
11682 - ETA2_RANDOMNESS_SIZE= 128
11683 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120
11684 */
11685 static inline void libcrux_ml_kem_ind_cca_decapsulate_700(
11686     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
11687     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
11688   Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
11689       Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t),
11690       (size_t)1152U, uint8_t, Eurydice_slice_uint8_t_x2);
11691   Eurydice_slice ind_cpa_secret_key = uu____0.fst;
11692   Eurydice_slice secret_key0 = uu____0.snd;
11693   Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at(
11694       secret_key0, (size_t)1184U, uint8_t, Eurydice_slice_uint8_t_x2);
11695   Eurydice_slice ind_cpa_public_key = uu____1.fst;
11696   Eurydice_slice secret_key = uu____1.snd;
11697   Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at(
11698       secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t,
11699       Eurydice_slice_uint8_t_x2);
11700   Eurydice_slice ind_cpa_public_key_hash = uu____2.fst;
11701   Eurydice_slice implicit_rejection_value = uu____2.snd;
11702   uint8_t decrypted[32U];
11703   libcrux_ml_kem_ind_cpa_decrypt_43(ind_cpa_secret_key, ciphertext->value,
11704                                     decrypted);
11705   uint8_t to_hash0[64U];
11706   libcrux_ml_kem_utils_into_padded_array_ea(
11707       Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0);
11708   Eurydice_slice_copy(
11709       Eurydice_array_to_subslice_from(
11710           (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
11711           uint8_t, size_t),
11712       ind_cpa_public_key_hash, uint8_t);
11713   uint8_t hashed[64U];
11714   libcrux_ml_kem_hash_functions_portable_G_f1_e4(
11715       Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed);
11716   Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at(
11717       Eurydice_array_to_slice((size_t)64U, hashed, uint8_t),
11718       LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t,
11719       Eurydice_slice_uint8_t_x2);
11720   Eurydice_slice shared_secret0 = uu____3.fst;
11721   Eurydice_slice pseudorandomness = uu____3.snd;
11722   uint8_t to_hash[1120U];
11723   libcrux_ml_kem_utils_into_padded_array_ea0(implicit_rejection_value, to_hash);
11724   Eurydice_slice uu____4 = Eurydice_array_to_subslice_from(
11725       (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE,
11726       uint8_t, size_t);
11727   Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_00_24(ciphertext),
11728                       uint8_t);
11729   uint8_t implicit_rejection_shared_secret0[32U];
11730   libcrux_ml_kem_hash_functions_portable_PRF_f1_ee(
11731       Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t),
11732       implicit_rejection_shared_secret0);
11733   Eurydice_slice uu____5 = ind_cpa_public_key;
11734   /* Passing arrays by value in Rust generates a copy in C */
11735   uint8_t copy_of_decrypted[32U];
11736   memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t));
11737   uint8_t expected_ciphertext[1088U];
11738   libcrux_ml_kem_ind_cpa_encrypt_60(uu____5, copy_of_decrypted,
11739                                     pseudorandomness, expected_ciphertext);
11740   uint8_t implicit_rejection_shared_secret[32U];
11741   libcrux_ml_kem_variant_kdf_33_f0(
11742       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0,
11743                               uint8_t),
11744       ciphertext, implicit_rejection_shared_secret);
11745   uint8_t shared_secret[32U];
11746   libcrux_ml_kem_variant_kdf_33_f0(shared_secret0, ciphertext, shared_secret);
11747   uint8_t ret0[32U];
11748   libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time(
11749       libcrux_ml_kem_types_as_ref_00_24(ciphertext),
11750       Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t),
11751       Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t),
11752       Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret,
11753                               uint8_t),
11754       ret0);
11755   memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
11756 }
11757 
11758 /**
11759  Portable decapsulate
11760 */
11761 /**
11762 A monomorphic instance of
11763 libcrux_ml_kem.ind_cca.instantiations.portable.kyber_decapsulate with const
11764 generics
11765 - K= 3
11766 - SECRET_KEY_SIZE= 2400
11767 - CPA_SECRET_KEY_SIZE= 1152
11768 - PUBLIC_KEY_SIZE= 1184
11769 - CIPHERTEXT_SIZE= 1088
11770 - T_AS_NTT_ENCODED_SIZE= 1152
11771 - C1_SIZE= 960
11772 - C2_SIZE= 128
11773 - VECTOR_U_COMPRESSION_FACTOR= 10
11774 - VECTOR_V_COMPRESSION_FACTOR= 4
11775 - C1_BLOCK_SIZE= 320
11776 - ETA1= 2
11777 - ETA1_RANDOMNESS_SIZE= 128
11778 - ETA2= 2
11779 - ETA2_RANDOMNESS_SIZE= 128
11780 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120
11781 */
11782 static inline void
11783 libcrux_ml_kem_ind_cca_instantiations_portable_kyber_decapsulate_fc(
11784     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
11785     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
11786   libcrux_ml_kem_ind_cca_decapsulate_700(private_key, ciphertext, ret);
11787 }
11788 
11789 /**
11790  Decapsulate Kyber 768
11791 
11792  Generates an [`MlKemSharedSecret`].
11793  The input is a reference to an [`MlKem768PrivateKey`] and an
11794  [`MlKem768Ciphertext`].
11795 */
11796 static inline void libcrux_ml_kem_mlkem768_portable_kyber_decapsulate(
11797     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
11798     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) {
11799   libcrux_ml_kem_ind_cca_instantiations_portable_kyber_decapsulate_fc(
11800       private_key, ciphertext, ret);
11801 }
11802 
11803 /**
11804 This function found in impl {(libcrux_ml_kem::variant::Variant for
11805 libcrux_ml_kem::variant::Kyber)}
11806 */
11807 /**
11808 A monomorphic instance of libcrux_ml_kem.variant.entropy_preprocess_33
11809 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
11810 with const generics
11811 - K= 3
11812 */
11813 static KRML_MUSTINLINE void libcrux_ml_kem_variant_entropy_preprocess_33_8a(
11814     Eurydice_slice randomness, uint8_t ret[32U]) {
11815   libcrux_ml_kem_hash_functions_portable_H_f1_1a(randomness, ret);
11816 }
11817 
11818 /**
11819 A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate
11820 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
11821 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
11822 libcrux_ml_kem_variant_Kyber with const generics
11823 - K= 3
11824 - CIPHERTEXT_SIZE= 1088
11825 - PUBLIC_KEY_SIZE= 1184
11826 - T_AS_NTT_ENCODED_SIZE= 1152
11827 - C1_SIZE= 960
11828 - C2_SIZE= 128
11829 - VECTOR_U_COMPRESSION_FACTOR= 10
11830 - VECTOR_V_COMPRESSION_FACTOR= 4
11831 - VECTOR_U_BLOCK_LEN= 320
11832 - ETA1= 2
11833 - ETA1_RANDOMNESS_SIZE= 128
11834 - ETA2= 2
11835 - ETA2_RANDOMNESS_SIZE= 128
11836 */
11837 static inline tuple_3c libcrux_ml_kem_ind_cca_encapsulate_cd0(
11838     libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
11839     uint8_t randomness[32U]) {
11840   uint8_t randomness0[32U];
11841   libcrux_ml_kem_variant_entropy_preprocess_33_8a(
11842       Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0);
11843   uint8_t to_hash[64U];
11844   libcrux_ml_kem_utils_into_padded_array_ea(
11845       Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash);
11846   Eurydice_slice uu____0 = Eurydice_array_to_subslice_from(
11847       (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t,
11848       size_t);
11849   uint8_t ret[32U];
11850   libcrux_ml_kem_hash_functions_portable_H_f1_1a(
11851       Eurydice_array_to_slice((size_t)1184U,
11852                               libcrux_ml_kem_types_as_slice_cb_50(public_key),
11853                               uint8_t),
11854       ret);
11855   Eurydice_slice_copy(
11856       uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t);
11857   uint8_t hashed[64U];
11858   libcrux_ml_kem_hash_functions_portable_G_f1_e4(
11859       Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed);
11860   Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at(
11861       Eurydice_array_to_slice((size_t)64U, hashed, uint8_t),
11862       LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t,
11863       Eurydice_slice_uint8_t_x2);
11864   Eurydice_slice shared_secret = uu____1.fst;
11865   Eurydice_slice pseudorandomness = uu____1.snd;
11866   Eurydice_slice uu____2 = Eurydice_array_to_slice(
11867       (size_t)1184U, libcrux_ml_kem_types_as_slice_cb_50(public_key), uint8_t);
11868   /* Passing arrays by value in Rust generates a copy in C */
11869   uint8_t copy_of_randomness[32U];
11870   memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t));
11871   uint8_t ciphertext[1088U];
11872   libcrux_ml_kem_ind_cpa_encrypt_60(uu____2, copy_of_randomness,
11873                                     pseudorandomness, ciphertext);
11874   /* Passing arrays by value in Rust generates a copy in C */
11875   uint8_t copy_of_ciphertext[1088U];
11876   memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t));
11877   libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 =
11878       libcrux_ml_kem_types_from_01_9f(copy_of_ciphertext);
11879   uint8_t shared_secret_array[32U];
11880   libcrux_ml_kem_variant_kdf_33_f0(shared_secret, &ciphertext0,
11881                                    shared_secret_array);
11882   libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0;
11883   /* Passing arrays by value in Rust generates a copy in C */
11884   uint8_t copy_of_shared_secret_array[32U];
11885   memcpy(copy_of_shared_secret_array, shared_secret_array,
11886          (size_t)32U * sizeof(uint8_t));
11887   tuple_3c lit;
11888   lit.fst = uu____5;
11889   memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t));
11890   return lit;
11891 }
11892 
11893 /**
11894  Portable encapsulate
11895 */
11896 /**
11897 A monomorphic instance of
11898 libcrux_ml_kem.ind_cca.instantiations.portable.kyber_encapsulate with const
11899 generics
11900 - K= 3
11901 - CIPHERTEXT_SIZE= 1088
11902 - PUBLIC_KEY_SIZE= 1184
11903 - T_AS_NTT_ENCODED_SIZE= 1152
11904 - C1_SIZE= 960
11905 - C2_SIZE= 128
11906 - VECTOR_U_COMPRESSION_FACTOR= 10
11907 - VECTOR_V_COMPRESSION_FACTOR= 4
11908 - VECTOR_U_BLOCK_LEN= 320
11909 - ETA1= 2
11910 - ETA1_RANDOMNESS_SIZE= 128
11911 - ETA2= 2
11912 - ETA2_RANDOMNESS_SIZE= 128
11913 */
11914 static inline tuple_3c
11915 libcrux_ml_kem_ind_cca_instantiations_portable_kyber_encapsulate_7a(
11916     libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
11917     uint8_t randomness[32U]) {
11918   libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key;
11919   /* Passing arrays by value in Rust generates a copy in C */
11920   uint8_t copy_of_randomness[32U];
11921   memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
11922   return libcrux_ml_kem_ind_cca_encapsulate_cd0(uu____0, copy_of_randomness);
11923 }
11924 
11925 /**
11926  Encapsulate Kyber 768
11927 
11928  Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
11929  The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`]
11930  bytes of `randomness`.
11931 */
11932 static inline tuple_3c libcrux_ml_kem_mlkem768_portable_kyber_encapsulate(
11933     libcrux_ml_kem_types_MlKemPublicKey_15 *public_key,
11934     uint8_t randomness[32U]) {
11935   libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key;
11936   /* Passing arrays by value in Rust generates a copy in C */
11937   uint8_t copy_of_randomness[32U];
11938   memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t));
11939   return libcrux_ml_kem_ind_cca_instantiations_portable_kyber_encapsulate_7a(
11940       uu____0, copy_of_randomness);
11941 }
11942 
11943 /**
11944 This function found in impl {(libcrux_ml_kem::variant::Variant for
11945 libcrux_ml_kem::variant::Kyber)}
11946 */
11947 /**
11948 A monomorphic instance of libcrux_ml_kem.variant.cpa_keygen_seed_33
11949 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
11950 with const generics
11951 - K= 3
11952 */
11953 static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_33_b6(
11954     Eurydice_slice key_generation_seed, uint8_t ret[64U]) {
11955   libcrux_ml_kem_hash_functions_portable_G_f1_e4(key_generation_seed, ret);
11956 }
11957 
11958 /**
11959 A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair
11960 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
11961 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
11962 libcrux_ml_kem_variant_Kyber with const generics
11963 - K= 3
11964 - PRIVATE_KEY_SIZE= 1152
11965 - PUBLIC_KEY_SIZE= 1184
11966 - RANKED_BYTES_PER_RING_ELEMENT= 1152
11967 - ETA1= 2
11968 - ETA1_RANDOMNESS_SIZE= 128
11969 */
11970 static inline libcrux_ml_kem_utils_extraction_helper_Keypair768
11971 libcrux_ml_kem_ind_cpa_generate_keypair_fc0(
11972     Eurydice_slice key_generation_seed) {
11973   uint8_t hashed[64U];
11974   libcrux_ml_kem_variant_cpa_keygen_seed_33_b6(key_generation_seed, hashed);
11975   Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at(
11976       Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U,
11977       uint8_t, Eurydice_slice_uint8_t_x2);
11978   Eurydice_slice seed_for_A0 = uu____0.fst;
11979   Eurydice_slice seed_for_secret_and_error = uu____0.snd;
11980   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[3U][3U];
11981   uint8_t ret[34U];
11982   libcrux_ml_kem_utils_into_padded_array_ea1(seed_for_A0, ret);
11983   libcrux_ml_kem_matrix_sample_matrix_A_38(ret, true, A_transpose);
11984   uint8_t prf_input[33U];
11985   libcrux_ml_kem_utils_into_padded_array_ea2(seed_for_secret_and_error,
11986                                              prf_input);
11987   /* Passing arrays by value in Rust generates a copy in C */
11988   uint8_t copy_of_prf_input0[33U];
11989   memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t));
11990   tuple_b0 uu____2 = libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc(
11991       copy_of_prf_input0, 0U);
11992   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U];
11993   memcpy(
11994       secret_as_ntt, uu____2.fst,
11995       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
11996   uint8_t domain_separator = uu____2.snd;
11997   /* Passing arrays by value in Rust generates a copy in C */
11998   uint8_t copy_of_prf_input[33U];
11999   memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t));
12000   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_as_ntt[3U];
12001   memcpy(
12002       error_as_ntt,
12003       libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_fc(copy_of_prf_input,
12004                                                            domain_separator)
12005           .fst,
12006       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
12007   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[3U];
12008   libcrux_ml_kem_matrix_compute_As_plus_e_60(A_transpose, secret_as_ntt,
12009                                              error_as_ntt, t_as_ntt);
12010   uint8_t seed_for_A[32U];
12011   Result_00 dst;
12012   Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]);
12013   unwrap_41_83(dst, seed_for_A);
12014   uint8_t public_key_serialized[1184U];
12015   libcrux_ml_kem_ind_cpa_serialize_public_key_79(
12016       t_as_ntt, Eurydice_array_to_slice((size_t)32U, seed_for_A, uint8_t),
12017       public_key_serialized);
12018   uint8_t secret_key_serialized[1152U];
12019   libcrux_ml_kem_ind_cpa_serialize_secret_key_b5(secret_as_ntt,
12020                                                  secret_key_serialized);
12021   /* Passing arrays by value in Rust generates a copy in C */
12022   uint8_t copy_of_secret_key_serialized[1152U];
12023   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
12024          (size_t)1152U * sizeof(uint8_t));
12025   /* Passing arrays by value in Rust generates a copy in C */
12026   uint8_t copy_of_public_key_serialized[1184U];
12027   memcpy(copy_of_public_key_serialized, public_key_serialized,
12028          (size_t)1184U * sizeof(uint8_t));
12029   libcrux_ml_kem_utils_extraction_helper_Keypair768 lit;
12030   memcpy(lit.fst, copy_of_secret_key_serialized,
12031          (size_t)1152U * sizeof(uint8_t));
12032   memcpy(lit.snd, copy_of_public_key_serialized,
12033          (size_t)1184U * sizeof(uint8_t));
12034   return lit;
12035 }
12036 
12037 /**
12038  Packed API
12039 
12040  Generate a key pair.
12041 
12042  Depending on the `Vector` and `Hasher` used, this requires different hardware
12043  features
12044 */
12045 /**
12046 A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair
12047 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector,
12048 libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]],
12049 libcrux_ml_kem_variant_Kyber with const generics
12050 - K= 3
12051 - CPA_PRIVATE_KEY_SIZE= 1152
12052 - PRIVATE_KEY_SIZE= 2400
12053 - PUBLIC_KEY_SIZE= 1184
12054 - BYTES_PER_RING_ELEMENT= 1152
12055 - ETA1= 2
12056 - ETA1_RANDOMNESS_SIZE= 128
12057 */
12058 static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair
12059 libcrux_ml_kem_ind_cca_generate_keypair_8c0(uint8_t randomness[64U]) {
12060   Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2(
12061       randomness, (size_t)0U,
12062       LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t);
12063   Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from(
12064       (size_t)64U, randomness,
12065       LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t,
12066       size_t);
12067   libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 =
12068       libcrux_ml_kem_ind_cpa_generate_keypair_fc0(ind_cpa_keypair_randomness);
12069   uint8_t ind_cpa_private_key[1152U];
12070   memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t));
12071   uint8_t public_key[1184U];
12072   memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t));
12073   uint8_t secret_key_serialized[2400U];
12074   libcrux_ml_kem_ind_cca_serialize_kem_secret_key_48(
12075       Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t),
12076       Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t),
12077       implicit_rejection_value, secret_key_serialized);
12078   /* Passing arrays by value in Rust generates a copy in C */
12079   uint8_t copy_of_secret_key_serialized[2400U];
12080   memcpy(copy_of_secret_key_serialized, secret_key_serialized,
12081          (size_t)2400U * sizeof(uint8_t));
12082   libcrux_ml_kem_types_MlKemPrivateKey_55 private_key =
12083       libcrux_ml_kem_types_from_05_f2(copy_of_secret_key_serialized);
12084   libcrux_ml_kem_types_MlKemPrivateKey_55 uu____2 = private_key;
12085   /* Passing arrays by value in Rust generates a copy in C */
12086   uint8_t copy_of_public_key[1184U];
12087   memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t));
12088   return libcrux_ml_kem_types_from_17_35(
12089       uu____2, libcrux_ml_kem_types_from_b6_da(copy_of_public_key));
12090 }
12091 
12092 /**
12093 A monomorphic instance of
12094 libcrux_ml_kem.ind_cca.instantiations.portable.kyber_generate_keypair with const
12095 generics
12096 - K= 3
12097 - CPA_PRIVATE_KEY_SIZE= 1152
12098 - PRIVATE_KEY_SIZE= 2400
12099 - PUBLIC_KEY_SIZE= 1184
12100 - BYTES_PER_RING_ELEMENT= 1152
12101 - ETA1= 2
12102 - ETA1_RANDOMNESS_SIZE= 128
12103 */
12104 static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair
12105 libcrux_ml_kem_ind_cca_instantiations_portable_kyber_generate_keypair_9b(
12106     uint8_t randomness[64U]) {
12107   /* Passing arrays by value in Rust generates a copy in C */
12108   uint8_t copy_of_randomness[64U];
12109   memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
12110   return libcrux_ml_kem_ind_cca_generate_keypair_8c0(copy_of_randomness);
12111 }
12112 
12113 /**
12114  Generate Kyber 768 Key Pair
12115 */
12116 static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair
12117 libcrux_ml_kem_mlkem768_portable_kyber_generate_key_pair(
12118     uint8_t randomness[64U]) {
12119   /* Passing arrays by value in Rust generates a copy in C */
12120   uint8_t copy_of_randomness[64U];
12121   memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t));
12122   return libcrux_ml_kem_ind_cca_instantiations_portable_kyber_generate_keypair_9b(
12123       copy_of_randomness);
12124 }
12125 
12126 /**
12127  Validate an ML-KEM private key.
12128 
12129  This implements the Hash check in 7.3 3.
12130  Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE`
12131  and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types.
12132 */
12133 /**
12134 A monomorphic instance of libcrux_ml_kem.ind_cca.validate_private_key
12135 with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]]
12136 with const generics
12137 - K= 3
12138 - SECRET_KEY_SIZE= 2400
12139 - CIPHERTEXT_SIZE= 1088
12140 */
12141 static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_e7(
12142     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
12143     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_ciphertext) {
12144   uint8_t t[32U];
12145   libcrux_ml_kem_hash_functions_portable_H_f1_1a(
12146       Eurydice_array_to_subslice2(private_key->value, (size_t)384U * (size_t)3U,
12147                                   (size_t)768U * (size_t)3U + (size_t)32U,
12148                                   uint8_t),
12149       t);
12150   Eurydice_slice expected = Eurydice_array_to_subslice2(
12151       private_key->value, (size_t)768U * (size_t)3U + (size_t)32U,
12152       (size_t)768U * (size_t)3U + (size_t)64U, uint8_t);
12153   return core_array_equality___core__cmp__PartialEq__0___Slice_U____for__Array_T__N___3__eq(
12154       (size_t)32U, t, &expected, uint8_t, uint8_t, bool);
12155 }
12156 
12157 /**
12158  Portable private key validation
12159 */
12160 /**
12161 A monomorphic instance of
12162 libcrux_ml_kem.ind_cca.instantiations.portable.validate_private_key with const
12163 generics
12164 - K= 3
12165 - SECRET_KEY_SIZE= 2400
12166 - CIPHERTEXT_SIZE= 1088
12167 */
12168 static KRML_MUSTINLINE bool
12169 libcrux_ml_kem_ind_cca_instantiations_portable_validate_private_key_9c(
12170     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
12171     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) {
12172   return libcrux_ml_kem_ind_cca_validate_private_key_e7(private_key,
12173                                                         ciphertext);
12174 }
12175 
12176 /**
12177  Validate a private key.
12178 
12179  Returns `true` if valid, and `false` otherwise.
12180 */
12181 static inline bool libcrux_ml_kem_mlkem768_portable_validate_private_key(
12182     libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key,
12183     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) {
12184   return libcrux_ml_kem_ind_cca_instantiations_portable_validate_private_key_9c(
12185       private_key, ciphertext);
12186 }
12187 
12188 /**
12189 A monomorphic instance of
12190 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced.closure with types
12191 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
12192 - PUBLIC_KEY_SIZE= 1184
12193 - K= 3
12194 */
12195 static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0
12196 libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure_cd0(
12197     size_t _i) {
12198   return libcrux_ml_kem_polynomial_ZERO_89_ea();
12199 }
12200 
12201 /**
12202  This function deserializes ring elements and reduces the result by the field
12203  modulus.
12204 
12205  This function MUST NOT be used on secret inputs.
12206 */
12207 /**
12208 A monomorphic instance of
12209 libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types
12210 libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics
12211 - PUBLIC_KEY_SIZE= 1184
12212 - K= 3
12213 */
12214 static KRML_MUSTINLINE void
12215 libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_330(
12216     Eurydice_slice public_key,
12217     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) {
12218   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 deserialized_pk[3U];
12219   for (size_t i = (size_t)0U; i < (size_t)3U; i++) {
12220     deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_89_ea();
12221   }
12222   for (size_t i = (size_t)0U;
12223        i < Eurydice_slice_len(public_key, uint8_t) /
12224                LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT;
12225        i++) {
12226     size_t i0 = i;
12227     Eurydice_slice ring_element = Eurydice_slice_subslice2(
12228         public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
12229         i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT +
12230             LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT,
12231         uint8_t);
12232     libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 =
12233         libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_4c(
12234             ring_element);
12235     deserialized_pk[i0] = uu____0;
12236   }
12237   memcpy(
12238       ret, deserialized_pk,
12239       (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0));
12240 }
12241 
12242 /**
12243  Validate an ML-KEM public key.
12244 
12245  This implements the Modulus check in 7.2 2.
12246  Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the
12247  `public_key` type.
12248 */
12249 /**
12250 A monomorphic instance of libcrux_ml_kem.ind_cca.validate_public_key
12251 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector
12252 with const generics
12253 - K= 3
12254 - RANKED_BYTES_PER_RING_ELEMENT= 1152
12255 - PUBLIC_KEY_SIZE= 1184
12256 */
12257 static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_19(
12258     uint8_t *public_key) {
12259   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 deserialized_pk[3U];
12260   libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_330(
12261       Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U,
12262                                     uint8_t, size_t),
12263       deserialized_pk);
12264   libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *uu____0 = deserialized_pk;
12265   uint8_t public_key_serialized[1184U];
12266   libcrux_ml_kem_ind_cpa_serialize_public_key_79(
12267       uu____0,
12268       Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U,
12269                                       uint8_t, size_t),
12270       public_key_serialized);
12271   return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq(
12272       (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool);
12273 }
12274 
12275 /**
12276  Portable public key validation
12277 */
12278 /**
12279 A monomorphic instance of
12280 libcrux_ml_kem.ind_cca.instantiations.portable.validate_public_key with const
12281 generics
12282 - K= 3
12283 - RANKED_BYTES_PER_RING_ELEMENT= 1152
12284 - PUBLIC_KEY_SIZE= 1184
12285 */
12286 static KRML_MUSTINLINE bool
12287 libcrux_ml_kem_ind_cca_instantiations_portable_validate_public_key_4b(
12288     uint8_t *public_key) {
12289   return libcrux_ml_kem_ind_cca_validate_public_key_19(public_key);
12290 }
12291 
12292 /**
12293  Validate a public key.
12294 
12295  Returns `true` if valid, and `false` otherwise.
12296 */
12297 static inline bool libcrux_ml_kem_mlkem768_portable_validate_public_key(
12298     libcrux_ml_kem_types_MlKemPublicKey_15 *public_key) {
12299   return libcrux_ml_kem_ind_cca_instantiations_portable_validate_public_key_4b(
12300       public_key->value);
12301 }
12302 
12303 /**
12304 This function found in impl {(core::clone::Clone for
12305 libcrux_ml_kem::vector::portable::vector_type::PortableVector)}
12306 */
12307 static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector
12308 libcrux_ml_kem_vector_portable_vector_type_clone_3b(
12309     libcrux_ml_kem_vector_portable_vector_type_PortableVector *self) {
12310   return self[0U];
12311 }
12312 
12313 typedef int16_t libcrux_ml_kem_vector_portable_vector_type_FieldElement;
12314 
12315 typedef int16_t
12316     libcrux_ml_kem_vector_portable_arithmetic_MontgomeryFieldElement;
12317 
12318 typedef int16_t
12319     libcrux_ml_kem_vector_portable_arithmetic_FieldElementTimesMontgomeryR;
12320 
12321 #if defined(__cplusplus)
12322 }
12323 #endif
12324 
12325 #define __libcrux_mlkem768_portable_H_DEFINED
12326 #endif
12327 
12328 
12329 /* rename some types to be a bit more ergonomic */
12330 #define libcrux_mlkem768_keypair libcrux_ml_kem_mlkem768_MlKem768KeyPair_s
12331 #define libcrux_mlkem768_pk_valid_result Option_92_s
12332 #define libcrux_mlkem768_pk libcrux_ml_kem_types_MlKemPublicKey_15_s
12333 #define libcrux_mlkem768_sk libcrux_ml_kem_types_MlKemPrivateKey_55_s
12334 #define libcrux_mlkem768_ciphertext libcrux_ml_kem_mlkem768_MlKem768Ciphertext_s
12335 #define libcrux_mlkem768_enc_result tuple_3c_s
12336 /* defines for PRNG inputs */
12337 #define LIBCRUX_ML_KEM_KEY_PAIR_PRNG_LEN 64
12338 #define LIBCRUX_ML_KEM_ENC_PRNG_LEN 32
12339